Supporting Windows Mail 8.1 in your organization
Windows 8.1 and Windows RT include a built-in email app named Windows Mail. Mail includes support for IMAP and Exchange ActiveSync (EAS) accounts.
This article includes some key technical details of Windows Mail in Windows 8.1. (See Supporting Windows 8 Mail in your organization for Windows 8.0.) Use the information to help you support the use of Mail in your organization. Read this article start to finish, or jump to the topic that interests you. Use the reference links throughout the article for more information.
NOTE Mail, Calendar, and People apps run on Windows 8.1 and Windows RT. Although this article discusses the Mail app, please note that much of the information in this article also applies to the Calendar, and People apps. When connected to a server that supports Exchange ActiveSync, the Calendar, and People apps may also display data that was downloaded over the Exchange ActiveSync connection.
Protocol Support
Mail lets users connect to any service provider that supports either of the following two protocols:
Protocol | Protocol versions & standards | Functionality |
---|---|---|
Exchange ActiveSync (EAS) |
|
|
IMAP + SMTP |
|
|
Post Office Protocol (POP) is not supported.
NOTE All Windows Communications apps (Mail, Calendar, and People) can use the data that is synchronized using Exchange ActiveSync. After a user connects to their account in the Mail app, their contacts and calendar data is available in the other Windows Communications Apps and vice versa.
Sync Configuration
Mail can be configured to synchronize data at different times as follows:
- Push email (default)
- Polling at fixed intervals
- Manually
If a push email connection can’t be established, it will automatically switch to poll at fixed intervals.
Push Email
Push email requires that accounts are either Exchange ActiveSync (which all support Push) or IMAP with the IDLE extension. Not all IMAP servers support IDLE, and it is supported only for the Inbox folder.
When a push connection can’t be established, Mail will change to polling on 30 minute intervals. Push email on Exchange ActiveSync requires that HTTP connections must be maintained for up to 60 minutes, and IMAP IDLE requires TCP connections to be maintained for up to 30 minutes.
Account Setup Features
Windows 8.1 and Windows RT users can add email accounts to Mail using the Settings charm. The Settings charm is always available on the right side of the Windows 8.1 and Windows RT screen. (For more visual details about Charms & the Windows 8.1 user interface, see Search, share, print & more.)
NOTE This section provides an overview of account setup in Mail. For step-by-step procedures for setting up an account, see What else do I need to know? at the end of this guide.
To make it as easy as possible to add accounts, account setup only prompts the user to enter the email address and password for the account they want to set up. From that data, Mail attempts to automatically configure the account as follows:
- The domain portion of the email address is matched against a database of well-known service providers (such as Outlook.com). If it’s a match, its settings are automatically configured.
- The domain portion of the email address is used to discover the user's email settings using the Autodiscover.
- If automatic configuration fails, the user is prompted for additional details such as an email server name and domain name.
Add an Exchange ActiveSync account
If automatic configuration fails, the following additional information is required to connect to a server via Exchange ActiveSync:
- Server address
- Domain
- Username
Add an IMAP/SMTP account
The information required to connect to a server via IMAP/SMTP is:
- Email address
- Username
- Password
- IMAP email server
- IMAP SSL (if your IMAP server requires SSL encryption)
- IMAP port
- SMTP email server
- SMTP SSL (if your SMTP server requires SSL encryption)
- SMTP port
- Whether SMTP server requires authentication
- Whether SMTP uses the same credentials as IMAP (If not, user must also provide SMTP credentials)
Security Features
Mail provides administrators with some level of security through Exchange ActiveSync policies (Mobile Device Mailbox Policies in Exchange 2013). It doesn’t support any means of managing or securing PCs that are connected via IMAP. EAS includes support for certificate-based authentication and remote wipe.
Exchange ActiveSync Policy Support
Exchange ActiveSync devices can be managed using Exchange ActiveSync policies. Mail supports the following EAS policies. :
- Password required
- Allow simple password
- Minimum password length (to a maximum of 8 characters)
- Number of complex characters in password (to a maximum of 2 characters)
- Password history
- Password expiration
- Device encryption required (on Windows RT and editions of Windows that support BitLocker. See What's New in BitLocker for details about BitLocker improvements in Windows 8.1.)
