Enable users without local admin to configure Windows 8.1 Mail App through EAS

Posted: June 16, 2014 in Uncategorized

As an addition to an excellent blog post on how to support the Windows 8.1 Mail App in enterprise environments, my colleague Christiaan Evenhuis and I did some research on which Group Policy settings match the corresponding Exchange ActiveSync (EAS) policies.

The results:

| EAS | AD Group Policy / Local Security policy |
| --- | --- |
| Require alphanumeric password | Password must meet complexity requirements |
| Require encryption on device | BitLocker Drive Encryption \ Operating System Drives (multiple settings). On Enterprise Domain joined clients you should use SCCM to enable encryption |
| Require encryption on storage card | BitLocker Drive Encryption \ Removable Data Drives |
| Allow simple password | Password must meet complexity requirements |
| Number of failed attempts allowed | Interactive logon: Machine account lockout threshold |
| Minimum password length | Minimum password length |
| Time without user input before password must be re-entered | Interactive logon: Machine inactivity limit |
| Password expiration (days) | Maximum password age |

 

Make sure the settings in AD are more locked down than the corresponding EAS policies, so that the Windows 8.1 Mail App does not invoke configurations that require local admin permissions. During tests we found out that the Windows Policy provider works on a per-computer basis, so when testing, re-deploy your machine to undo policy settings.
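One way to check a client before rollout, as an added example that is not part of the original post: the script below parses a `secedit` security policy export and reports which of the password-related rows in the table are already covered by the local policy. The sample export and the EAS values are constructed, and the `$eas` key names and both function names are hypothetical.

```powershell
# Constructed sample of the file written by (run elevated):
#   secedit /export /cfg secpol.inf /areas SECURITYPOLICY
$sampleInf = @'
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
MaximumPasswordAge = 60
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs=4,600
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\MaxDevicePasswordFailedAttempts=4,10
'@

# Constructed EAS requirements; key names are hypothetical, fill them from your mailbox policy.
$eas = @{ MinLength = 8; Alphanumeric = $true; MaxAgeDays = 90; LockSecs = 900; FailedAttempts = 8 }

function ConvertFrom-SecPolInf([string]$Text) {
    $values = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*([^=\[]+?)\s*=\s*(.+?)\s*$') {
            $name = @($Matches[1] -split '\\')[-1]   # last component of a registry path
            $raw  = @($Matches[2] -split ',')[-1]    # drop the "4," REG_DWORD type prefix
            $n = 0
            if ([int]::TryParse($raw, [ref]$n)) { $values[$name] = $n }  # skip string values
        }
    }
    $values
}

function Test-EasCoverage([hashtable]$Local, [hashtable]$Eas) {
    # Upper limits pass only when configured (> 0) and no higher than the EAS value.
    function AtMost($have, $want) { ($null -ne $have) -and ($have -gt 0) -and ($have -le $want) }
    $checks = [ordered]@{
        MinimumPasswordLength           = $Local.MinimumPasswordLength -ge $Eas.MinLength
        PasswordComplexity              = (-not $Eas.Alphanumeric) -or ($Local.PasswordComplexity -eq 1)
        MaximumPasswordAge              = AtMost $Local.MaximumPasswordAge $Eas.MaxAgeDays
        InactivityTimeoutSecs           = AtMost $Local.InactivityTimeoutSecs $Eas.LockSecs
        MaxDevicePasswordFailedAttempts = AtMost $Local.MaxDevicePasswordFailedAttempts $Eas.FailedAttempts
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Setting = $name; Local = $Local[$name]; Covered = [bool]$checks[$name] }
    }
}

Test-EasCoverage (ConvertFrom-SecPolInf $sampleInf) $eas | Format-Table -AutoSize
```

With the constructed sample, `MinimumPasswordLength` and `MaxDevicePasswordFailedAttempts` come back with `Covered = False`; those are the settings to tighten in Group Policy.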

Cheers!
