Supporting Windows Mail 8.1 in your organization

Published Oct 18 2013 12:35 PM 146K Views

Windows 8.1 and Windows RT include a built-in email app named Windows Mail. Mail includes support for IMAP and Exchange ActiveSync (EAS) accounts.

This article includes some key technical details of Windows Mail in Windows 8.1. (See Supporting Windows 8 Mail in your organization for Windows 8.0.) Use the information to help you support the use of Mail in your organization. Read this article start to finish, or jump to the topic that interests you. Use the reference links throughout the article for more information.

NOTE Mail, Calendar, and People apps run on Windows 8.1 and Windows RT. Although this article discusses the Mail app, please note that much of the information in this article also applies to the Calendar, and People apps. When connected to a server that supports Exchange ActiveSync, the Calendar, and People apps may also display data that was downloaded over the Exchange ActiveSync connection.

Protocol Support

Mail lets users connect to any service provider that supports either of the following two protocols:

ProtocolProtocol versions & standardsFunctionality

Exchange ActiveSync (EAS)

  • EAS 2.5
  • EAS 12.0
  • EAS 12.1
  • EAS 14.0
  • EAS 14.1
  • Send and receive email
  • Sync email, contacts & calendar
  • ActiveSync Policies
  • Remote Wipe


  • Send and receive email only
  • Contacts and calendar data not synchronized
  • Microsoft Exchange does not support Public Folders via IMAP. See IMAP support in Exchange 2013.

Post Office Protocol (POP) is not supported.

NOTE All Windows Communications apps (Mail, Calendar, and People) can use the data that is synchronized using Exchange ActiveSync. After a user connects to their account in the Mail app, their contacts and calendar data is available in the other Windows Communications Apps and vice versa.

Sync Configuration

Mail can be configured to synchronize data at different times as follows:

  • Push email (default)
  • Polling at fixed intervals
  • Manually

If a push email connection can’t be established, it will automatically switch to poll at fixed intervals.

Push Email

Push email requires that accounts are either Exchange ActiveSync (which all support Push) or IMAP with the IDLE extension. Not all IMAP servers support IDLE, and it is supported only for the Inbox folder.

When a push connection can’t be established, Mail will change to polling on 30 minute intervals. Push email on Exchange ActiveSync requires that HTTP connections must be maintained for up to 60 minutes, and IMAP IDLE requires TCP connections to be maintained for up to 30 minutes.

Account Setup Features

Windows 8.1 and Windows RT users can add email accounts to Mail using the Settings charm. The Settings charm is always available on the right side of the Windows 8.1 and Windows RT screen. (For more visual details about Charms & the Windows 8.1 user interface, see Search, share, print & more.)

NOTE This section provides an overview of account setup in Mail. For step-by-step procedures for setting up an account, see What else do I need to know? at the end of this guide.

To make it as easy as possible to add accounts, account setup only prompts the user to enter the email address and password for the account they want to set up. From that data, Mail attempts to automatically configure the account as follows:

  1. The domain portion of the email address is matched against a database of well-known service providers (such as If it’s a match, its settings are automatically configured.
  2. The domain portion of the email address is used to discover the user's email settings using the Autodiscover.
  3. If automatic configuration fails, the user is prompted for additional details such as an email server name and domain name.

Add an Exchange ActiveSync account

Screenshot: Exchange ActiveSync configuration in Windows Mail
Figure 1: Exchange ActiveSync (EAS) configuration in Windows Mail

If automatic configuration fails, the following additional information is required to connect to a server via Exchange ActiveSync:

  • Server address
  • Domain
  • Username

Add an IMAP/SMTP account

Screenshot: IMAP/SMTP configuration in Windows Mail
Figure 2: IMAP/SMTP configuration in Windows Mail

The information required to connect to a server via IMAP/SMTP is:

  • Email address
  • Username
  • Password
  • IMAP email server
  • IMAP SSL (if your IMAP server requires SSL encryption)
  • IMAP port
  • SMTP email server
  • SMTP SSL (if your SMTP server requires SSL encryption)
  • SMTP port
  • Whether SMTP server requires authentication
  • Whether SMTP uses the same credentials as IMAP (If not, user must also provide SMTP credentials)

Security Features

Mail provides administrators with some level of security through Exchange ActiveSync policies (Mobile Device Mailbox Policies in Exchange 2013). It doesn’t support any means of managing or securing PCs that are connected via IMAP. EAS includes support for certificate-based authentication and remote wipe.

