Windows 8 devices fail to Sync with Microsoft Exchange with 86000C2A, 8600C2B, 86000C29 Error (or similar) after an ActiveSync Mailbox Policy is applied

Having trouble creating an ActiveSync Mailbox Policy to support your shiny new Windows Phone or Surface devices without checking the dreaded "AllowNonProvisionableDevices" setting? Well, let's see if I can help you out!

While it is documented that Windows devices only "support" certain policy settings:

http://support.microsoft.com/kb/2823900

http://support.microsoft.com/kb/2464593/en-us

There are SOME settings that can be configured that will prevent these devices from syncing AT ALL.

These settings are as follows:

-MaxCalendarAgeFilter
-MaxEmailAgeFilter
-AllowStorageCard
-WSSAccessEnabled
-UNCAccessEnabled

In my testing, I found that ANY of these settings being set to ANYTHING other than the values specified below will result in sync failure. I also included a sample of how I set the values using Exchange Management Shell:

 

Set-ActiveSyncMailboxPolicy $YourPolicy -MaxCalendarAgeFilter All
Set-ActiveSyncMailboxPolicy $YourPolicy -MaxEmailAgeFilter All
Set-ActivesSyncMailboxPolicy $YourPolicy -AllowStorageCard $true
Set-ActivesSyncMailboxPolicy $YourPolicy -WSSAccessEnabled $false
Set-ActivesSyncMailboxPolicy $YourPolicy -UNCAccessEnabled $false 

Here is the final, working policy that I came up with:

 

To APPLY the test policy that I created to my test mailbox, I ran the following:

PS C:\Windows\System32> Get-CasMailbox "MyTestMailbox" | set-CasMailbox -ActiveSyncMailboxPolicy "TestWP8"

Please note that:

DeviceEncryptionEnabled                  : False
RequireDeviceEncryption                  : True

 Are NOT the same thing.

"The DeviceEncryptionEnabled parameter, when set to $true, requires that the storage card of the device be encrypted. The default value is $false. We recommend that you don't use this setting and use the RequireStorageCardEncryption parameter instead."

The documentation on these parameters isn't currently very clear (imo), and varies depending on which cmdlet you enumerate, get-help get-ActiveSyncMailboxPolicy -full vs get-help New-ActiveSyncMailboxPolicy -full, so please go with the ABOVE guidance and DON'T use the DeviceEncryptionEnabled parameter. If you want the actual DEVICE to be encrypted, use the RequireDeviceEncryption parameter.

Please note that NEITHER Win 7 NOR Win 8 currently support encryption of the storage card:
http://support.microsoft.com/kb/2464593/en-us

 

During testing, I can see whether any applied parameters are working by running the following:

Get-ActiveSyncDevice | Get-ActiveSyncDeviceStatistics | select-object DeviceID,DeviceOS,DeviceOS,DeviceModel,DeviceAccessState,DevicePolicyApplied,DevicePolicyApplicationStatus

In the above example, you can see that the policy is listed as "AppliedInFull", and DeviceAccessState shows "Allowed".

If there are problems with any of your settings, you will see something like the following:

Note in the above snapshot that the DeviceAcessState shows "Blocked", and that the DevicePolicyApplicationStatus is "PartiallyApplied".

See http://help.outlook.com/en-us/140/cc952755.aspx for instructions on connecting to EMS via Remote Powershell.

These tests were performed against one of my Exchange Online (O365 for Education) domains. Results may vary slightly depending on YOUR version of Exchange. Enjoy!


Many thanks to Jamie Tsottles and Charlotte Raymundo for assisting with this post and verifying the veracity of the content :)