Outlook

Hide ‘Do not forward’ in Outlook

If you’ve noticed this option in Outlook, you might wonder where it comes from:

On a new/reply email window in Outlook, under the ‘Options’ tab is a button called ‘Permission’ (which, as of the time of writing, is due to be renamed ‘Security’). By default this has three or four options, which seem to depend on the version of Outlook being run (MSI vs CTR). Click To Run has another called ‘Encrypt-Only’ which I haven’t tested yet.

These options actually use Azure Information Protection (AIP) to encrypt your email. That’s a giant topic in itself, but the one-liner is that whoever you send an encrypted email to needs to sign in to view the message. In some scenarios this works seamlessly, such as sending to an external user also using Exchange Online. In other scenarios they’ll need to click a button to log in and view the email via their browser.

The ‘Tenant name – Confidential’ and ‘Tenant name – Confidential View Only’ are default AIP labels. You can view/edit these by going to your Azure portal and looking under Azure Information Protection > Classifications > Labels. 

As you’ll see in the screenshot above, the two labels I mentioned are listed, and you can go into those and disable them if you don’t want them to appear for your users (there’s a toggle for ‘Enabled’ set to ‘On’, set that to ‘Off’). You could also completely disable Azure Information Protection, but that might cause you other problems if you want to use AIP in any way.

You might be wondering why you’d want to turn these off; encryption and security are good, right? You might not be ready for users to start using this yet for support reasons, you might have a different method of securing emails, or you might be using a 3rd party backup system. That backup system won’t be able to read encrypted emails by default – so unless you can get that working somehow, you will only have copies of emails that contain a link to the actual content, which requires the right access to open – not a true backup.

Getting back to the title of this article – Do Not Forward. If you’re at this stage, you may have noticed that it’s not actually a label listed. As covered in this documentation, it’s inbuilt rather than being a customisable policy, template or tag.

You can turn off this single function in the Azure portal by going to Azure Information Protection > Policies > Policy: Global and toggling ‘Add the Do Not Forward button to the Outlook ribbon’ to Off:

There is a registry trick to disable this from Outlook too, which was given to me by Microsoft Support:

1. Open Registry Editor and go to this key (the version number in the path depends on your Outlook version: 14.0 = 2010, 15.0 = 2013, 16.0 = 2016):
   HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\DRM

2. On the Edit menu, point to New, and then click DWORD (32-bit) Value.

3. Type DisableDNF, and then press ENTER.

4. In the Details pane, right-click DisableDNF, and then click Modify.

5. In the Value data box, type 1, and then click OK.

6. Exit Registry Editor.

This will at least grey out the option so it can’t be used. The option will still be usable in Outlook via Web, and if I find a solution to that I’ll update this post. As far as I know at this stage, it can’t be hidden or removed.
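The same registry change can be scripted per user. This is an added example, not code from the original post or from Microsoft Support; the function name Set-DisableDnf is hypothetical, and it only touches the Office versions listed above that already have a key under HKEY_CURRENT_USER:

```powershell
# Added example: sets the DisableDNF DWORD described in the steps above.
# Version-to-product mapping as given in the post.
$officeVersions = [ordered]@{
    '14.0' = 'Outlook 2010'
    '15.0' = 'Outlook 2013'
    '16.0' = 'Outlook 2016'
}

function Set-DisableDnf {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(0, 1)][int]$Value = 1)

    foreach ($version in $officeVersions.Keys) {
        $officeKey = "HKCU:\Software\Microsoft\Office\$version"
        # Skip Office versions this user profile has never run
        if (-not (Test-Path $officeKey)) { continue }

        $drmKey = Join-Path $officeKey 'Common\DRM'
        if ($PSCmdlet.ShouldProcess($drmKey, "Set DisableDNF = $Value")) {
            # The DRM subkey may not exist yet on a fresh profile
            if (-not (Test-Path $drmKey)) { New-Item -Path $drmKey -Force | Out-Null }
            New-ItemProperty -Path $drmKey -Name 'DisableDNF' `
                -PropertyType DWord -Value $Value -Force | Out-Null
        }

        # Read the value back so the result can be logged or checked
        $current = (Get-ItemProperty -Path $drmKey -Name 'DisableDNF' `
            -ErrorAction SilentlyContinue).DisableDNF
        [pscustomobject]@{
            Product    = $officeVersions[$version]
            Key        = $drmKey
            DisableDNF = $current
        }
    }
}

# Preview only; remove -WhatIf to write the value
Set-DisableDnf -WhatIf
```

Because the key is under HKEY_CURRENT_USER, the script has to run in each user's own context, for example as a logon script.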

Update: It’s possible to hide this in OWA also.

The ‘Encrypt’ or ‘Protect’ button (Right now I see different options in different tenants) can be hidden with this PowerShell command:

Set-IRMConfiguration -SimplifiedClientAccessEnabled $false

Although this hides the option, there’s also a ‘Set Permissions’ menu option in the ellipsis menu that can be hidden with this PowerShell command:

Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -IRMEnabled $false 

Those two together should stop any user being able to encrypt an email themselves via OWA.
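A check that both settings took effect, as an added example rather than code from the original post. It assumes an Exchange Online PowerShell session is already connected, and the function name Test-OwaEncryptHidden is hypothetical:

```powershell
# Added example: reports whether either OWA encryption entry point is still enabled.
function Test-OwaEncryptHidden {
    $findings = @()

    # Controls the 'Encrypt' / 'Protect' button
    if ((Get-IRMConfiguration).SimplifiedClientAccessEnabled) {
        $findings += 'SimplifiedClientAccessEnabled is still $true (Encrypt/Protect button shown)'
    }

    # Controls 'Set Permissions'; check every policy, since a mailbox
    # can be assigned a policy other than the default one
    foreach ($policy in Get-OwaMailboxPolicy) {
        if ($policy.IRMEnabled) {
            $findings += "Policy '$($policy.Name)': IRMEnabled is still `$true (Set Permissions shown)"
        }
    }

    if ($findings.Count -eq 0) {
        Write-Host 'Both settings are off for all OWA mailbox policies.'
    } else {
        $findings | ForEach-Object { Write-Warning $_ }
    }
    return ($findings.Count -eq 0)
}

Test-OwaEncryptHidden
```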

Finally, you could look at completely disabling rights management in all forms in Azure Active Directory, which can be done here:

https://account.activedirectory.windowsazure.com/RmsOnline/Manage.aspx?brandContextID=O365

Users Managing Email Groups and Exchange Online

For a very long time, users have been able to manage email group members via the Outlook client, by going into the Address Book, finding the group in the Global Address List, going into Properties and choosing ‘Modify Members’:

From there, someone can add or remove members as long as they’ve been added to the “Managed By” field against the object in Active Directory, and the box “Manager can update membership list” below it is ticked.

Easy! Except, that no longer works if the user is in Exchange Online, and the Email Group is from on-premises AD rather than Azure AD/Office 365. It’s not supported. This problem has been around for a while; back in 2015 Perficient wrote about this same topic. The options given for managing these groups are:

  • Exchange Admin Center
  • Exchange Management Console
  • Exchange Management Shell

None of those are what you want your standard users touching in my opinion – although you can give someone access to the Exchange Admin Center and only see the distribution groups they own – but for me, I’m still on Exchange 2010 so this isn’t an option.  This leaves you with a few options:

1. Change all your email groups to Cloud based groups. If this makes sense for you, doing this will let the manager of a cloud based group add/remove members via the Outlook Address Book.
You can also look at changing distribution groups over to Office 365 Groups (which are also cloud based), which give a whole bunch of different features beyond what a distribution group can do, while giving the same standard DG experience.

2. Make all requests come through to IT so you can make the changes yourself. Not great for anyone involved, as it’s double/triple handling something where the user could quickly do it themselves.

3. Create Dynamic Distribution Groups and let automation do its thing – which will work for some, but exceptions to rules and the inability to see who’s in a group can make this frustrating for some.

4. Provide another way for staff to change group members themselves.

I’ve gone with option 4 – as I’m a big fan of Adaxes which I’ve written about a few times on my blog before, and they have a nice way of giving users a web interface that only lets staff manage the groups they’re the owner of.

There’s other ways to do this as well of course and other 3rd party solutions that can expose ways of adding/removing members of an on-premises distribution group – but remember there could be up to a half hour delay in syncing the change from AD to AAD via Azure AD Connect. If possible, look at adding a trigger at the end of a group change to do a delta sync:

Start-ADSyncSyncCycle -PolicyType Delta

That’ll be the quickest way to get the change up, as staff may be used to the change working immediately.
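One way to write that trigger so it copes with a sync cycle that is already running, as an added example rather than code from the original post. It assumes it runs on the Azure AD Connect server, where the ADSync module is installed; the function name and the wait values are hypothetical:

```powershell
# Added example: request a delta sync after a group change, waiting out
# any cycle that is already in progress.
function Invoke-DeltaSyncAfterGroupChange {
    param(
        [int]$MaxWaitSeconds = 120,   # assumed limit; tune to your environment
        [int]$PollSeconds    = 10
    )

    Import-Module ADSync -ErrorAction Stop

    # Start-ADSyncSyncCycle fails while another cycle is running,
    # so poll the scheduler until it is idle or the wait limit is hit.
    $deadline = (Get-Date).AddSeconds($MaxWaitSeconds)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) {
            Write-Warning 'A sync cycle is still running; leaving the change for the next scheduled cycle.'
            return $false
        }
        Start-Sleep -Seconds $PollSeconds
    }

    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    return $true
}

Invoke-DeltaSyncAfterGroupChange
```

If the group-management tool runs on a different server, the same function can be called through Invoke-Command against the Azure AD Connect server.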

There’s a lot to consider on how you’ll manage this, so make sure it’s sorted before you migrate – or expect a lot more tickets going through your helpdesk.

Office Support and Recovery Assistant Tool

I was just made aware of this useful tool by Microsoft Support – the Microsoft Support and Recovery Assistant for Office 365 (also known as ‘SaRA’).

Even better, it’s not just for Office 365, other Office products can be scanned using this tool such as Outlook in Office 2010, 2013 and 2016.

The article above has a step by step guide for scanning Outlook for problems. It takes a few minutes to run, but will identify a bunch of possible issues you may have. But, from the results I see, I’d say everyone should run this tool regardless!

For example, my scan came up with this as one of the issues found:

The link goes here which then goes into details about the problem. I had noticed in Outlook 2016 by default, that users had sometimes mentioned they could no longer delete items from mailboxes they only had Inbox access to, and I assumed this was a change in behavior from Outlook 2010. This tells you how to toggle that setting if you’d rather the deleted items go to the other person’s mailbox, which removes the need for the delegate to have access to someone else’s deleted items.

If I’d run this at the start of the Office 2016 deployment during testing, it would have given me a better idea of potential issues that might come up. Here’s another one:

That’s not ideal at all! Again the link goes into more detail and this one seems really important –

Since it was patched in 2010 and 2013, but 2016 needs a registry change to fix it (why would they not just change the registry value in 2016 with an update?). This is something that may never get picked up without running this utility.

I’ve now got some work ahead of me to go through the rest of the issues from my scan, do testing and hopefully improve things. I’ve only looked at the Outlook component so far, and there’s other scans I’ll also need to try. Check it out and hopefully it’ll help you too.

Outlook 2016 Secondary Mailbox Cached Mode

After migrating to Outlook 2016 from 2010, I noticed this inconsistency.

If you use secondary mailboxes in Outlook, you’re probably going to want them in Online Mode rather than Cached Mode. With Cached Mode on, you’ll have an OST file created for each extra mailbox you add, and you’ll hit performance issues if you have over 500 folders over all mailboxes added to the account.

One of the ways to avoid these performance issues is turning off ‘Download shared folders’ in the mailbox settings:

‘Download shared folders’ disabled

This can be done manually, or company wide with the Group Policy setting “Disable shared mail folder caching” found in User Configuration / Administrative Templates / Microsoft Outlook 2016 / Outlook Options / Delegates. Enabling this will disable and grey out the option as per the screenshot above.

However, I was previously doing this through a registry setting ‘CacheOthersMail’ under HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\outlook\cached mode with the value set to 0. This worked on Outlook 2010 fine I believe, but in 2016 it did something slightly strange. Although clicking on a secondary mailbox’s folders showed they were in Online Mode with the status bar status of ‘Online’, the ‘Download shared folders’ tickbox was still enabled. I’ve confirmed this on both CTR and MSI versions of Office 2016.

At first I thought nothing of this, as it seemed to be working as intended. However, after a while I worked out that having it configured this way led to performance issues, and people who had over 500 folders had cases where the inbox would stop updating. Changing the tickbox setting resolved the issue, despite the secondary mailboxes before and after this showing as ‘Online’. I didn’t dig into this any further so I can’t explain what was actually going on, but at a guess it was still doing some sort of sync or connection on each folder despite it being in Online Mode.

My advice is – make sure the ‘Download shared folders’ tickbox is off rather than just checking that the folders show as being ‘Online’. If you really need a secondary mailbox in cached mode but want to disable it by default, you could add it as a separate mailbox account which will have its own cached mode settings.

Outlook 2013 & 2016 Blank Screens and Crashing

Update 2nd May 2018:

Microsoft have just released the LAA patch for the issues below, KB4018376 for Outlook 2013, and KB4018372 for Outlook 2016. It seems to work, as I can see a lot more memory available for Outlook 2016 after this patch, and will update later once I can confirm the below issues are resolved.

Original Blogpost:

Since going from Outlook 2010 to 2016, I’ve noticed several issues. They’re outlined on this TechNet article which lists:

  • Buttons on the Outlook ribbon failing to paint properly
  • Email messages displaying either blank or black in the Reading Pane
  • The Navigation Pane failing to draw all folders properly
  • Various rectangles appearing in the Outlook user interface (UI)

There’s also just Outlook crashing/freezing/running slow. This has been an ongoing problem, and I suspected 3rd party addins to be the culprits. That’s sort of true, however it turns out it’s an overall memory issue with 32 bit Outlook having ~2GB of RAM to access, shared amongst all the 32 bit apps running on your computer.

If you want to know whether low memory is the cause of your issues, one way is to use the Sysinternals VMMap utility and follow these instructions. If your free memory is under 250MB, then you’re working below the requirements of what Outlook needs to have available to continue running smoothly.

The article above is very well written and detailed, with the primary remediation suggestion being to go 64 bit Office. This isn’t a short term realistic solution for many companies who have legacy 32 bit addons, or vendors who just haven’t got there with 64 bit addins yet. It only takes 1 addin for that idea to come crashing down, and then there’s the testing of all the re-written apps, and then deploying out; an uninstall of the whole Office 2013 or 2016 32 bit suite, uninstalling all the addins, deploying Office 64 bit, deploying the new addins… it’s potentially a huge project to take on.

There is hope though for those of us who can’t go 64 bit (again the article has many suggestions), which is a new feature called Large Address Aware (LAA). It doubles the amount of memory (4GB) available to the Office apps. It’s already rolled out to Outlook 2016 build 1709. That makes sense if you’re using the Click to Run (CTR) version of Office 2016, but the MSI version that many still use hasn’t got this update yet. Referring to the TechNet article again on this issue, there’s no exact specific mention that LAA will come to the Click to Run version of Outlook 2016, so we’ll have to wait and see.

If you’re experiencing a less than great experience with Outlook 2013 or 2016, it’s worth understanding the above and seeing if you’re affected. This may drive you to change to Office 2016 CTR, Office 2016 64 bit, or even both – or leave you to work out how you can improve the experience, with potentially disabling Outlook addins that aren’t necessary.

I am trying to work with Microsoft on this issue too, so feel free to ask any questions or make any comments and I’ll see if I can assist.