Exchange ActiveSync Policy Support

Exchange ActiveSync devices can be managed using Exchange ActiveSync policies. Mail supports the following EAS policies. :

  • Password required
  • Allow simple password
  • Minimum password length (to a maximum of 8 characters)
  • Number of complex characters in password (to a maximum of 2 characters)
  • Password history
  • Password expiration
  • Device encryption required (on Windows RT and editions of Windows that support BitLocker. See What's New in BitLocker for details about BitLocker improvements in Windows 8.1.)
  • Maximum number of failed attempts to unlock device
  • Maximum time of inactivity before locking

Important If AllowNonProvisionableDevices is set to false in an EAS policy and the policy contains settings that are not part of this list, the device won’t be able to connect to the Exchange server.

Getting into Compliance

Most of the policies listed above can be automatically enabled by Mail, but there are certain cases where the user has to take action first. These are:

  • Server requires device encryption:
    • User has a device that supports BitLocker but BitLocker isn’t enabled. User must manually enable BitLocker.
    • User has a Windows RT device that supports device encryption but it is suspended. User must reboot.
    • User has a Windows RT device that supports device encryption, but it isn’t enabled. User must sign into Windows with a Microsoft account.
  • An admin on this PC doesn’t have a strong password: All admin accounts must have a strong password before continuing.
  • The user’s account doesn’t have a strong password: User must set a strong password before continuing.

Windows 8 Picture Passwords and ActiveSync Policy

If a Windows 8.x user uses a picture password and Exchange ActiveSync policy requires a password, the user will still need to create and enter a password in accordance with the policy.

ActiveSync Policy v/s Group Policy on domain-joined Windows 8.1 devices

If a Windows 8.1 PC is joined to an Active Directory domain and controlled by Group Policy, there may be conflicting policy settings between Group Policy and an Exchange ActiveSync policy. In the event of any conflict, the strictest rule in either policy takes precedence. The only exception is password complexity rules for domain accounts. Group policy rules for password complexity (length, expiry, history, number of complex characters) take precedence over Exchange ActiveSync policies – even if group policy rules for password complexity are less strict than Exchange ActiveSync rules, the domain account will be deemed in compliance with Exchange ActiveSync policy.

Certificate-Based Authentication

Communications applications can connect to a corporate Exchange service configured to require certificate-based authentication. User authentication certificates can be provisioned to Windows 8.1 devices by administrators or end-users can browse to certificate and install to user certificate storage.

User can add and connect an email account using a certificate. (For account setup, password entry is required per standard account setup.) User may be prompted to give the Mail application permission to access their user certificate, and should accept the prompt to enable certificate usage. In cases where multiple certificates are available, the user can go to account Settings to select the desired certificate.

Non-PIN protected software certificates are supported.

Remote Wipe

Mail supports the Exchange ActiveSync remote wipe directive, but unlike Windows Phone (which deletes all data on the device), Mail scopes the data deleted to the specified Exchange ActiveSync account for which the remote wipe command is issued. The user's personal data is not deleted. Additionally, attachments saved from that account are made inaccessible.

For example, if a user has an account for personal use and a account for work use, a remote wipe directive from the server would impact Windows 8.1 and Windows Phone 7 as follows:

DataWindows Phone 7Windows 8.1 Mail email Deleted Deleted contacts Deleted Deleted calendars Deleted Deleted attachments Deleted Not deleted, but not accessible email Deleted Not deleted contacts Deleted Not deleted calendars Deleted Not deleted attachments Deleted Not deleted
Other documents, files, pictures, etc. Deleted Not deleted

Account Roaming

To make it as easy as possible for users to have all of their accounts set up on all of their devices, Windows 8.1 uploads vital account information to the user’s Microsoft account. This information includes email address, server, server settings, and password. When a user signs into a new PC with their Microsoft account, their email accounts are automatically set up for them.

Passwords are not uploaded from a PC for any accounts which are controlled by any Exchange ActiveSync policies. Users will have to enter their password to begin syncing a policy-controlled account on a new PC.

If using client certificate authentication, the client certificate, and the certificate selection for an account will not be roamed. Users will have to select their desired client certificate to begin syncing a client certificate account on a new PC.

