OffCAT scan alert when Outlook Object Model security is enabled

Symptoms
When you run the Office Configuration Analyzer Tool (OffCAT), the scan that is performed is automatically configured as an Offline scan. An example of this is shown in the following figure.



Also, the following issue is displayed in the report:

Offline scan forced by OffCAT due to group policy value for Outlook object model access
Cause
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

This alert occurs when you have the following data configured in the Windows Registry. This configuration causes Outlook to automatically deny requests from any programs, like OffCAT, that attempt to access Outlook data.

Outlook 2010 and later versions:

Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\x.0\Outlook\Security
DWORD: AdminSecurityMode
Value: 3
And one or both of the following registry keys:

Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\x.0\Outlook\Security
DWORD: PromptOOMAddressInformationAccess
Value: 0

OR

Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\x.0\Outlook\Security
DWORD: PromptOOMAddressBookAccess
Value: 0

Note: In the above registry key path, x.0 corresponds to your version of Outlook (16.0 = Outlook 2016, 15.0 = Outlook 2013, 14.0 = Outlook 2010)

Resolution
If you need to perform a full scan of Outlook using OffCAT, you can temporarily modify the PromptOOMAddressInformationAccess and/or PromptOOMAddressBookAccess registry values to 1. This will cause Outlook to no longer automatically deny requests (from any program, not just OffCAT) to access Outlook data and will instead prompt you to approve the access request. The value of 1 is the default setting for this feature.

The available value data for these registry values is listed below.

0: Automatically deny
1: Prompt user
2: Automatically approve

The above registry data in the Policies hive may be controlled by a Group Policy. The Policy may need to be modified to permanently modify these settings.


Properties

Article ID: 2941697 - Last Review: 01/13/2016 08:33:00 - Revision: 5.0

Outlook 2016, Microsoft Outlook 2013, Microsoft Outlook 2010

  • KB2941697
Feedback