Password requested after adding Metro email account

[Doug]

I have Surface Pro and have been pleasantly surprised.

However I set things up so I didn't have to ogin each time the computer "slept". Screen saver was working. All was good. I have a domain account.

Then I added an account (my domain email) to the Metro email application.

Now after the 15 minutes of no activity goes by the screen save pops in. That is OK, except now I am required to enter my password each time to get at the system.

I want to use the Metro email, but I don't want to enter the password every time.

Doug

 

[machistmo]

Metro pulled in the security settings that are attached to your Domain. Whatever your Domain requires, your Surface now requires.

 

[DOS]

^^ 2nd, this should happen to all computers under that domain. If it's a work environment, there probably isn't anything you can do about it... well, unless you're the Network Admin.

 

[Doug]

Hi,
Thanks for the quick response. The password policy that I understand at the domain level is all being recognized.

If I don't use the Metro Email, everything works properly. If the computer is not active for the 15 minutes, it sleeps. When I try to access the system, the desktop comes back and it does not require a login password. This all works as expected.

It is only when I add the email account the Metro Email application does a problem occur. I leave the computer idle and after the set time it gos into sleep mode as expected. Now however when I enter a key to wake up the Surface, the domain password is required.

So this seems to be directly related to the Metro Email.

This in my mind should not be a domain passwprd policy issue. The domain password policy is related to the password lenghth, complexity, reuse, etc. Not related to computer idle time.

Doug

 

[machistmo]

I say again the domain security policy was pushed to your System. It is working as intended.

 

[machistmo]

The domain security policies are more extensive than just the password complexity. If your company falls under SOX or just follows standard Windows domain security, the behavior you describe is absolutely, 100% working as intended.

If you stopped and read the pop up box when you added the account you would see it telling you that you must allow the domain security policy to be applied to your system if you want to access the account.

Again, working as intended.

 

[Doug]

Ok I hear the "as intended".

I guess I am just dense.

It is OK to have my computer set to be wide open using Windows 8. I can login and have it set so I can walk away and the login screen will not be required.

But if I turn on the Metro Email application, that code will force a login password to be required.

I just want to make sure I understand the security.

Thanks,

doug

 

[machistmo]

Again its a set of policies around security that the device must allow to be changed. The password on wake is standard stuff. The sleep is the part that insures the device is locked if left unattended for 15 minutes. Standard stuff. That's right, when the email is up and the machine is left alone, it will follow the domain security policies to protect that account according to the domain polices that account is governed through. Again, working as intended. Its pretty standard stuff.

and I wish I was in Northern California. God I miss San Ramon!

 

[malberttoo]

Doug,

As a domain admin, I can make it so that if you try to connect your Surface's Mail program to my company, and get your company mail that way, that the domain also forces a set of rules onto your device as well. So BESIDES the password complexity issue (must be a certain length, have certain characters, etc), I can also see to it that if you connect to my email system, I can push certain rules onto your machine that affect it's behavior, such as: when the user is connected to our email system, then force a 10-minutes screen saver time-out, and force them to enter their password every time the screen saver times out. So, if you successfully connect to the email system, then your machine also (in the background) adopts these rules. That's what Machistmo is trying to explain to you.

Your IT people may have had good reasons for adopting these policies, or they may have just been playing around and forgot to undo their changes. You can at least ask, and see if they will relax their rules on this issue.

Otherwise, if you choose to use Mail to connect to your employer's system, you must do so with the knowledge that your Surface may take on some different security characteristics while doing so.

This explanation is a bit simplistic, but I hope it helps.

 

[Doug]

Thanks fr the details.

They always help.

Doug

 

[mervincm]

We have the same approach. As an enterprise, we see your email an as assert we own and are responsible for. As such, we have to make sure that if that email is on a device that is likely to be lost or stolen, it must have meet OUR minimum security standards. One of those standards is that a password is required on boot and on wake from sleep, and that after a minimum idle time of about 15 minutes, an auto lock is engaged. We configure our exchange servers to enforce this. When you connect your device using activesync, there is a little handshake that occurs where the server tells the client that these restrictions must be in place, or you don't get any data. The MS email client, being a good citizen, warns you about the requirement, and if you agree puts those security enhancements in place.

If you don't want those restrictions, you should instead use another connection method (say pop), if supported. Be warned that your email host likely turns the others off to avoid this behaviour.

 

[bkuhn]

Metro pulled in the security settings that are attached to your Domain. Whatever your Domain requires, your Surface now requires.

We have the exact same problem. Our domain (SBS2003) has no group policies set re: screensavers at all.