Supporting Windows 8 Mail App in the Enterprise
In a recent project we faced an interesting problem using the Windows 8 Mail app.
Windows 8 includes a built-in email app named Mail (also referred to as Windows 8 Mail or the Windows 8 Mail app). We used a standard user account without any local admin privileges, logged on to the domain, and tried to add our Exchange information to the Mail app. After we added our account information, an error popped up: “To sync username@yourdomainname.com, you will need to change this PC’s settings to match the mail server’s security settings.”
After some investigation of this error, we found that there are a few settings enterprises need to prepare before using the Mail app in an environment with locked-down user rights.
The Windows 8 Mail app uses Exchange ActiveSync (EAS) for Exchange synchronization. When you add your account to the Mail app, your Exchange policies are pushed down and the stronger policy takes precedence (https://blogs.technet.com/b/exchange/archive/2012/11/26/supporting-windows-8-mail-in-your-organization.aspx). If your EAS policy is stronger than your domain or local policy, the Windows Policy Engine requires admin access to apply the policy changes. Since non-admins are not allowed to make changes to computer/account configurations, you get the error documented above.
As a next step, compare the policy that is applied on the device(s) against what is being requested by the Exchange server.
Check the corresponding Group Policy (Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options /) and make sure it has the same settings as you have configured in Exchange. If both are identical, you can add your Exchange account without getting any popup.
AllowSimpleDevicePassword : Windows Policy Engine would try to apply this policy
MaxInactivityTimeDeviceLock : Windows Policy Engine would try to apply this policy
MaxDevicePasswordFailedAttempts : Windows Policy Engine would try to apply this policy
DevicePasswordExpiration : Windows Policy Engine would try to apply this policy
DevicePasswordHistory : Windows Policy Engine would try to apply this policy
RequireDeviceEncryption : Windows Policy Engine would try to apply this policy
MinDevicePasswordComplexCharacters : for domain accounts, password length and complex characters are not governed by EAS
MinDevicePasswordLength : for domain accounts, password length and complex characters are not governed by EAS
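The comparison step described above can be scripted. The following PowerShell sketch is an added example, not code from the original post or from Microsoft: it flags each of the six settings where the EAS policy asks for more than the device already enforces, which is the case that needs admin rights. The function names, the sample values and the direction treated as "stronger" for each setting are assumptions made for illustration.

```powershell
# Added example: all values below are constructed, not read from a real server or client.
# Assumption: which direction counts as "stronger" for each setting.
$rules = [ordered]@{
    AllowSimpleDevicePassword       = 'FalseIsStronger'
    MaxInactivityTimeDeviceLock     = 'LowerIsStronger'    # minutes
    MaxDevicePasswordFailedAttempts = 'LowerIsStronger'
    DevicePasswordExpiration        = 'LowerIsStronger'    # days
    DevicePasswordHistory           = 'HigherIsStronger'
    RequireDeviceEncryption         = 'TrueIsStronger'
}

# Hypothetical helper: is the value requested by EAS stronger than the local one?
function Test-EasStronger {
    param($Rule, $EasValue, $LocalValue)
    if ($null -eq $EasValue)   { return $false }   # EAS does not request this setting
    if ($null -eq $LocalValue) { return $true }    # nothing is enforced locally yet
    switch ($Rule) {
        'LowerIsStronger'  { return $EasValue -lt $LocalValue }
        'HigherIsStronger' { return $EasValue -gt $LocalValue }
        'TrueIsStronger'   { return $EasValue -and -not $LocalValue }
        'FalseIsStronger'  { return (-not $EasValue) -and $LocalValue }
    }
}

# Hypothetical helper: one row per setting; NeedsAdmin marks the gaps to close in Group Policy.
function Compare-EasToLocalPolicy {
    param([hashtable]$EasPolicy, [hashtable]$LocalPolicy)
    foreach ($name in $rules.Keys) {
        [pscustomobject]@{
            Setting    = $name
            Eas        = $EasPolicy[$name]
            Local      = $LocalPolicy[$name]
            NeedsAdmin = Test-EasStronger -Rule $rules[$name] -EasValue $EasPolicy[$name] -LocalValue $LocalPolicy[$name]
        }
    }
}

# Constructed sample: the EAS policy as configured in Exchange ...
$eas = @{ AllowSimpleDevicePassword = $false; MaxInactivityTimeDeviceLock = 15
          MaxDevicePasswordFailedAttempts = 8; DevicePasswordExpiration = 90
          DevicePasswordHistory = 5; RequireDeviceEncryption = $false }
# ... and the policy currently effective on the device (lock timeout and history are weaker).
$gpo = @{ AllowSimpleDevicePassword = $false; MaxInactivityTimeDeviceLock = 30
          MaxDevicePasswordFailedAttempts = 8; DevicePasswordExpiration = 90
          DevicePasswordHistory = 3; RequireDeviceEncryption = $false }

Compare-EasToLocalPolicy $eas $gpo | Format-Table -AutoSize
```

With these sample values, only MaxInactivityTimeDeviceLock and DevicePasswordHistory are flagged; aligning those two in Group Policy removes the need for the Policy Engine to change anything on the device.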
This post was contributed by Lutz Seidemann, a Solution Architect with Microsoft Consulting Services.
The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use.
Comments
Anonymous
January 01, 2003
thanks
Anonymous
May 29, 2013
Hi - It seems to be impossible to define a user display name in outgoing mail. The Win 8 mail app seems to magically grab it from somewhere and completely ignores what is defined in account settings 'Your Name'. This seems bafflingly amateurish. I have no idea how to report the issue. Maybe you do. Thanks.
Anonymous
November 13, 2013
Is there a way to configure the mail app with a script? Best would be PowerShell. So add Accounts automatically for the domain users.
Anonymous
October 08, 2014
Thanks for this, I also found this link helpful when trying to link the ActiveSync Policies to Group Policy settings.
http://technet.microsoft.com/en-gb/library/dn282287.aspx
Anonymous
February 06, 2015
Hey there,
thanks for this article.
I found a solution to set the EAS policies without Admin privileges.
Once you successfully configure a Client you can see your EAS-Policies at:
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\EAS\Policies"
You can distribute these DWORDs (no subkeys) via GPO, after that the users were able to configure the MailApp without Admin privileges