Microsoft Accounts

By default, users are required to have a Microsoft account, formerly known as Windows Live ID, to use the Windows Communications apps. This will usually be the Microsoft account that the user is signed into Windows with, but if they have not done so, they will be prompted to provide one before proceeding.

If the Microsoft account is…Mail will… or Hotmail account Automatically sync email, Calendar and Contacts using Exchange ActiveSync
Not an or Hotmail account
(for example,
Prompt the user to provide password for their email account

Can my organization remove the requirement for a Microsoft account?

You can apply a Group Policy to a device to make a Microsoft Account optional for the Windows Communications apps.

Note, the Group Policy setting is configured in Computer Configuration node in the Group Policy and applies to all users of the computer/device to which it's applied. The policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. Windows RT devices can use Local Group Policy.

To apply the Group Policy setting:

  1. Launch GPEdit by opening the “run” prompt (Windows key + r), and entering GPEdit.msc
  2. Go to Computer Configuration > Administrative Templates > Windows Components > App runtime
  3. Select Allow Microsoft accounts to be optional to configure the policy

If the Group Policy is applied and a Microsoft account is not used, the Communications apps will:

  1. Prompt the user for a work account (i.e. an Exchange ActiveSync account) password
  2. If account credentials are provided, use Exchange ActiveSync to synchronize email, Contacts and Calendar from the work account

A user can add additional accounts if desired. You can use corporate firewalls or other mechanisms to block access to any consumer email services as needed.

The following functionality will be unavailable to a user without a Microsoft Account:

  • Windows Store Application Installs
  • Account Settings roaming to additional devices
  • Connectivity to additional 3rd party services (e.g. Social sites)
  • Email communication from Microsoft regarding any updates to Microsoft Services Agreement.

Data Consumption

By default, Mail only downloads one month of email (up from 2 weeks in Windows 8.0). This is user configurable and can potentially download the user’s entire mailbox. For Exchange ActiveSync accounts, all contacts are downloaded and calendar events are downloaded only for three months behind the current date and 18 months ahead.

Additionally, messages can be only partially downloaded to reduce bandwidth use as follows:

ContentOn unmetered networksOn metered networks
Message bodies Truncated to the first 100KB or 20KB depending on folder and device conditions Truncated to the first 20KB. For more details see Engineering Windows 8 for mobile networks.
Attachments Some attachments are downloaded automatically when device conditions allow.
Attachments for messages in junk folder are not downloaded automatically.
Never downloaded automatically.

Embedded images in email messages are downloaded on-demand as the user reads them, and attachments which are not downloaded can be downloaded on-demand as the user attempts to open them.

Mail downloads all folders for an account. Users can configure the period of email which is downloaded to adjust the size of data for an account. Mail does not enforce any limits on number and size of attachments users can send.

Automatic Replies

Mail allows users to view and set their automatic reply messages (aka Out of Office or OOF messages). There is a visual indication when auto-reply is enabled. Users can view and set automatic reply plain text content. For corporate accounts, separate internal and external auto-reply messages are supported.

There is no date/time support for specifying start or end time for automatic replies.

Enterprise Connectivity

Authenticated Proxies

The communications applications can connect over LAN or WiFi connections via authenticated proxies which use standard authentication methods including: NTLM, Digest, Negotiate, and Basic authentication.

Any user credentials entered can be cached for the session, or remembered persistently.

Self-Signed Certificates

The communications applications warn the user with a prompt providing an option to connect anyway when trying to connect to services with common service certificate issues. See Self-Signed Certificates in Limitations below for details and recommendations.


The following features are currently not supported by Mail:

  • Direct mailbox connections using POP: Only EAS and IMAP protocols are supported.

    Note This does not mean that Windows 8.1 does not support POP. This post is about the Mail app. See Using email accounts over POP on Windows 8.1 and Windows RT 8.1 for workarounds.

  • Opaque-Signed and Encrypted S/MIME messages When S/MIME messages are received in Mail, it displays an email item with a message body that begins with “This encrypted message can’t be displayed.”

    To view email items in the S/MIME format, users must open the message using Outlook Web App, Microsoft Outlook, or another email program that supports S/MIME messages. For more information, see Opaque-Signed and Encrypted S/MIME Message on MSDN.

Self-Signed Certificates in Windows Mail 8.1

Users may experience connectivity errors when trying to connect to an Exchange server that uses a self-signed certificate or a certificate with other common issues. The user may receive the following error message.

