Supporting Windows 8 Mail App in the Enterprise

In a recent project we faced an interesting problem using the Windows 8 Mail app.

Windows 8 includes a built-in email app named Mail (also referred to as Windows 8 Mail or the Windows 8 Mail app). We used a standard user account without any local admin privileges, logged on to the domain, and tried to add our Exchange information to the Mail app. After we added the account information, an error popped up: “To sync username@yourdomainname.com, you will need to change this PC’s settings to match the mail server’s security settings.”


After investigating this error, we found that there are a few settings enterprises need to prepare before using the Mail app in an environment with locked-down user rights.

The Windows 8 Mail app lets users synchronize with Exchange using Exchange ActiveSync (EAS). When you add your account to the Mail app, your Exchange policies are pushed down and the stronger policy takes precedence (https://blogs.technet.com/b/exchange/archive/2012/11/26/supporting-windows-8-mail-in-your-organization.aspx). If your EAS policy is stronger than your domain or local policy, the Windows Policy Engine requires admin access to apply the policy changes. Since non-admins are not allowed to make changes to computer/account configurations, you get the error documented above.

As a next step, compare the policy that is applied on the device(s) against what is being requested by the Exchange server.

Check that the corresponding Group Policy (Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options /) has the same settings as you have configured in Exchange. If both are identical, you can add your Exchange account without getting any popup.

AllowSimpleDevicePassword       : Windows Policy Engine would try to apply this policy
MaxInactivityTimeDeviceLock     : Windows Policy Engine would try to apply this policy
MaxDevicePasswordFailedAttempts : Windows Policy Engine would try to apply this policy
DevicePasswordExpiration        : Windows Policy Engine would try to apply this policy
DevicePasswordHistory           : Windows Policy Engine would try to apply this policy
RequireDeviceEncryption         : Windows Policy Engine would try to apply this policy
MinDevicePasswordComplexCharacters : domain accounts, password length and complex characters are not governed by EAS
MinDevicePasswordLength            : domain accounts, password length and complex characters are not governed by EAS
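
The comparison described above can be sketched as follows. This is an added example, not code from the original post: the setting names come from the list above, while the function name `Compare-EasPolicy`, the hashtable input format (values already normalized to the same units, `$null` meaning "not enforced") and all sample values are assumptions constructed for illustration.

```powershell
# Direction in which each EAS setting from the post's list becomes stricter.
# The two MinDevicePassword* settings are left out because, per the post,
# they are not governed by EAS for domain accounts.
$Direction = [ordered]@{
    AllowSimpleDevicePassword       = 'FalseIsStricter'
    RequireDeviceEncryption         = 'TrueIsStricter'
    MaxInactivityTimeDeviceLock     = 'LowerIsStricter'   # minutes (assumed unit)
    MaxDevicePasswordFailedAttempts = 'LowerIsStricter'
    DevicePasswordExpiration        = 'LowerIsStricter'   # days (assumed unit)
    DevicePasswordHistory           = 'HigherIsStricter'
}

function Compare-EasPolicy {
    # Hypothetical helper: $Requested = what Exchange asks for,
    # $Local = what domain/local policy already enforces on the PC.
    param([hashtable]$Requested, [hashtable]$Local)
    foreach ($name in $Direction.Keys) {
        $eas = $Requested[$name]
        $loc = $Local[$name]
        if ($null -eq $eas) { continue }   # Exchange does not request this setting
        $stricter = switch ($Direction[$name]) {
            'FalseIsStricter'  { (-not $eas) -and ($null -eq $loc -or $loc) }
            'TrueIsStricter'   { $eas -and -not $loc }
            'LowerIsStricter'  { $null -eq $loc -or $eas -lt $loc }
            'HigherIsStricter' { $eas -gt [int]$loc }     # $null local counts as 0
        }
        [pscustomobject]@{
            Setting     = $name
            Exchange    = $eas
            Local       = $loc
            EasStricter = [bool]$stricter   # $true: policy engine would need admin rights
        }
    }
}

# Constructed sample values, not taken from a real environment.
$exchange = @{
    AllowSimpleDevicePassword = $false; RequireDeviceEncryption = $false
    MaxInactivityTimeDeviceLock = 15;   MaxDevicePasswordFailedAttempts = 8
    DevicePasswordExpiration = 90;      DevicePasswordHistory = 5
}
$local = @{
    AllowSimpleDevicePassword = $false; RequireDeviceEncryption = $false
    MaxInactivityTimeDeviceLock = $null; MaxDevicePasswordFailedAttempts = 5
    DevicePasswordExpiration = 42;       DevicePasswordHistory = 24
}
Compare-EasPolicy $exchange $local | Format-Table -AutoSize
```

With these sample values only MaxInactivityTimeDeviceLock is reported with EasStricter set to True, because no inactivity lock is enforced locally; that is the kind of setting to align in Group Policy before a standard user adds the account.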

 

 

This post was contributed by Lutz Seidemann, a Solution Architect with Microsoft Consulting Services.

The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples is subject to the terms specified in the Terms of Use.

Comments

  • Anonymous
    January 01, 2003
    thanks

  • Anonymous
    May 29, 2013
    Hi - It seems to be impossible to define a user display name in outgoing mail. The Win 8 mail app seems to magically grab it from somewhere and completely ignores what is defined in account settings 'Your Name'. This seems bafflingly amateurish. I have no idea how to report the issue. Maybe you do. Thanks.

  • Anonymous
    November 13, 2013
    Is there a way to configure the mail app with a script? Best would be powershell. So add Accounts automatically for the domain users.

  • Anonymous
    October 08, 2014
    Thanks for this, I also found this link helpful when trying to link the ActiveSync policies to Group Policy settings. http://technet.microsoft.com/en-gb/library/dn282287.aspx

  • Anonymous
    February 06, 2015
    Hey there,

    thanks for this article.

    I found a solution to set the EAS policies without admin privileges.
    Once you successfully configure a client you can see your EAS policies at:

    "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\EAS\Policies"

    You can distribute these DWORDs (no subkeys) via GPO; after that the users were able to configure the Mail app without admin privileges.