- Maximum number of failed attempts to unlock device
- Maximum time of inactivity before locking
Important If AllowNonProvisionableDevices is set to false in an EAS policy and the policy contains settings that are not part of this list, the device won’t be able to connect to the Exchange server.
Getting into Compliance
Most of the policies listed above can be automatically enabled by Mail, but there are certain cases where the user has to take action first. These are:
- Server requires device encryption:
- User has a device that supports BitLocker but BitLocker isn’t enabled. User must manually enable BitLocker.
- User has a Windows RT device that supports device encryption but it is suspended. User must reboot.
- User has a Windows RT device that supports device encryption, but it isn’t enabled. User must sign into Windows with a Microsoft account.
- An admin on this PC doesn’t have a strong password: All admin accounts must have a strong password before continuing.
- The user’s account doesn’t have a strong password: User must set a strong password before continuing.
Windows 8 Picture Passwords and ActiveSync Policy
If a Windows 8.x user uses a picture password and Exchange ActiveSync policy requires a password, the user will still need to create and enter a password in accordance with the policy.
ActiveSync Policy v/s Group Policy on domain-joined Windows 8.1 devices
If a Windows 8.1 PC is joined to an Active Directory domain and controlled by Group Policy, there may be conflicting policy settings between Group Policy and an Exchange ActiveSync policy. In the event of any conflict, the strictest rule in either policy takes precedence. The only exception is password complexity rules for domain accounts. Group policy rules for password complexity (length, expiry, history, number of complex characters) take precedence over Exchange ActiveSync policies – even if group policy rules for password complexity are less strict than Exchange ActiveSync rules, the domain account will be deemed in compliance with Exchange ActiveSync policy.
Certificate-Based Authentication
Communications applications can connect to a corporate Exchange service configured to require certificate-based authentication. User authentication certificates can be provisioned to Windows 8.1 devices by administrators or end-users can browse to certificate and install to user certificate storage.
User can add and connect an email account using a certificate. (For account setup, password entry is required per standard account setup.) User may be prompted to give the Mail application permission to access their user certificate, and should accept the prompt to enable certificate usage. In cases where multiple certificates are available, the user can go to account Settings to select the desired certificate.
Non-PIN protected software certificates are supported.
Remote Wipe
Mail supports the Exchange ActiveSync remote wipe directive, but unlike Windows Phone (which deletes all data on the device), Mail scopes the data deleted to the specified Exchange ActiveSync account for which the remote wipe command is issued. The user's personal data is not deleted. Additionally, attachments saved from that account are made inaccessible.
For example, if a user has an Outlook.com account for personal use and a Contoso.com account for work use, a remote wipe directive from the Contoso.com server would impact Windows 8.1 and Windows Phone 7 as follows:
Data | Windows Phone 7 | Windows 8.1 Mail |
---|---|---|
Contoso.com email | Deleted | Deleted |
Contoso.com contacts | Deleted | Deleted |
Contoso.com calendars | Deleted | Deleted |
Contoso.com attachments | Deleted | Not deleted, but not accessible |
Outlook.com email | Deleted | Not deleted |
Outlook.com contacts | Deleted | Not deleted |
Outlook.com calendars | Deleted | Not deleted |
Outlook.com attachments | Deleted | Not deleted |
Other documents, files, pictures, etc. | Deleted | Not deleted |
Account Roaming
To make it as easy as possible for users to have all of their accounts set up on all of their devices, Windows 8.1 uploads vital account information to the user’s Microsoft account. This information includes email address, server, server settings, and password. When a user signs into a new PC with their Microsoft account, their email accounts are automatically set up for them.
Passwords are not uploaded from a PC for any accounts which are controlled by any Exchange ActiveSync policies. Users will have to enter their password to begin syncing a policy-controlled account on a new PC.
If using client certificate authentication, the client certificate, and the certificate selection for an account will not be roamed. Users will have to select their desired client certificate to begin syncing a client certificate account on a new PC.
