Supporting Windows 8 Mail App in the Enterprise
In a recent project we faced an interesting problem using the Windows 8 Mail app.
Windows 8 includes a built-in email app named Mail (also referred to as Windows 8 Mail or the Windows 8 Mail app). We used a standard user account without any local admin privileges, logged on to the domain and tried to add our Exchange information to the Mail app. After adding our account information, an error popped up: “To sync firstname.lastname@example.org, you will need to change this PC’s settings to match the mail server’s security settings.”
After some investigation of this error we found out there are a few settings enterprises need to prepare before using the Mail app in an environment with locked-down user rights.
The Windows 8 Mail app lets users synchronize with Exchange over Exchange ActiveSync (EAS). When you add your account to the Mail app, your Exchange policies are pushed down and the stronger policy takes precedence (http://blogs.technet.com/b/exchange/archive/2012/11/26/supporting-windows-8-mail-in-your-organization.aspx). If your EAS policy is stronger than your domain or local policy, the Windows Policy Engine requires admin access to apply the policy changes. Since non-admins are not allowed to make changes to computer/account configurations, you will get the error documented above.
As a next step, compare the policy that is applied on the device(s) against what is being requested by the Exchange server.
Set the corresponding Group Policy (Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options /) to the same settings as you have configured in Exchange. If both are identical, you can add your Exchange account without getting any popup.
AllowSimpleDevicePassword: Windows Policy Engine would try to apply this policy
MaxInactivityTimeDeviceLock: Windows Policy Engine would try to apply this policy
MaxDevicePasswordFailedAttempts: Windows Policy Engine would try to apply this policy
DevicePasswordExpiration: Windows Policy Engine would try to apply this policy
DevicePasswordHistory: Windows Policy Engine would try to apply this policy
RequireDeviceEncryption: Windows Policy Engine would try to apply this policy
MinDevicePasswordComplexCharacters: for domain accounts, password length and complex characters are not governed by EAS
MinDevicePasswordLength: for domain accounts, password length and complex characters are not governed by EAS
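The comparison described above, as an added PowerShell example (not code from the original post or from Microsoft): it flags each of the six settings the Policy Engine would try to apply where the Exchange value is stricter than what the PC already enforces, which is the case that needs admin rights. The sample values, the units, the use of 'Unlimited' for "no limit", and the names Test-EasStricter, $Rules, $EasPolicy and $LocalPolicy are assumptions; fill the two tables from your own Exchange policy and effective Group Policy.

```powershell
# Added example. All values are constructed sample data, not from a real system.
# Direction in which each setting gets stricter (assumed semantics).
$Rules = [ordered]@{
    AllowSimpleDevicePassword       = 'FalseIsStricter'
    MaxInactivityTimeDeviceLock     = 'LowerIsStricter'   # minutes (assumed unit)
    MaxDevicePasswordFailedAttempts = 'LowerIsStricter'
    DevicePasswordExpiration        = 'LowerIsStricter'   # days (assumed unit)
    DevicePasswordHistory           = 'HigherIsStricter'
    RequireDeviceEncryption         = 'TrueIsStricter'
}

# Returns $true when the EAS value is stricter than the local value.
function Test-EasStricter {
    param($Rule, $Eas, $Local)
    switch ($Rule) {
        'FalseIsStricter'  { return ((-not $Eas) -and $Local) }
        'TrueIsStricter'   { return ($Eas -and (-not $Local)) }
        'HigherIsStricter' { return ([int]$Eas -gt [int]$Local) }
        'LowerIsStricter'  {
            # 'Unlimited' is the weakest value; string on the left avoids an int conversion.
            if ('Unlimited' -eq "$Eas")   { return $false }
            if ('Unlimited' -eq "$Local") { return $true }
            return ([int]$Eas -lt [int]$Local)
        }
    }
}

# What Exchange requests (constructed values).
$EasPolicy = @{ AllowSimpleDevicePassword = $false; MaxInactivityTimeDeviceLock = 15
                MaxDevicePasswordFailedAttempts = 8; DevicePasswordExpiration = 90
                DevicePasswordHistory = 5; RequireDeviceEncryption = $false }
# What domain/local policy already enforces on the PC (constructed values).
$LocalPolicy = @{ AllowSimpleDevicePassword = $false; MaxInactivityTimeDeviceLock = 'Unlimited'
                  MaxDevicePasswordFailedAttempts = 10; DevicePasswordExpiration = 90
                  DevicePasswordHistory = 24; RequireDeviceEncryption = $false }

$report = foreach ($name in $Rules.Keys) {
    [pscustomobject]@{
        Setting    = $name
        Eas        = $EasPolicy[$name]
        Local      = $LocalPolicy[$name]
        NeedsAdmin = Test-EasStricter $Rules[$name] $EasPolicy[$name] $LocalPolicy[$name]
    }
}
$report | Format-Table -AutoSize

$gaps = @($report | Where-Object { $_.NeedsAdmin } | ForEach-Object { $_.Setting })
if ($gaps.Count -gt 0) {
    'Align Group Policy before standard users add the account: ' + ($gaps -join ', ')
} else {
    'Local policy already meets the EAS policy.'
}
```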
This post was contributed by Lutz Seidemann, a Solution Architect with Microsoft Consulting Services.