Outlook Programmatic Access in Office 365 Pro Plus & RDS 2019

Question

I see this thread is discussed many times and I have read through most every one of the current documented cases but I still cannot find an answer to my issue. Hopefully I'm just missing something small to get this issue resolved. I have a customer with a 2012 DC and a 2019 RDS that runs Office 365 Pro Plus. Multiple email accounts that are being used off of the RDS box but only one per user profile. Most users don't use these email accounts for their personal/business use. These email accounts are a mixture of 365, POP and IMAP accounts. My customer has written VBA scripts that send Excel data using Outlook behind the scenes for each profile. The users are being prompted with the Programmatic Access security warning when the email kicks off to send the data. I can run Outlook in admin mode, change the Programmatic Access option not to prompt and this works for a while until something unknown (maybe windows updates) happens then the settings go back to prompting. The last time the script had sent 6 emails over a period of 6 days then it changed back. There is current Avast antivirus software running on the RDS box but according to previous documentation I see that Windows security center doesn't recognize antivirus software on Windows server operating

systems. I need to find a way to eliminate the prompting during the send for ALL/ANY user(s). We understand the risks by turning off Programmatic Access but need it turned off for now. I've added registry settings also under the admin account but these don't replicate when a general user logs into the server. I've attached several screen shots of how the environment looks in admin mode and in general user mode along with Outlook version information.

Above is what Outlook settings look like logged into the RDS as Admin to the domain. All are greyed out and not changeable and nothing selected.

Above is what the Programmatic Access registry settings looks like logged into the RDS as Admin on the domain.

Above is what Outlook settings look like logged into the RDS as a standard user to the domain. All are greyed out but "Warn Me" is selected.

Above is what the Programmatic Access registry settings looks like logged into the RDS as a standard user on the domain. One thing that is odd here is that the version here states 14.0 and the version when logged into the RDS as administrator shows 16.0. There is only one version and have only been one version ever installed here on the server. Not sure why Microsoft would indicate two different versions.

Above is current Outlook version information.

Answer 1

HI kennethpatterson-4715,

Thanks for your waiting.

I discover that there is a document to solve your this issue, please check if Resolution Method 1 and Resolution Method 2 can help you.

A program is trying to send an e-mail message on your behalf warning in Outlook

https://learn.microsoft.com/en-us/outlook/troubleshoot/security/a-program-is-trying-to-send-an-email-message-on-your-behalf

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

For those who still strugle with this. If GPOs aren't working for you and no matter what mentioned above registry keys you change and still no go.
Look in your registry here:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Outlook\Security]
For us it turned out to be a correct place to create/change key 'ObjectModelGuard' and that solved it.

Answer 3

Thanks JiaYou-MSFT for your help but I think you missed out on reading what procedures I have already tried.

Answer 4

HI kennethpatterson-4715,

Thanks for your reply.

1."I can run Outlook in admin mode, change the Programmatic Access option not to prompt and this works for a while until something unknown (maybe windows updates) happens then the settings go back to prompting."
Do you recall when you change "the Programmatic Access option not to prompt"?
Then we can enter below command to check which update patches (office update/skype/lync etc) installed recently then check if there is any office related update listed in "installed updates" in control panel like below picture.
get-hotfix

2.Do your end user set automatically forward outlook email to their personal email or third-party email?

3.Windows Security Center is not supported on server operating system versions, so I think setting "never warn me about suspicious activity" solution, meanwhile you can't set it for standard users (none administrators) and you can set it for administrators ( both local admin and domain admin), Is it true?
Could you share the method about how did you set "never warn me about suspicious activity" for each domain user? by using logon script or domain administrative Template policy?

Antivirus status shown as Unavailable (This version of Windows does not support antivirus detection)
https://learn.microsoft.com/en-us/outlook/troubleshoot/security/outlook-trust-center-shows-antivirus-status-as-unavailable

4.Is there office 2010 related software installed on problematical w2019 server?

5.Are you using the latest office or outlook administrative Template files (ADM/ADMX/ADML), then apply these policies for your problematical outlook?
Administrative Template files (ADMX/ADML) and Office Customization Tool for Microsoft 365 Apps for enterprise, Office 2019, and Office 2016
https://www.microsoft.com/en-us/download/details.aspx?id=49030

6.If we create a local standard test user on problematical w2019 RDS server then logon this local none admin user, is there 14.0 or 16.0 office key for this local none admin user?
(1)HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\14.0
(2)HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 5

Question #1. On May 11th I logged in as administrator to the domain and ran Outlook as administrator and changed the programmatic access setting. I don't remember for sure if that changed the one for the standard users or not at that time but I do remember checking the two users that we had setup at that time to make sure that the programmatic access setting was set "not to warn". I'm just not sure if changing it when I logged in as administrator to the domain got it for the users or if I went to one of the users and ran Outlook in admin mode to change the setting. I do remember that I only had to login to one account and run Outlook as Administrator which changed the settings for the other users. The user uses Excel and runs a VBA script that sends an email using Outlook and the IMAP account that we have setup on that profile. This worked 6 times and on the 7th time on May 18th the warning reappeared to the user.

The event 44's are the start of a download of a Windows Update
The event 19's are the successful installation of a Microsoft Defender Antivirus update
The event 43's are the start of the installation of the Microsoft Defender Antivirus update

Attached below is a list of all the updates that have been applied to the RDS 2019 box.

Question #2. "Do your end user set automatically forward outlook email to their personal email or third-party email?"

I don't know if you mistyped some of these words or your English is not good and this is what you came up with? I'm going to assume that you meant "Does" instead of "Do" in your sentence above and I'm going to assume that you meant "setup" instead of "set" in your sentence above.

The end user setup does not "forward" emails. The end user setup sends emails to the same email address every time which is one of the customer's email addresses that it sends the email to every time and one of the customer's email addresses that it uses to send the email. Each user has a predefined unique email assigned to them. The end user doesn't use this email account or Outlook for their personal or business use. The email setup in Outlook is strictly used for this process they are trying to accomplish.

Question #3. In order to set the programmatic access setting to "Do not warn" prior to the registry changes I logged in as the standard user, right clicked on the Outlook icon and chose "Run as Administrator". This enabled me to be able to change the settings. With the registry changes that I have done I am no longer able to do that at this time. This change also showed up under the other standard users.

Question #4. Office 2010 is not installed on this server.

Question #5. We have not changed any Outlook administrative template files. What ever is default should be in place.

Question #6. The policy settings for a new user with or without an email account setup looks like the image below.