I just had a problem with some newly created shared mailboxes not getting properly configured in ProofPoint using an LDAP import. I narrowed the problem down to this AD attribute msExchUserAccountControl being set to 2 (disabled), and the import profile using that attribute to filter out disabled accounts.
I know that when creating a shared mailbox the AD object itself is disabled (AD attribute Enabled = False), and that's a big part of the reason to use shared mailboxes, but why is the mailbox also disabled on the AD object?
When the user is disabled in AD, certain properties of the mailbox are stored in the Information Store instead of the AD object. That flag tells Exchange to look in the IS instead of the AD object.
Why ProofPoint is filtering out those objects is (based on my limited knowledge of the ProofPoint product) that the users who send on behalf of the mailbox won't have access to the keys to decrypt or authenticate incoming messages for that mailbox. But that is a question to ask them.
And don't bother changing that property because the Recipient Update Service will just change it back.
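Added example, not part of the original thread: a read-only audit that lists the mail-enabled objects an import filter on msExchUserAccountControl=2 would drop and breaks them down by recipient type, so shared mailboxes can be told apart from user mailboxes whose accounts were disabled on purpose. It assumes the RSAT ActiveDirectory module, an on-premises Exchange schema that populates msExchRecipientTypeDetails, and that the import profile excludes exactly the objects matched by the LDAP clause below (the real ProofPoint filter is not shown in the thread).

```powershell
# Added example (not from the thread). Read-only: nothing is modified in AD.
Import-Module ActiveDirectory

# Assumption: the import profile drops every object matching this clause.
$droppedFilter = '(&(mail=*)(msExchUserAccountControl=2))'
$props = 'mail', 'msExchUserAccountControl', 'msExchRecipientTypeDetails'

$report = Get-ADUser -LDAPFilter $droppedFilter -Properties $props |
    ForEach-Object {
        # Map the on-premises msExchRecipientTypeDetails values to names.
        $type = switch ($_.msExchRecipientTypeDetails) {
            1       { 'UserMailbox' }
            4       { 'SharedMailbox' }
            16      { 'RoomMailbox' }
            32      { 'EquipmentMailbox' }
            default { "Other ($_)" }
        }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Mail           = $_.mail
            AccountEnabled = $_.Enabled
            ExchUAC        = $_.msExchUserAccountControl
            RecipientType  = $type
        }
    }

# How many objects of each type the filter removes from the import.
$report | Group-Object RecipientType |
    Sort-Object Count -Descending |
    Select-Object Name, Count |
    Format-Table -AutoSize

# The shared mailboxes specifically, i.e. the objects from the question.
$report | Where-Object RecipientType -eq 'SharedMailbox' |
    Sort-Object SamAccountName |
    Format-Table SamAccountName, Mail, AccountEnabled, ExchUAC -AutoSize
```

Room and equipment mailboxes are also backed by disabled accounts, so they normally show up in the same report alongside the shared mailboxes.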