Microsoft has just released the following KB Article:
Conditional Access is slow to unblock devices for email access in System Center Configuration Manager
Symptoms
When you run Microsoft System Center 2012 R2 Configuration Manager Service Pack 1 or System Center 2012 Configuration Manager Service Pack 2 on a server, you may experience the following performance issue or race condition:
- Performance issueAfter Conditional Access is enabled and deployed, and devices are enrolled and compliant with the compliance policies that are deployed, performance tests reveal up to a 10-minute delay to unblock devices so that they start to receive email messages. The unblocking of devices occurs when compliance messages are received through a fast channel. This processing had dependencies that caused delays.
This update removes the dependencies on data and obtains this data from the fast compliance messages instead. This provides significant improvement in unblocking time. The unblocking time after the fix is typically less than 1 minute.
- Race conditionIf you set up on-premises Conditional Access during the Exchange Connector’s full/delta sync, a race condition may occur in a rare scenario. This prevents the Conditional Access Policy from taking effect.
This issue occurs because hybrid conditional access may not be enabled during a full sync of the System Center Configuration Manager Exchange Connector. During the full sync, a shared SQL connection can sometimes prevent the Conditional Access Policy from writing against SQL.
This update locks the SQL connection during the enabling of Conditional Access.