Microsoft Accounts
By default, users are required to have a Microsoft account, formerly known as Windows Live ID, to use the Windows Communications apps. This will usually be the Microsoft account that the user is signed into Windows with, but if they have not done so, they will be prompted to provide one before proceeding.
If the Microsoft account is… | Mail will… |
---|---|
Outlook.com or Hotmail account | Automatically sync email, Calendar and Contacts using Exchange ActiveSync |
Not an Outlook.com or Hotmail account (for example, dave@contoso.com) |
Prompt the user to provide password for their email account |
Can my organization remove the requirement for a Microsoft account?
You can apply a Group Policy to a device to make a Microsoft Account optional for the Windows Communications apps.
Note, the Group Policy setting is configured in Computer Configuration node in the Group Policy and applies to all users of the computer/device to which it's applied. The policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. Windows RT devices can use Local Group Policy.
To apply the Group Policy setting:
- Launch GPEdit by opening the “run” prompt (Windows key + r), and entering GPEdit.msc
- Go to Computer Configuration > Administrative Templates > Windows Components > App runtime
- Select Allow Microsoft accounts to be optional to configure the policy
If the Group Policy is applied and a Microsoft account is not used, the Communications apps will:
- Prompt the user for a work account (i.e. an Exchange ActiveSync account) password
- If account credentials are provided, use Exchange ActiveSync to synchronize email, Contacts and Calendar from the work account
A user can add additional accounts if desired. You can use corporate firewalls or other mechanisms to block access to any consumer email services as needed.
The following functionality will be unavailable to a user without a Microsoft Account:
- Windows Store Application Installs
- Account Settings roaming to additional devices
- Connectivity to additional 3rd party services (e.g. Social sites)
- Email communication from Microsoft regarding any updates to Microsoft Services Agreement.
Data Consumption
By default, Mail only downloads one month of email (up from 2 weeks in Windows 8.0). This is user configurable and can potentially download the user’s entire mailbox. For Exchange ActiveSync accounts, all contacts are downloaded and calendar events are downloaded only for three months behind the current date and 18 months ahead.
Additionally, messages can be only partially downloaded to reduce bandwidth use as follows:
Content | On unmetered networks | On metered networks |
---|---|---|
Message bodies | Truncated to the first 100KB or 20KB depending on folder and device conditions | Truncated to the first 20KB. For more details see Engineering Windows 8 for mobile networks. |
Attachments | Some attachments are downloaded automatically when device conditions allow. Attachments for messages in junk folder are not downloaded automatically. |
Never downloaded automatically. |
Embedded images in email messages are downloaded on-demand as the user reads them, and attachments which are not downloaded can be downloaded on-demand as the user attempts to open them.
Mail downloads all folders for an account. Users can configure the period of email which is downloaded to adjust the size of data for an account. Mail does not enforce any limits on number and size of attachments users can send.
Automatic Replies
Mail allows users to view and set their automatic reply messages (aka Out of Office or OOF messages). There is a visual indication when auto-reply is enabled. Users can view and set automatic reply plain text content. For corporate accounts, separate internal and external auto-reply messages are supported.
There is no date/time support for specifying start or end time for automatic replies.
Enterprise Connectivity
Authenticated Proxies
The communications applications can connect over LAN or WiFi connections via authenticated proxies which use standard authentication methods including: NTLM, Digest, Negotiate, and Basic authentication.
Any user credentials entered can be cached for the session, or remembered persistently.
Self-Signed Certificates
The communications applications warn the user with a prompt providing an option to connect anyway when trying to connect to services with common service certificate issues. See Self-Signed Certificates in Limitations below for details and recommendations.
Limitations
The following features are currently not supported by Mail:
-
Direct mailbox connections using POP: Only EAS and IMAP protocols are supported.
Note This does not mean that Windows 8.1 does not support POP. This post is about the Mail app. See Using email accounts over POP on Windows 8.1 and Windows RT 8.1 for workarounds.
-
Opaque-Signed and Encrypted S/MIME messages When S/MIME messages are received in Mail, it displays an email item with a message body that begins with “This encrypted message can’t be displayed.”
