Allowed device will not clean Quarantine for Active Sync

I have a rule set up so all ActiveSync Devices are sent to the Quarantine for Exchange 2010.  Then we click allow based on permission, etc.  Just recently when I click allow for the NEW_Device/User, they no longer clear off the list Quarantine and I keep getting Quarantine notices that the NEW_Device/User is waiting in the Quarantine.  I have rebooted both CAS servers and that has not helped.  This was NOT an issue the past 3 years for Exchange 2010 for us, this is brand new and just started last week.  Has anyone experienced this or can point me in a direction to investigate?  All other devices previously allowed are working flawlessly.

Justin Yeung (Senior Systems Engineer) Commented:
The rule that you set up is a mailbox policy or an Exchange organization ActiveSync policy?
eccis (Author) Commented:
It is an Exchange ActiveSync policy that has the Quarantine Policy on All new devices.
Justin Yeung (Senior Systems Engineer) Commented:
Check the properties of the affected device: "DeviceAccessStateReason".

If that is listed as Global, it means you have a global ActiveSync policy as well, which will override the other policy.

Run Get-ActiveSyncOrganizationSettings to confirm as well.

eccis (Author) Commented:
Access state:  
Access set by:  Global Permissions

We only have a "Default" Policy set, 1 policy that paused devices by default to Quarantine for approval.
Justin Yeung (Senior Systems Engineer) Commented:
So my question was:

Your default policy is set from where?

By default, Exchange doesn't block ActiveSync devices.

Organization level?

Device Access Rule for all Family?
eccis (Author) Commented:
Default EVERY device goes to Quarantine.  Then we select Allow if they are approved.  Our issue here, when you say Allow, the user device stays in the Quarantine......The weird thing is they seem to get emails, but the device is still LISTED in the Quarantine and that should not be the case after selecting ALLOW.
Justin Yeung (Senior Systems Engineer) Commented:
As I said before, "Default" settings by default are not Quarantine.

Which, or where, you configured to Quarantine is the question.

As I see it, your devices are being blocked at the GLOBAL level now.
eccis (Author) Commented:
The Default Policy was edited, which in turn is the Default Policy, and a rule was set in the Default policy that was modified to force devices to go to the Quarantine.
Justin Yeung (Senior Systems Engineer) Commented:
Again, please specify which default policy you are mentioning.
eccis (Author) Commented:
Exchange ActiveSync Device Policy
Default (default)
Justin Yeung (Senior Systems Engineer) Commented:
So you are blocking devices via an ActiveSync policy.

However, the global setting is under


Which I believe someone set to quarantine on the global level.

Run Get-ActiveSyncOrganizationSettings and see if that is set to quarantine.
eccis (Author) Commented:
Yes, as stated earlier at the default...This policy has NOT changed.

RunspaceId                : 60b5080f-0903-4cab-8ee1-bda740ff1f1f
DefaultAccessLevel        : Quarantine
UserMailInsert            :

But the users were already set to ALLOW in the list, but their device still hung there and they were able to sync their device...

That being said...

This now looks to be related to 1/3 DCs (a 2012 DC) that is not replicating properly.  So I have removed FSMO roles off the problem DC and those 2 ActiveSync devices are now off the Quarantine list and have stayed off for about 45 minutes which has been unheard of.  So I am now trying to demote that DC and it has been on the "starting" page after clicking "Demote" for 30 minutes or so.  Hopefully it finishes, otherwise I will have to run the demotion again and select forcefully Demote.  I hope this is the actual issue.  It is blowing my mind that that DC Demotion is taking this long, but at least it is clear of FSMO roles.  I have never seen a Demotion run this long.
Justin Yeung (Senior Systems Engineer) Commented:
Yes, it will be, since ActiveSync devices are stored in AD but not Exchange.
eccis (Author) Commented:
Issue did go away after rebuilding the DC

eccis (Author) Commented:
Only way found to fix Replication issues the DC that prevented ActiveSync from functioning properly
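
The check this thread converges on, as an added example that is not part of the original posts: ask every domain controller for the same mailbox's ActiveSync devices and flag any device whose access state differs between DCs, which points at AD replication rather than Exchange policy. It assumes the Exchange 2010 Management Shell; `$Mailbox` is a placeholder value.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# $Mailbox is a placeholder: replace it with the affected user's mailbox.
$Mailbox = 'user@example.com'

# Organization-wide default; "Quarantine" here is what holds new devices.
Get-ActiveSyncOrganizationSettings | Format-List DefaultAccessLevel

# Query each DC directly so a stale replica cannot hide behind a healthy one.
$results = foreach ($dc in Get-DomainController) {
    $dcName = $dc.DnsHostName
    try {
        Get-ActiveSyncDevice -Mailbox $Mailbox -DomainController $dcName -ErrorAction Stop |
            ForEach-Object {
                New-Object PSObject -Property @{
                    DC     = $dcName
                    Device = $_.DeviceId
                    State  = "$($_.DeviceAccessState)"
                    Reason = "$($_.DeviceAccessStateReason)"
                }
            }
    } catch {
        # A DC that cannot answer the query is itself a finding.
        New-Object PSObject -Property @{
            DC = $dcName; Device = '(query failed)'; State = 'Error'
            Reason = $_.Exception.Message
        }
    }
}

# A device whose state differs between DCs (for example Allowed on one and
# Quarantined on another) has not replicated consistently.
$results | Where-Object { $_.State -ne 'Error' } | Group-Object Device | ForEach-Object {
    $states = @($_.Group | ForEach-Object { $_.State } | Sort-Object -Unique)
    if ($states.Count -gt 1) {
        Write-Warning "Device $($_.Name) reports differing states: $($states -join ', ')"
        $_.Group | Sort-Object DC | Format-Table DC, State, Reason -AutoSize
    }
}

# DCs that failed to answer at all.
$results | Where-Object { $_.State -eq 'Error' } | Format-Table DC, Reason -AutoSize

# Replication health summary (requires the AD DS tools on this machine).
repadmin /replsummary
```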