There’s a problem with a server’s security certificate. It might not be safe to connect to the server because… <details>.

You can use one of the following options to resolve this issue.

To resolve issue with self-signed certificates…Use this option if…
Install a certificate signed by a trusted certification authority (CA) on the server
  • You want Exchange to work for all clients without prompting
  • You do not want your users to ignore or bypass certificate-related errors
  • You want to avoid installing a self-signed certificate or a certificate signed by an untrusted CA on all devices
Install the server’s self-signed certificate on the device
  • You want to save the cost of a certificate signed by a trusted CA
  • You want Exchange to work from Windows 8.1 devices that have the self-signed certificate installed.
Instruct users to ignore common certificate issues
  • You want to avoid the cost of a CA-signed certificate or do not want to install the server’s self-signed certificate on all devices
  • Users are knowledgeable about certificate-related errors

At the prompt, users can connect anyway to ignore common service certificate issues such as self-signed certificates, allowing the communications applications to use an encrypted connection to the email service with the certificate issue. If users choose to connect anyway and ignore the service certificate issues, their selection will be remembered, (can be viewed and changed any time via Settings for account).

We recommend that users select Cancel when they receive a certificate-related error and contact the administrator to fix the issue (option 1).

See Digital Certificates and SSL for more information.

Install a server’s self-signed certificate on the device

This enables Exchange to work for Windows 8.1 devices that have the certificate installed.

Note The administrator must provide a certificate file (.cer). The certificate can be installed to the trusted root certificate authority store for either of the following options:

  • For the current user This option does not require admin rights but must be completed for each user on the device.
  • For the local device This option requires administrator rights and needs to be done only one time for a device.

The user or the system administrator can use the .cer file to install the certificate. To do this, use one of the following methods:

  • Use the command-line

    At an elevated command prompt, run the following command:

    certutil.exe -f -addstore root.cer

    NOTE The command installs the certificate for all users on the device.

  • Use the Certificate Import Wizard

    1. Double-click the certificate file. A certificate dialog opens.
    2. Click Install Certificate. A Certificate Import Wizard window opens.
    3. Select the option to install the certificate for only the current user or for the local device.
    4. Select Place all certificates in the following store
    5. Click Browse to open the store selection dialog. Select Trusted Root Certification Authorities.
    6. Select the store, and then click Ok. You are returned to Certificate Import Wizard dialog, and the certificate store and certificate to be installed into that store are displayed.

Troubleshooting Mail Client Connectivity

If a Mail user can't successfully connect to an account, consider the following:

  • Verify that the user is using the latest version of the Mail app. A user can check for updates to the Mail app by doing the following: from the Start screen, go to Store > Settings > App updates > Check for updates.
  • To rule out any transient issues, the user can wait a few minutes and try again.
  • Some cloud-based email services (for example, Microsoft Office 365) require that the user register their account before they can use email clients such as Mail. Office 365 users register their account when they sign in to the service for the first time. If the user is not an Office 365 user, the user registers their account when they sign in to their account using their Microsoft account or sign in to Outlook Web App. The user must sign out of Outlook Web App before they try to connect using Mail again.

TIP The user will see the following message if they haven't registered their account: “We couldn’t find the settings for. Provide us with more info and we’ll try connecting again.”

What else do I need to know?


Not applicable
Any update on this issue

Not applicable


Not applicable

Very interesting!

#Shameless Blog Plug: But if for whatever reason you need to block the Windows 8 Mail app in Exchange 2010 & 2013 or Office 365, check my blog post on this:

Not applicable

Which other app supports Allow Microsoft accounts to be optional policy?

Not applicable

@Miha: That would be a question for the app developer or team. The app details in Windows Store may include this information.

Not applicable

What about Picture Password and the Mail App? Exchange Mobile Device Policies to block or allow Picture Password?

Not applicable

@Stive: Windows 8.* Picture Passwords are treated the same as fingerprints in iOS7. If users use them, they'll still need to create & enter a password if your mobile device policies require a password. See warning in

Mobile Device Mailbox Policies in Exchange 2013 documentation.

Not applicable

1) Does CBA work with a 3-tier CA?

2) Does CBA work with a 4096 root?

3) When checking the settings in the mail app, it tells me that I have to select a certificate, but does not deliver a choice of certificates. I am using the same certificate on the device as on a Windows Phone / iOS device / Android device for client certificate-based authentication. Any help would be gratefully appreciated..

