Applies ToOffice 2016 Office 2013 Microsoft 365 Apps for enterprise Microsoft 365 Business Standard Microsoft 365 Business Basic Microsoft 365 Apps for business Windows 10, version 2004, all editions Windows Server version 2004 Windows 10, version 20H2, all editions Windows Server, version 20H2, all editions Windows 10, version 1909, all editions Windows Server version 1909 Windows 10, version 1809, all editions Windows Server version 1809 Windows Server 2019, all editions Windows 10, version 1803, all editions Windows 10, version 1803 (Enterprise, Education, IoT Enterprise) Windows 10, version 1607, all editions Windows Server 2016, all editions Windows 10

Summary

Starting in the May 11, 2021 Windows and Microsoft Office updates, an option to make your applications more secure has been added to allow you to disable remote references in query execution.

Starting in the October 12, 2021 Windows updates, an option is added to log a Windows event when an application attempts to open an external database through a SQL query.

You might need to do this when you allow unprivileged users to run custom SQL queries by using the Jet Red Database Engine or Access Connectivity Engine (ACE).

By default, no changes are made to accessing Jet or ACE by installing these updates. 

More information

Access to remote databases

If you disable using the Jet Red Database Engine or the Access Connectivity Engine (ACE) to access remote databases, you may receive error messages that resemble the following when you run your SQL queries:

  • Microsoft Access: If a user executes a query in Access, the following error message is displayed:

Error message dialog box

Text of error message

Operation is not supported for this type of object

Microsoft Access

Operation is not supported for this type of object.

  • Microsoft Access: If a user executes code that runs a query, a run-time error 3251 is displayed, unless the error message is handled in code:

Error message dialog box

Text of error message

Run-time error 3251

Microsoft Visual Basic for Applications

Run-time error '3251'

Operation is not supported for this type of object.

Warning: If you choose to re-enable the following registry values after disabling them, it might make your device vulnerable to attack by a malicious user or malicious software. We do not recommend that you re-enable these registry values after they are disabled. However, we are providing this information so that you can choose to implement this at your own discretion. Use this at your own risk.

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Auditing of remote database access attempts

Note: Auditing is only available for Jet Red Database Engine at this time.

Auditing is added in Event viewer that logs a Windows event under "Application and Service logs'\Microsoft\Windows\JetRed."

By default, auditing is enabled and controlled through a new DWORD AllowQueryRemoteTables_Audit in which 1 enables auditing, and 0 disables auditing.

If this feature is enabled, the Windows event "level" is "Informational" and the "message" is "External Database open attempted."

If this feature is disabled, then the "level" is "Error" and the "message" is "External Database open attempt blocked."

The Details tab for the event will contain both the path to the external database and the executable as shown in the following example:

  • EventData Database Path: C:\PathToMyDb\myDatabase.mdbExecutable: C:\PathtoMyApplication\myApplication.exe

Jet Red Database Engine

To disable using the Jet Red Database Engine to access a remote database, add the following to the registry:

For x64-based devices:

  • Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Jet\4.0\EnginesDWORD name: AllowQueryRemoteTablesValue data: 0

For x86-based devices:

  • Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\EnginesDWORD name: AllowQueryRemoteTablesValue data: 0

Note To re-enable the Jet Red Database Engine to access a remote database, change Value data to 1.

To disable auditing when the Jet Red Database Engine attempts to access a remote database, add the AllowQueryRemoteTables_Audit DWORD to the registry:

For x64-based devices:

  • Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Jet\4.0\EnginesDWORD name: AllowQueryRemoteTables_AuditValue data: 0

For x86-based devices:

  • Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\EnginesDWORD name: AllowQueryRemoteTables_AuditValue data: 0

Note To re-enable the Jet Red Database Engine to audit access attempts to a remote database, change Value data to 1.

Access Connectivity Engine (ACE)

To disable using the Access Connectivity Engine (ACE) to access a remote database, add the following DWord and value to the registry as indicated in the following table:

  • DWORD name: AllowQueryRemoteTables

  • Value data: 0

Installation Type

Office Version

OS Bitness

Office Bitness

Registry Path

C2R

365 / 2019 / 2016

x64

x64

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ ClickToRun\REGISTRY\MACHINE\Software\Microsoft\ Office\16.0\Access Connectivity Engine\Engines

C2R

365 / 2019 / 2016

x86

x86

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\ 16.0\Access Connectivity Engine\Engines

C2R

365 / 2019 / 2016

x64

x86

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\ Microsoft\Office\16.0\Access Connectivity Engine\Engines

C2R

2013

x64

x64

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\ 15.0\Access Connectivity Engine\Engines

C2R

2013

x86

x86

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\ 15.0\Access Connectivity Engine\Engines

C2R

2013

x64

x86

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\ Microsoft\Office\15.0\Access Connectivity Engine\Engines

MSI

2016

x64

x64

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\ AccessConnectivity Engine\Engines

MSI

2016

x86

x86

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\ AccessConnectivity Engine\Engines

MSI

2016

x64

x86

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ Microsoft\Office\16.0\Access Connectivity Engine\Engines

MSI

2013

x64

x64

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\ AccessConnectivity Engine\Engines

MSI

2013

x86

x86

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\ AccessConnectivity Engine\Engines

MSI

2013

x64

x86

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ Microsoft\Office\15.0\Access Connectivity Engine\Engines

Note To re-enable the Access Connectivity Engine (ACE) to access a remote database, change Value data to 1.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.