Tuesday, April 18, 2017

Block all Outlook versions earlier than X version

For one reason or another, some organizations have the requirement to block older versions of Outlook from connecting to their Exchange environment. This can easily be done on a per-mailbox or on a per-mailbox server basis.

Let’s say we want to block user nuno from accessing his mailbox using all Outlook versions earlier than 11.8010.8036. To achieve this, we run the following cmdlet:
Set-CASMailbox nuno -MAPIBlockOutlookVersions "-11.8010.8036"

When the user tries to use an older version of Outlook, he will get the following message (in this case I blocked all versions of Outlook):

Followed by:

To restore access to the mailbox to any version of Outlook, we simply clear the MAPIBlockOutlookVersion parameter:
Set-CASMailbox nuno -MAPIBlockOutlookVersion $null

To achieve the same but on a per-server basis, we need to use a Registry Key on all servers. In the next example, we create the Disable MAPI Clients registry value to block access to all mailboxes for Outlook clients prior to version 14.0.0:
New-ItemProperty "HKLM:\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem" -Name "Disable MAPI Clients" -PropertyType String -Value "0.0.0-5.9.9, 14.0.0-"

Important: be careful when restricting client access because server-side Exchange components must also use MAPI to log on. Some components report their client version as the component name (such as SMTP or OLE DB), while others report the Exchange build number (such as 6.0.4712.0). For this reason, we must avoid restricting clients that have version numbers that start with 6.x.x.

No comments:

Post a Comment