Not applicable

@CBA not working: The Mail team's looking into it. 1 & 2 should just work if Windows show them as valid certificates. Regarding 3, how many certificates do you have for that user/email on the device?

Not applicable

Hi Bharat Suneja,

I have tried with various amounts of certificates, sometimes just 1 or 2, sometimes 10 or 12, including various types of certificate templates,  

The certificate chain is also OK

The reason for question 1, was that we have a 3-tier, and also somebody else is reporting the same problem over at

The reason for question 2 is that when we use iOS devices, Safari seems to not support 3-tier CAs, or roots above a certain key length.

Not applicable

@CBA not working: Could you email me (bsuneja at microsoft) details of the account's certificates installed on the device so team can dig deper?

From command prompt or PS:

certutil.exe -v -user -store MY > mycerts.txt

This will dump command output to mycerts.txt file which you can attach in email.

Is this limited to a single account/device? Have you tried same account on a different device? Another account on another device?

Not applicable

Email Sent. Tried with 2 different accounts, and 3 different devices. Both accounts working fine with iOS/Android/WP7. TIA.

Not applicable

Certs not working in Windows 8.1 Mail. Certs work fine on everything else. Please post the solution when found.

Not applicable

Well, this is my first visit to your blog! We are a group of volunteers and starting a new initiative in a community in the same niche. Your blog provided us valuable information to work on. You have done a marvellous job! The IEEE Computer Society is the world s premier organization of computing professionals, with rich offerings in publications, standards, certifications, conferences, and more. Website:

Not applicable

@Bharat: My question regarding "Which other app supports Allow Microsoft accounts to be optional policy?" was directed at the built in apps, not 3rd party. Do you perhaps know which support this great feature?

Additionally I applied the "Allow Microsoft accounts to be optional" GPO, I sign in as a regular user, provision the account and get a warning: "Make your Windows user account an administrator".  Do users need to be admins in order to use Mail? Is there perhaps another setting that could be causing this?

Not applicable

Why Windows Mail is introduced ..? IMAP is slowly going away from the market and only required integrate with few applications ...You have already OWA, OA and AS..?

Not applicable

@Rajeev: IMAP was not introduced in Mail in Windows 8.1 - it has been supported since Mail 8 (on Windows 8 RTM). It's still in widespread use (particularly with services that don't support Exchange ActiveSync) and recommended over POP3.

Not applicable

Got it Bharat Suneja, Thank You.

Not applicable

I prefer not to download automatically any external images or attachments. I have set it on preferences, but the app  downloads a portion of images and attachments each time it syncs. How to fix it?

Not applicable

I have windows 8.1 and the updated Mail application.  

No matter what method I try, or account I try to add, I cannot get the mail client to ask for use of a certificate for EAS auth.   It consistently asks for username and password and then just notes that I "may need a certificate to connect this system."

I have a certificate in my user store.  I've verified that and that I have the private key.  I have other applications which work with that certificate.    What am I missing?

Not applicable

I am having the exact same problem, I have spent days trying every certificate integration angle I could think of and every time it does the same thing below. I have confirmed that the ActiveSync server address will prompt for the cert if I enter via the browser so it can see and communicate with the server but the mail app just refuses to prompt.

From JasonH:

I have windows 8.1 and the updated Mail application.  

No matter what method I try, or account I try to add, I cannot get the mail client to ask for use of a certificate for EAS auth.   It consistently asks for username and password and then just notes that I "may need a certificate to connect this system."

I have a certificate in my user store.  I've verified that and that I have the private key.  I have other applications which work with that certificate.    What am I missing?

Not applicable

Folks, thanks for reporting the certificate-based authentication issues. The Mail team is investigating. I will update the post when/if the team has more to share.

We will continue to gather feedback from comments here and respond as required. For help with troubleshooting specific issues in your environment, you can post details in Exchange forums ( or contact Support (

Not applicable

From my testing it appears that if you don't have AllowNonProvisionableDevices checked, the mail app will never sync and continues to complain that the PC can't meet the security requirements.  I unchecked all requirements in the Password tab for my test ActiveSync policy on Exchange 2010, and the app would still not sync, but as soon as I checked AllowNonProvisionableDevices it started to sync.

Anyway to find out what it's complaining about?

Version history
Last update:
‎Jul 01 2019 04:15 PM
Updated by: