Outlook Programmatic Access in Office 365 Pro Plus & RDS 2019

kenneth patterson 1 Reputation point
2021-05-26T18:28:16.84+00:00

I see this thread is discussed many times and I have read through most every one of the current documented cases but I still cannot find an answer to my issue. Hopefully I'm just missing something small to get this issue resolved. I have a customer with a 2012 DC and a 2019 RDS that runs Office 365 Pro Plus. Multiple email accounts are being used off of the RDS box but only one per user profile. Most users don't use these email accounts for their personal/business use. These email accounts are a mixture of 365, POP and IMAP accounts. My customer has written VBA scripts that send Excel data using Outlook behind the scenes for each profile. The users are being prompted with the Programmatic Access security warning when the email kicks off to send the data. I can run Outlook in admin mode, change the Programmatic Access option not to prompt and this works for a while until something unknown (maybe Windows updates) happens, then the settings go back to prompting. The last time the script had sent 6 emails over a period of 6 days then it changed back. There is current Avast antivirus software running on the RDS box but according to previous documentation I see that Windows Security Center doesn't recognize antivirus software on Windows server operating systems.

I need to find a way to eliminate the prompting during the send for ALL/ANY user(s). We understand the risks by turning off Programmatic Access but need it turned off for now. I've added registry settings also under the admin account but these don't replicate when a general user logs into the server. I've attached several screenshots of how the environment looks in admin mode and in general user mode along with Outlook version information.

100001-adminoutlooksettings.jpg

Above is what Outlook settings look like logged into the RDS as Admin to the domain. All are greyed out and not changeable and nothing selected.

99899-adminregsettings.jpg

Above is what the Programmatic Access registry settings look like logged into the RDS as Admin on the domain.

99947-bkoutlooksettings.jpg

Above is what Outlook settings look like logged into the RDS as a standard user to the domain. All are greyed out but "Warn Me" is selected.

99966-bkregsettings.jpg

Above is what the Programmatic Access registry settings look like logged into the RDS as a standard user on the domain. One thing that is odd here is that the version here states 14.0 and the version when logged into the RDS as administrator shows 16.0. There is only one version and there has only been one version ever installed here on the server. Not sure why Microsoft would indicate two different versions.

99948-outlookversion.jpg

Above is current Outlook version information.

  1. kenneth patterson 1 Reputation point
    2021-06-01T22:56:43.383+00:00

    So, more details after doing a little more investigation.

    1. Logged in as administrator to the domain, opened regedit and removed the following three keys, rebooted, logged back in as administrator to the domain, opened Outlook as administrator and I was able to change the Programmatic access option to "Never Warn me":

    [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook\Security]
    "promptoomaddressinformationaccess"=dword:00000002
    "promptoomaddressbookaccess"=dword:00000002
    "AdminSecurityMode"=dword:00000003

    2. Logged out as administrator on the system and logged in as standard user, opened Outlook (without running as administrator), checked the Programmatic access setting and it was set to "Never Warn Me" but greyed out.

    I've left the settings like this for now and will notify the actual users in the morning to try their normal routines and see how long the settings stay as they are now.


  2. Andy YOU 3,076 Reputation points
    2021-06-06T10:45:37.417+00:00

    Hi kennethpatterson-4715,

    Thank you for posting further information.

    “One thing that is odd here is that the version here states 14.0 and the version when logged into the RDS as administrator shows 16.0”
    "Question #6. The policy settings for a new user with or without an email account setup looks like the image below."

    1. From the above information, I think that you are using Office 2010 (version 14.0) administrative template files (ADM, ADMX/ADML) and applying the Office 2010 Administrative Template policy to end users for Office 365 Pro Plus.

    I tested this Office 2010 Administrative Template in my lab, and some policy items were missing, as shown below.
    I think it will affect your current version of Outlook.
    For example, the items below are missing:
    Configure simple MAPI name resolution prompt
    Configure simple MAPI message opening prompt
    Configure simple MAPI sending prompt

    102762-221.png

    The picture for Office 2010 Administrative Template applied
    102793-231.png

    2. I think we can use the "Microsoft 365 Apps for enterprise, Office 2019, and Office 2016" administrative template files (ADM/ADMX/ADML) below, then apply the same policies to our testing accounts for the problematic Outlook.

    102803-201.png

    102794-211.png

    Administrative Template files (ADMX/ADML) and Office Customization Tool for Microsoft 365 Apps for enterprise, Office 2019, and Office 2016 download link
    https://www.microsoft.com/en-us/download/details.aspx?id=49030

    Install Administrative Template files for Microsoft Office
    https://www.alitajran.com/install-administrative-template-files-for-microsoft-office/

    Create Central Store for Group Policy Administrative Templates
    https://www.alitajran.com/create-central-store-group-policy-for-administrative-templates/

    How to disable Programmatic Access in Group Policy for a user
    https://social.technet.microsoft.com/Forums/office/en-US/c80ed8ee-5faa-4489-b865-d8362989fbfe/how-to-disable-programmatic-access-in-group-policy-for-a-user


  3. kenneth patterson 1 Reputation point
    2021-06-08T16:29:40.68+00:00

    Okay I logged in as one of the standard users and recognized what you had pointed out. The client has a Citrix server also with Office 2010 and those policies were applied to the Citrix server and the users that were logging in there. This is what I found. I'll find a way to eliminate these for the new RDS box and see how it changes things and post it soon.

    103534-image.png


  4. Saidovic 11 Reputation points
    2023-07-11T17:39:32.1266667+00:00

    Try these settings; they work for me:

    Note: in my case, I am using O365 PP 32 bit on Win 10 64 bit. Maybe the registry key path will be different if you use O365 PP 64 bit on OS 64 bit:

    Computer Configuration (Enabled)
    Preferences/Windows Settings/Registry
    
    Hive          HKEY_LOCAL_MACHINE 
    Key path      SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\Outlook\Security 
    Value name    ObjectModelGuard 
    Value type    REG_DWORD 
    Value data    0x2 (2) 
    
    User Configuration (Enabled)
    Administrative Templates/Microsoft Outlook 2016/Security/Security Form Settings
    Policy: Outlook Security Mode >> Enabled  
                           Outlook Security Policy: Outlook Default Security 
    
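
To see which of the registry values named in the answers above are actually set in a given session, and to catch the moment they change, a read-only audit like the following can be run at logon or on a schedule. It is an added example, not code from any poster in this thread; the 14.0 policy path and the CSV location are assumptions.

```powershell
# Added example (not from the thread): read-only audit of the Outlook security
# values named in the answers above. Run it in the affected user's session so
# that HKCU resolves to that user's hive.
$oomNames = 'AdminSecurityMode', 'promptoomaddressinformationaccess',
            'promptoomaddressbookaccess', 'ObjectModelGuard'

$keys = @(
    # Policy key quoted in answer 1
    'HKCU:\SOFTWARE\Policies\Microsoft\office\16.0\outlook\Security'
    # Assumption: Office 2010 templates write the same key under 14.0
    'HKCU:\SOFTWARE\Policies\Microsoft\office\14.0\outlook\Security'
    # Click-to-Run key from answer 4 (32-bit Office on 64-bit Windows)
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\Outlook\Security'
)

function Get-OutlookGuardAudit {
    param([string[]]$Path = $keys, [string[]]$Name = $oomNames)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }   # key not present
        $props = Get-ItemProperty -LiteralPath $p
        foreach ($n in $Name) {
            $v = $props.$n
            if ($null -eq $v) { continue }                   # value not set
            $note = ''
            if ($p -like '*\14.0\*') { $note = 'Office 2010 policy key on a 16.0 install' }
            elseif ($n -ne 'AdminSecurityMode' -and $v -eq 2) { $note = 'prompt suppressed' }
            [pscustomobject]@{
                Time  = Get-Date -Format s
                User  = "$env:USERDOMAIN\$env:USERNAME"
                Key   = $p
                Name  = $n
                Value = $v
                Note  = $note
            }
        }
    }
}

# Append each run to a per-user CSV (path is a placeholder) so a change in the
# values, like the one reported in answer 5, shows up with a timestamp.
Get-OutlookGuardAudit |
    Export-Csv -Path "$env:TEMP\outlook-guard-audit.csv" -Append -NoTypeInformation
```

Comparing the CSV rows from a run where the prompt stayed away with a run where it came back shows whether a policy refresh rewrote one of these values or whether the keys were unchanged.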

  5. Scott Miller 0 Reputation points
    2024-10-24T15:31:40.9466667+00:00

    The registry key change doesn't work.

    I've got it set to 2. It will change on its own.

    I've got several routines that send emails about 2 minutes apart. Watching it run, I've seen the email send without a prompt and two minutes later the next one warns and I have to hit 'Allow'.

    The weirdest part of this is that it will work flawlessly for 2 months straight then I'll have problems for a week.
