A script to troubleshoot issues with Exchange ActiveSync
Published Jan 31 2012 11:54 AM

You can download the script, which has been attached to this blog post.

The Exchange support team fairly frequently receives cases where mobile devices using the Exchange ActiveSync (EAS) protocol send too many requests to the Exchange server, so that the server runs out of resources, effectively causing a ‘denial of service’ (DoS) attack. The worst outcome of such a situation is that the server also becomes unavailable to other users who may not be using the EAS protocol to connect. We have documented this issue with possible mitigations in the following KnowledgeBase article:

2469722 Unable to connect using Exchange ActiveSync due to Exchange resource consumption

A recent example of this issue was Apple iOS 4.0 devices retrying a full sync every 30 seconds (see TS3398). Another example could be some devices that do not understand how to handle a ‘mailbox full’ response from the Exchange server, resulting in several tries to reconnect. This can cause such devices to attempt to connect & sync with the mailbox more than 60 times in a minute, killing battery life on the device and causing performance issues on server.

Managing mobile devices & balancing available server resources among different types of clients can be a daunting challenge for IT administrators. Trying to track down which devices are causing resource depletion issues on Exchange 2010/2007 Client Access server (CAS) or Exchange 2003 Front-end (FE) server is not an easy task. As referenced in the article above, you can use Log Parser to extract useful statistics from IIS logs (see note below), but most administrators do not have the time & expertise to draft queries to extract such information from lengthy logs.

The purpose of this post is to introduce everyone in the Exchange community to a new PowerShell script that can be used to identify devices causing resource depletion issues, help in spotting performance trends and automatically generate reports for continuous monitoring. Using this script you can easily & quickly drill into your users' EAS activity, which can be a major task when faced with IIS logs that can get up to several gigabytes in size. The script makes it easier to identify users with multiple EAS devices. You can use it as a tool to establish a baseline during periods of normal EAS activity and then use that for comparison and reporting when things sway in other directions. It also provides an auto-monitoring feature which you can use to receive e-mail notifications.

Note: The script works with IIS logs on Exchange 2010, Exchange 2007 and Exchange 2003 servers.
All communication between mobile devices using EAS protocol and Microsoft Exchange is logged in IIS Logs on CAS/FE servers in W3C format. The default W3C fields enabled for logging do vary between IIS 6.0 and 7.0/7.5 (IIS 7.0 has the same fields as 7.5). This script works against both versions.

IIS Logs

Because EAS uses HTTP, all EAS requests are logged in IIS logs, which is enabled by default. Sometimes administrators may disable IIS logging to save space on servers. You must check whether logging is enabled or not and find the location of log files by following these steps:

IIS 7

  1. In IIS Manager, expand the server name i.e. ExchangeServer (Contoso\Administrator)
  2. In the Features View, double click Logging in the IIS section.

IIS 6

  1. In IIS Manager, right click the web site name (for most it should be Default Web Site) and choose Properties
  2. Click on the Web Site tab.

What are mobile devices responsible for in communications with the server?

Before we delve into the specifics of the script, let's review some important requirements for mobile devices that use EAS to communicate with Microsoft Exchange.

  • When a mobile device is returned an unexpected response from server, it's up to the device to handle the response and retry appropriately at a reasonable interval. Additionally, devices are responsible for handling timeouts that happen outside of IIS, which may be caused by network latency.
  • With each request a device sends to IIS/Exchange, it should also report the User-Agent.

What will you see when you use this script?

The script uses Microsoft Log Parser 2.2 to parse IIS logs and generate results. It creates different SQL queries for Log Parser based on the switches (see table below) you use. A previous blog post, Exchange 2003 - Active Sync reporting, also discusses Log Parser and touches on similar points. The information in that post still applies to Exchange 2010 & 2007. Since that blog post, additional commands were added to the EAS protocol, and this new script also reports on them while processing the logs.

Here's a list of the EAS commands that the script will report in results:

Sync, SendMail, SmartForward, SmartReply, GetAttachment, GetHierarchy, CreateCollection, DeleteCollection, MoveCollection, FolderSync, FolderCreate, FolderDelete, FolderUpdate, MoveItems, GetItemEstimate, MeetingResponse, Search, Settings, Ping, ItemOperations, Provision, ResolveRecipients, ValidateCert

For more details about each EAS command, see ActiveSync HTTP Protocol Specification on MSDN.

In addition to these commands, the following parameters are also logged by the script.

  1. User
  2. User Name
  3. Device Type
  4. Device ID
  5. User-Agent
  6. sc-bytes: This is only available if you have enabled this tag in IIS logging.
  7. cs-bytes: This is only available if you have enabled this tag in IIS logging.
  8. time-taken (in milliseconds): This is only available if you have enabled this tag in IIS logging.
  9. Total number of requests or requests by Device ID
  10. Total number of all 4xx status codes
  11. Total number of all 5xx status codes (for more info, see KB: 318380 for IIS 6.0 & KB: 943891)
  12. 409 status codes: 409 (Conflict) - A collection cannot be made at the Request-URI until one or more intermediate collections have been created. The server MUST NOT create those intermediate collections automatically (Ref: RFC 4918)
  13. 500 status codes: After device sends OPTIONS command, it’s possible to get a 500 response back from server with ‘MissingCscCacheEntry’ error. This can happen as a result of an issue with the affinity where you have an Internet-facing CAS array proxying a request to an Internal CAS array. When the Internet-facing array sends the request to the Internal array, a CAS server will answer with the first 401. In the next communication, the request is handled by a different CAS server in the Internal array. Resolving the affinity issue with the Internal CAS array is the solution.
  14. 503 status codes: The server is currently unable to handle the request due to a temporary overloading or maintenance of the server. The implication is that this is a temporary condition which will be alleviated after some delay. If known, the length of the delay MAY be indicated in a Retry-After header. If no Retry-After is given, the client SHOULD handle the response as it would for a 500 response.

    Note: The existence of the 503 status code does not imply that a server must use it when becoming overloaded. Some servers may wish to simply refuse the connection. (Ref: RFC 2616)

  15. 507 status codes: The 507 (Insufficient Storage) status code means the method could not be performed on the resource because the server is unable to store the representation needed to successfully complete the request. This condition is considered to be temporary. If the request that received this status code was the result of a user action, the request MUST NOT be repeated until it is requested by a separate user action. (Ref: RFC 4918)
  16. 451 status codes: Exchange 2007/2010 returns an HTTP 451 response to an EAS client when it determines that the device should be using a ‘better’ CAS for EAS connectivity. The logic used to determine ‘better’ CAS is based on Active Directory sites and whether a CAS is considered ‘Internet-facing’. If the ExternalUrl property on the Microsoft-Server-ActiveSync virtual directory is specified, then that CAS is considered to be Internet-Facing for EAS connectivity. (Ref: TechNet articles Exchange ActiveSync Returned an HTTP 451 Error and Understanding Proxying and Redirection)
  17. TooManyJobsQueued errors: For more info on ‘TooManyJobsQueued’ please refer to KB: 2469722 referenced above
  18. OverBudget: A budget is the amount of access that a user or application may have for a specific setting. A budget represents how many connections a user may have or how much activity a user may be permitted for each one-minute period. (Ref: TechNet article)
  19. Following subset of Common Status Codes:
    InvalidContent, ServerError, ServerErrorRetryLater, MailboxQuotaExceeded, DeviceIsBlockedForThisUser, AccessDenied, SyncStateNotFound, DeviceNotFullyProvisionable, DeviceNotProvisioned, ItemNotFound, UserDisabledForSync

What can you do with this script?

You can process logs using this script to retrieve the following details:

  1. Hits by user/Device ID (users/devices with maximum number of requests sent to server)
  2. Hits per hour/day (helps in determining the frequency of requests sent by user/device, time value is entered in seconds)
  3. Hits by device with specified threshold limit (here you can specify a limit for hits/requests, i.e. all users who are sending 1000 requests per hour/day, etc.)
  4. CSV export of results
  5. HTML report of results
  6. E-mail reports for monitoring (CSV/HTML formats)

Prerequisites:

Please make sure you have the following installed on your machine before using this script:

Script Parameters

| Parameter | Required | Type | Description |
|---|---|---|---|
| ActiveSyncOutputFolder | Required | System.String | CSV and HTML output directory |
| ActiveSyncOutputPrefix | Optional | System.String | Prefixes string to the output file name |
| CreateZip | Optional | System.Management.Automation.SwitchParameter | Creates a ZIP file. Can only be used with SendHTMLReport |
| CreateZipSize | Optional | System.Int32 | Threshold file size. The default is 2MB. Once this has been exceeded the file will be compressed. Requires SendHTMLReport and CreateZip to be true |
| Date | Optional | System.String | Specify a date to parse on. Enter date in the format: MM-DD-YYYY |
| DeviceId | Optional | System.String | Active Sync Device ID to parse on |
| DisableColumnDetect | Optional | System.Management.Automation.SwitchParameter | Disables the ability to add additional columns to the report that users may have enabled, for example time-taken. Note: If you are running against multiple files that may have different W3C headers, this switch should be used. |
| Help | Optional | System.Management.Automation.SwitchParameter | Outputs switch descriptions |
| ReportBySeconds | Optional | System.Int32 | Generates the report based on the value entered in seconds |
| Hourly | Optional | System.Management.Automation.SwitchParameter | Generates the report on a per hourly basis |
| HTMLReport | Optional | System.Management.Automation.SwitchParameter | Creates an HTML Report |
| HTMLCSVHeaders | Optional | System.String | IIS CSV headers to export on in the -HTMLReport. Defaults: "DeviceID,Hits,Ping,Sync,FolderSync,DeviceType,User-Agent" |
| IISLogs | Required | System.Array | IIS Log Directory. Example: -IISLogs D:\Server,'D:\Server 2' |
| LogParserExec | Required | System.String | Path to LogParser.exe |
| MinimumHits | Optional | System.Int32 | Minimum Hit Threshold value where the report will generate on CSV and HTML |
| SendEmailReport | Optional | System.Management.Automation.SwitchParameter | Enable Email reporting |
| SMTPRecipient | Optional | System.String | SMTP Recipient |
| SMTPSender | Optional | System.String | SMTP Sender |
| SMTPServer | Optional | System.String | SMTP Server |
| TopHits | Optional | System.Int32 | Top Hits to return. Example: -TopHits 50. This cannot be used with Hourly or ReportBySeconds |

How do you use the script?

Below are some examples (with commands) on how you can use the script and why you might use them.

Hits greater than 1000

The following command will parse all the IIS Logs in the folder W3SVC1 and only report the hits by users & devices that are greater than 1000.

.\ActiveSyncReport.ps1 -IISLog "C:\inetpub\logs\LogFiles\W3SVC1" -LogparserExec "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -ActiveSyncOutputFolder c:\EASReports -MinimumHits 1000

[In above command, script ‘ActiveSyncReport.ps1’ is located at the root of C drive, -IISLog switch specifies the default location of IIS logs, -LogparserExec switch points to the location of Log Parser executable application file, -ActiveSyncOutputFolder switch provides the location where output or result file needs to be saved, MinimumHits with a value of ‘1000’ is the script parameter explained in the above table]

[Image: script output]

Usually if a device is sending over 1000 requests per day, we consider this ‘high usage’. If the hits (requests) are above 1500, there could be an issue on the device or environment. In that case, the device & its user’s activity should be further investigated.

As a real world example, in one case we noticed there were several users who were hitting their Exchange server via EAS a lot (~25K hits, 1K hits per hour), resulting in depletion of resources on the server. Upon further investigation we saw that all of those users’ requests were resulting in a 507 error on mailbox servers on the back-end. Talking to those EAS users, we discovered that during that time period they were hitting their mailbox size limits (25 MB) & were trying to delete mail from different folders to get under the size limit. In such situations, you may also see HTTP 503 (‘TooManyJobsQueued’) responses in IIS logs for EAS requests, as described in KB: 2469722.

Isolating a specific device ID

The following command will parse all the IIS Logs in the folder C:\IISLogs and will look for the Device ID xxxxxx and display its hourly statistics.

.\ActiveSyncReport.ps1 -IISLog "C:\inetpub\logs\LogFiles\W3SVC1" -LogparserExec "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -ActiveSyncOutputFolder c:\EASReports -DeviceID xxxxxx -Hourly

[Image: script output]

With the above information you can pick a user/device and see the hourly trends. This can help identify if it’s a user action or a programmatic one.

As a real world example, in one case we had to find out which devices were modifying calendar items. So we looked at the user/device activity and sorted that by the different commands they were sending to the server. After that we concentrated on which users/devices were sending the ‘MeetingResponse’ command, along with its frequency, time period & further related details. That helped us narrow the issue to the related users and their calendar-specific activity to better address the underlying calendaring issue.

Another device-related command & error to look for is the ‘Options’ command: if it does not succeed for a device, the HTTP 409 error code is returned in the IIS log.

Isolating a single day

The following command will parse only the files that match the date 12-24-2011 in the folder W3SVC1 and will only report the hits greater than 1000.

.\ActiveSyncReport.ps1 -IISLog "C:\inetpub\logs\LogFiles\W3SVC1" -LogparserExec "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -ActiveSyncOutputFolder c:\EASReports -MinimumHits 1000 -Date 12-24-2011

[Image: script output]

With the above information you can identify users sending a high number of requests. Also, within the columns, you can see what kind of commands those users are sending. This helps in coming up with more directed & efficient troubleshooting techniques.

What Should You Look For?

When analyzing IIS logs with the help of the script, look for one specific command being sent over and over again. The frequency of particular commands is important, and any command that fails frequently also deserves a closer look. Also compare the wait times between executions of certain commands. Generally, commands that take longer to execute or that result in a delayed response from the server are suspicious & should be investigated further. Keep in mind, though, that the Ping command is an exception: it takes longer to execute and you will see it frequently in the log as well, which is expected.

If you notice continuous failures to connect for a device with an error code of 403, that could mean that the device is not enabled for EAS-based access. Sometimes mobile device users complain of connectivity issues not realizing that they’re actually not entering their credentials correctly (understandably, it’s easy to make such mistakes on mobile devices). When looking through the logs, you can focus on that user & may find that the user’s device is failing after issuing the ‘Provision’ command.
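
The checks described in this section, and the per-device counters listed under "What will you see when you use this script?", shown as an added PowerShell example; this is not the code of ActiveSyncReport.ps1 and it does not use Log Parser. The function name Get-EasDeviceStats is hypothetical, the log lines are constructed, and it assumes that the date, time and sc-status fields are logged and that devices send plain-text query strings (Cmd=...&DeviceId=...).

```powershell
# Added example. Sample log lines are constructed, not taken from a real server.
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-uri-stem cs-uri-query cs-username sc-status
2011-12-24 08:00:00 /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=APPL0001&DeviceType=iPhone CONTOSO\alice 507
2011-12-24 08:00:30 /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=APPL0001&DeviceType=iPhone CONTOSO\alice 507
2011-12-24 08:01:00 /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=APPL0001&DeviceType=iPhone CONTOSO\alice 507
2011-12-24 08:01:30 /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=APPL0001&DeviceType=iPhone CONTOSO\alice 507
2011-12-24 08:01:31 /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=APPL0001&DeviceType=iPhone - 401
2011-12-24 08:02:00 /Microsoft-Server-ActiveSync Cmd=Ping&User=bob&DeviceId=ANDR0002&DeviceType=Android CONTOSO\bob 200
2011-12-24 08:17:00 /Microsoft-Server-ActiveSync Cmd=Ping&User=bob&DeviceId=ANDR0002&DeviceType=Android CONTOSO\bob 200
2011-12-24 08:17:05 /owa/ - CONTOSO\bob 200
'@ -split "`r?`n"

function Get-EasDeviceStats {   # hypothetical name, not part of ActiveSyncReport.ps1
    param([string[]]$Lines, [int]$MinimumHits = 0)

    $fields = $null
    $stats  = @{}
    $invariant = [System.Globalization.CultureInfo]::InvariantCulture
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The column layout can differ between files, so re-read it each time.
            $fields = ($line -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ($line -like '#*' -or $line.Trim() -eq '') { continue }
        if (-not $fields) { throw 'No #Fields directive found before the first log entry.' }

        $values = $line.Trim() -split ' '
        if ($values.Count -ne $fields.Count) { continue }      # skip malformed rows
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-uri-stem'] -notlike '/Microsoft-Server-ActiveSync*') { continue }

        # Assumption: plain-text query string, one name=value pair per '&'.
        $q = @{}
        foreach ($pair in ($row['cs-uri-query'] -split '&')) {
            $kv = $pair -split '=', 2
            if ($kv.Count -eq 2) { $q[$kv[0]] = $kv[1] }
        }

        # Authenticated and unauthenticated requests from one device stay in separate rows.
        $key = '{0}|{1}' -f $q['DeviceId'], $row['cs-username']
        if (-not $stats.ContainsKey($key)) {
            $stats[$key] = [pscustomobject]@{
                DeviceId = $q['DeviceId']; User = $row['cs-username']; DeviceType = $q['DeviceType']
                Hits = 0; Sync = 0; Ping = 0; Err4xx = 0; Err5xx = 0
                Times = New-Object System.Collections.ArrayList
            }
        }
        $s = $stats[$key]
        $s.Hits++
        switch ($q['Cmd']) { 'Sync' { $s.Sync++ } 'Ping' { $s.Ping++ } }

        $status = 0
        [void][int]::TryParse($row['sc-status'], [ref]$status)
        if     ($status -ge 400 -and $status -lt 500) { $s.Err4xx++ }
        elseif ($status -ge 500 -and $status -lt 600) { $s.Err5xx++ }

        $stamp = '{0} {1}' -f $row['date'], $row['time']
        [void]$s.Times.Add([datetime]::ParseExact($stamp, 'yyyy-MM-dd HH:mm:ss', $invariant))
    }

    foreach ($s in $stats.Values) {
        if ($s.Hits -lt $MinimumHits) { continue }
        # Median gap between consecutive requests: a small, steady value points to an
        # automatic retry loop rather than to user activity.
        $t    = @($s.Times | Sort-Object)
        $gaps = @(for ($i = 1; $i -lt $t.Count; $i++) { ($t[$i] - $t[$i - 1]).TotalSeconds })
        $median = if ($gaps.Count) { @($gaps | Sort-Object)[[int][math]::Floor($gaps.Count / 2)] } else { $null }
        [pscustomobject]@{
            DeviceId = $s.DeviceId; User = $s.User; DeviceType = $s.DeviceType
            Hits = $s.Hits; Sync = $s.Sync; Ping = $s.Ping
            '4xx' = $s.Err4xx; '5xx' = $s.Err5xx; MedianGapSec = $median
        }
    }
}

# -MinimumHits 2 suits the tiny constructed sample; the article treats 1000 hits per day as high usage.
Get-EasDeviceStats -Lines $sampleLog -MinimumHits 2 |
    Sort-Object Hits -Descending |
    Format-Table -AutoSize
```

On real logs, pass the lines with `Get-Content` and raise `-MinimumHits` to the threshold you use for a day of traffic.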

Creating Reports for Monitoring

You may want to create a report or generate an e-mail with such reports and details of user activity.

The following command will parse all the IIS Logs in the folder W3SVC1 and will only report the hits greater than 1000. Additionally it will create an HTML report of the results.

.\ActiveSyncReport.ps1 -IISLog "C:\inetpub\logs\LogFiles\W3SVC1" -LogparserExec "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -ActiveSyncOutputFolder c:\EASReports -MinimumHits 1000 -HTMLReport

The following command will parse all the files in the folders C:\Server1_Logs and D:\Server2_Logs and will also email the generated report to ‘user@contoso.com’.

.\ActiveSyncReport.ps1 -IISLog "C:\Server1_Logs","D:\Server2_Logs" -LogparserExec "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -ActiveSyncOutputFolder c:\EASReports -SendEmailReport -SMTPRecipient user@contoso.com -SMTPSender user2@contoso.com -SMTPServer mail.contoso.com

We sincerely hope our readers find this script useful. Please do let us know how these scripts made your lives easier and what else can we do to further enhance it.

Konstantin Papadakis and Brian Drepaul

Special Thanks to:
M. Amir Haque, Will Duff, Steve Swift, Angelique Conde, Kary Wall, Chris Lineback & Mike Lagase

31 Comments
Not applicable

This is fantastic.

"Usually if a device is sending over 1000 requests per day, we consider this ‘high usage’. If the hits (requests) are above 1500, there could be an issue on the device or environment. In that case, the device & its user’s activity should be further investigated." This information is very important and useful which gives the idea about a typical user behavior and the user profile.

Thanks.

Not applicable

Great work, thanks!

Not applicable

Great article can you do the same for other protocols such as EWS and RCA?

Thanks

Not applicable

@Paul: Well, keep checking the blog; you never know what might show up! =)

Not applicable

The flag is actually named Minimun?

Not applicable

Anyway to set the date range to look for last 7 days.  Would work great for a weekly scheduled job with emailed report

Not applicable

Chad +1

Not applicable

@C and all: thanks for catching that typo; it was not supposed to be "MinimunHits" but rather "MinimumHits". We fixed this in the blog post and also uploaded a newer version of the script with that fixed.

Not applicable

When I moved to Exchange 2010 I noticed that our log file generation was 2-3x as on 2007.  After running this script, I see that 10-15% of our users are over 1000 hits per day, and some are close to 3000.  Could this be cause for a greater of log files being generated?  Nobody is complaining of performance issues and all the users are configured the same way (ie same cluster, URL etc.) so I cannot explain the reason for such high usage.

Not applicable

@Brendan: It would depend on what the 3000 hits are. If they are Pings then I don't think that could cause log growth. In this blog you can review the ActiveSync spec docs to see what each command can do.

Not applicable

Similar to Chad's question, can I set the Data parameter to run based on a variable.  For example, if I schedule this to run each day, I would want to pull just the previous day's log files -- Today's date minus one.  Can that be done?

Not applicable

It would be very useful to build this sort of functionality into the Exchange 2010 MP for SCOM if possible.

Not applicable

@VRunyon: Try this

-Date $(get-date (get-date).Adddays(-1) -Format "MM-dd-yyyy")

Not applicable

I tried to post earlier, but it didn't get through. Anyway.... good work on this one. I appreciate this tool. I pulled numbers from my environment and we are getting an entry that shows the username and then one entry that shows no user name. So every device has two entries: one with a username and one that is blank. The one that shows no username is generating the same number of 4xxx errors as hits. We only use iPhones in our environment. Any idea why we would see the entry with no username associated to it, and how can we determine the actual 4xxx error that is being generated? Is it normal for an iPhone to generate a lot of 4xxx errors? Also, what qualifies as a "hit?" Thanks for the blog. It has helped me a great deal.

Not applicable

OT: When Exchange Management Shell will support transactions?

Not applicable

@John1975: I have gotten this question more than once. What is happening is a device is coming in with an authenticated request. This will be all in the row with a user name. The second row with the same DeviceId is an unauthenticated request. This could be an app on the device attempting to access the Mailbox but not dissipating the request to the Mail app but trying to do the request on its own. As you stated for each Hit we see a 4xx count. This is because the request was denied with a response 401 or 403.

As to the question regarding what quantifies a Hit, any HTTP request that is logged in IIS and is sent to the URI stem of /Microsoft-Server-ActiveSync.

Not applicable

When I run the script, I'm getting the following with the error below.  The CSV file remains empty.  Does anyone know why? Thanks for this tool!

Building Log Parser Query...

Gathering Statistical data

Running Log Parser Command against the IIS Log(s): c:\inetpub\logs\logfiles\w3svc1\*.log

Error: Cannot find #Fields directive

LogParser Command finished CSV, File location: c:\easreports\EASyncOutputReport-Multiple_Files.csv

Not applicable

I'm getting an error when running the script that cs-uri-query is an unknown field. I've tried it with and without the -disablecolumndetect switch, it doesn't help.

[PS] F:\Program Files\Microsoft\Exchange Server\Scripts\Custom Scripts>.\ActiveSyncReport.ps1 -IISLog "\\<servername>\e$\logfiles\W3SVC1" -LogparserExec "C:\Program Files\Log Parser 2.2\LogParser.exe" -ActiveSyncOutputFolder F:_SourceCAS -MinimunHits 1000 -disablecolumndetect "cs-uri-query"

Building Log Parser Query...

Gathering Statistical data

Running Log Parser Command against the IIS Log(s): \\<servername>\e$\logfiles\W3SVC1\*.log

Error: SELECT clause: Syntax Error: unknown field 'cs-uri-query'

To see valid fields for the W3C input format type:

LogParser -h -i:W3C

LogParser Command finished CSV, File location: C:\Temp\EASyncOutputReport-cs-uri-query_.csv

Not applicable

Perhaps you like to correct the example and description for the "-Date"-Parameter:

the script expects the format YYYY-MM-DD: "... if ($date) { Date should be in YYYY-MM-DD format..." (from inside the script) and throws here an error for "-Date 31-01-2012":

PS C:\tmp> .\ActiveSyncReport.ps1 ... -Date 01-31-2012 ....

Get-Date : Der Parameter "Date" kann nicht gebunden werden. Der Wert "01-31-2012" kann nicht in den Typ "System.DateTime" konvertiert werden. Fehler: "Die Zeichenfolge wurde nicht als gültiges DateTime erkannt."

Bei C:\tmp\ActiveSyncReport.ps1:697 Zeichen:28

+                 $filterdate = (Get-Date <<<<  $date -format yyMMdd)

   + CategoryInfo          : InvalidArgument: (:) [Get-Date], ParameterBindingException

   + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.GetDateCommand

"-Date 2012-01-31 ...." works.

Not applicable

Nice!

ex-VMC boys getting it done ;)

Not applicable

@Brian:  Thanks for the date parameters -- it works perfectly!  

This script was a lifesaver for our Exchange server last week when I found the post.  Log files were being generated like crazy, filling up the volume and threatening to crash the server.  I could use ExMon to see which user was generating the logs but without your script I didn't know why.  Turns out that he had a bad calendar entry that had generated over 11,000 meeting requests in 11 hours and his iPhone was attempting to sync over 18 times per minute to resolve this meeting request.  We turned off his calendar sync and the traffic died off immediately.

Again, thanks for the info!

Not applicable

good job, Thank you

Not applicable

Several bugs in the script:

Line 721: replace with

if ($IISLogs.Count -gt 1) {

Also I suggest to declare IISLogs with type [String[]] rather than [array] (line 48); this makes the script deal better with passed array of paths.

In Create-HTML, around line 593-602 - the function works but this is somehow by chance :) :

Replace

>>
$html = ConvertTo-HTML -Head $HTMLHeader -Body $body
$body = "<h2><TT>Exchange ActiveSync Report on $title<TT></h2><TT>For additional <b>unfiltered</b> information on device hits please refer to the CSV $outfile</TT><BR /><BR />"
if ($table.count -le 0) {
$body += "No Devices have excited the Minimum Number of Hits (<b>$MinimumHits</b>)"
}
else { $body += ($table | Select $HTMLCSVHeaders.split(",") | ConvertTo-HTML -Fragment) }
$body += "</body></html>"
return ($HTMLHeader += $body)
<<

with

>>
$body = "<h2><TT>Exchange ActiveSync Report on $title<TT></h2><TT>For additional <b>unfiltered</b> information on device hits please refer to the CSV $outfile</TT><BR /><BR />"
if ($table.count -le 0) {
$body += "No Devices have excited the Minimum Number of Hits (<b>$MinimumHits</b>)"
}
else { $body += ($table | Select $HTMLCSVHeaders.split(",") | ConvertTo-HTML -Fragment) }
$body += "</body></html>"
ConvertTo-HTML -Head $HTMLHeader -Body $body
<<

Not applicable

Also line 698:

Replace line:

Write-Host "Trying to find IIS logs from this date: $title"

With:

Write-Host "Trying to find IIS logs from this date: $filterdate"

Not applicable

This is fantastic, I have clubbed it with my script to troubleshoot fast growing transactional logs

exchangedomino.wordpress.com/.../troubleshooting-fast-growing-transactional-logs-part-2

Not applicable

I ran this in my organization, I have about 100 users that are well over 1k hits, some users had 40k, 50k, 100k, even 175 hits, all of these requests for 'Sync' commands. How do we block this? the 175k was an iPad on the latest iOS 5 software..Some of these devices are essentially sending a 'Sync' command every second if not 3 times every second. I don't think throttling helps as this basically stops 'concurrent' connections, however how do we stop devices so they only send 'Sync' command or we only 'accept' sync commands on particular intervals so they do not send 100k requests in 24 hours for example. This is killing CAS.

Not applicable

@Frenchie: The best thing to do is to remove the partnership from the device thus stopping the device from attempting to sync at all. Now that is not the best thing for the end user. If possible identify what is wrong with the device (known build issue and upgrade, user workflow education, 3rd party installed on device that is causing the issue). Also, some organizations cannot afford to wait for a user to disable the device so there are ways with reverse proxy server/device (Ex. Threat Management Gateway) to block the User or User-Agent (if known bad device). This will allow the Exchange environment to be functional and give the admin time to work out the issues with the suspect device.

Copper Contributor

Will this script support Exchange 2016 & O365 hybrid environment ? Thank you !

Version history
Last update: Apr 27 2020 02:27 PM