To view email items in the S/MIME format, users must open the message using Outlook Web App, Microsoft Outlook, or another email program that supports S/MIME messages. For more information, see Opaque-Signed and Encrypted S/MIME Message on MSDN.
Self-Signed Certificates in Windows Mail 8.1
Users may experience connectivity errors when trying to connect to an Exchange server that uses a self-signed certificate or a certificate with other common issues. The user may receive the following error message.
There’s a problem with a server’s security certificate. It might not be safe to connect to the server because… <details>.
You can use one of the following options to resolve this issue.
To resolve issue with self-signed certificates… | Use this option if… |
---|---|
Install a certificate signed by a trusted certification authority (CA) on the server |
|
Install the server’s self-signed certificate on the device |
|
Instruct users to ignore common certificate issues |
|
At the prompt, users can connect anyway to ignore common service certificate issues such as self-signed certificates, allowing the communications applications to use an encrypted connection to the email service with the certificate issue. If users choose to connect anyway and ignore the service certificate issues, their selection will be remembered, (can be viewed and changed any time via Settings for account).
We recommend that users select Cancel when they receive a certificate-related error and contact the administrator to fix the issue (option 1).
See Digital Certificates and SSL for more information.
Install a server’s self-signed certificate on the device
This enables Exchange to work for Windows 8.1 devices that have the certificate installed.
Note The administrator must provide a certificate file (.cer). The certificate can be installed to the trusted root certificate authority store for either of the following options:
- For the current user This option does not require admin rights but must be completed for each user on the device.
- For the local device This option requires administrator rights and needs to be done only one time for a device.
The user or the system administrator can use the .cer file to install the certificate. To do this, use one of the following methods:
-
Use the command-line
At an elevated command prompt, run the following command:
certutil.exe -f -addstore root.cer
NOTE The command installs the certificate for all users on the device.
-
Use the Certificate Import Wizard
- Double-click the certificate file. A certificate dialog opens.
- Click Install Certificate. A Certificate Import Wizard window opens.
- Select the option to install the certificate for only the current user or for the local device.
- Select Place all certificates in the following store
- Click Browse to open the store selection dialog. Select Trusted Root Certification Authorities.
- Select the store, and then click Ok. You are returned to Certificate Import Wizard dialog, and the certificate store and certificate to be installed into that store are displayed.
Troubleshooting Mail Client Connectivity
If a Mail user can't successfully connect to an account, consider the following:
- Verify that the user is using the latest version of the Mail app. A user can check for updates to the Mail app by doing the following: from the Start screen, go to Store > Settings > App updates > Check for updates.
- To rule out any transient issues, the user can wait a few minutes and try again.
- Some cloud-based email services (for example, Microsoft Office 365) require that the user register their account before they can use email clients such as Mail. Office 365 users register their account when they sign in to the service for the first time. If the user is not an Office 365 user, the user registers their account when they sign in to their account using their Microsoft account or sign in to Outlook Web App. The user must sign out of Outlook Web App before they try to connect using Mail again.
TIP The user will see the following message if they haven't registered their account: “We couldn’t find the settings for. Provide us with more info and we’ll try connecting again.”
What else do I need to know?
- Set up your Office 365 or Exchange-based email in Windows 8 Mail
- Mail app for Windows: FAQs
- 2784275 How to configure an Exchange account and how to troubleshoot Exchange account connectivity issues in the Mail app in Windows 8 and Windows RT
- 2792112 80070057 error, and Windows Phone 8 cannot sync with Microsoft Exchange
- 2464593 Error 85010013, 8600C2B, or 86000C29 when you try to synchronize a Windows Phone-based device to an Exchange server
- You may also find Building the Mail app and Right from the Start: Delivering the best email experience on any tablet with Windows 8.1 on the Building Windows 8 blog of interest.
Updates
- 10/21/2013: Added note about Windows 8.x picture passwords and Exchange ActiveSync policies.
- 10/21/2013: Added link to Using email accounts over POP on Windows 8.1 and Windows RT 8.1.