I’ve Made A Huge Mistake

Microsoft has beaten me to the punch and when I say beaten I mean I’m not updating my blog fast enough, on how to deploy safe senders in Outlook.

http://support.microsoft.com/kb/2252421

It’s a very good detailed write up which clears up what people generally get held up on. Usually you load up the ADM template for Outlook, specify the path to your import file, fire up Outlook and nothing in the safe senders list. You then scratch head, run a gpupdate.exe /force and try again, still nothing. The trick is one of these registry keys that is not in this policy has to be set to tell Outlook to indeed yes please load this list up.

Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1x.0\Outlook\Mail

Key: HKEY_CURRENT_USER\Software\Microsoft\Office\1x.0\Outlook\Mail

DWORD: JunkMailImportLists
Value: 1

Version 11.0 is 2003, 12.0 is 2007 and 14.0 is 2010.

Ok so how do we push this key out to the environment? In the KB it lists out a few choices you can use such as, Group Policy, LoginScript, and Outlook Customization tool. In the KB they actually give you the new ADM file to upload to your domain controller to push out this new key. Those guys thought of everything! Since it is using this key, HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1x.0\Outlook\Mail your Outlook client will always re-import the list. What if though your list doesn’t change that much, maybe once every 6 months or even longer. Every time you launch Outlook you are going to get an RPC call across the network to check this list, see that there is no new to update and continue to load. Why do you want your clients to make this unnecessary RPC call when you KNOW there is nothing new. Granted if we are FORCING what will always be in this list then yes we’d want Outlook to check on each launch and add the appropriate users or domains to the list. But if you are just adding some “suggested” safe senders and if people choose to remove them well then that is ok too. If that is the case why don’t we have Outlook only check the list when we KNOW there is a new update for them. To do that we use the HKEY_CURRENT_USER\Software\Microsoft\Office\1x.0\Outlook\Mail

Once Outlook loads, it will set this value from 1 back to 0 and no longer check the list. Sounds exactly like we may want to do, now how do we roll this out? First we could use Group Policy using a custom ADM template like above to flip this key. However this isn’t really what we want as every time the policy refreshes, it will set they key back to 1 then check the list again on next launch. This is better than the other key but really, not that much better. Solution: enter the loginscript.

The way I went about solving this problem was to read/write a registry key to check the value, if the value you have matches what’s in the script then we don’t need to import our new list. If it doesn’t match, change the HKEY_CURRENT_USER\Software\Microsoft\Office\1x.0\Outlook\Mail back to 1 so when the user launches Outlook it will indeed re-import the new list. Also since you are checking a PER USER setting, you need to get the SID of the user so you can store your custom key in the correct location. This is needed especially if you have a machine shared by multiple people. The example below is for Outlook 2007.

Function SafeSenders()

On error resume next
‘needed for first run if no regkey exists, will through an error, need script to continue to run

Dim ojbFSO, shell, serialnumber, scriptrun

Set ObjFSO = CreateObject(“Scripting.FileSystemObject”)
set shell =CreateObject(“wscript.shell”)

Set oWshNetwork = CreateObject(“WScript.Network”)

‘Getting Sid
Set oUserAccount = GetObject(“winmgmts://./root/cimv2″) _
.Get(“Win32_UserAccount.Domain=’” & oWshNetwork.UserDomain & “‘” _
& “,Name=’” & oWshNetwork.UserName & “‘”)

sUserSID = oUserAccount.SID
‘Debug
‘msgbox sUserSID

reglocation = “HKEY_USERS\” & sUserSID & “\YOUR CUSTOM KEY\SafeSenders”

‘Debug
‘Msgbox reglocation

‘Current Version
serialnumber = “whateveryouwant”

‘Registry Key Location
scriptrun = shell.regread(reglocation)

‘Debug
‘Msgbox ScriptRun

if scriptrun = serialnumber Then
‘Current Version already run on machine, nothing left to do in this function
‘Debug
‘Msgbox “Script already ran, exiting function”
Exit Function

End if

shell.RegWrite “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Outlook\Options\Mail\JunkMailImportLists”,”1″, “REG_DWORD”

shell.RegWrite reglocation,serialnumber, “REG_SZ”
‘Script completed, updating registry
‘Debug
‘msgbox sUserSID

End Function

Some people haven’t upgraded to Outlook 2010 Beta yet, can you believe them? Actually in the real world, many people are still on Outlook 2003. After you drop in Exchange 2010 into your environment, anyone that has Outlook 2003 can’t connect. What gives?

The problem is what gets us every time. The default settings. By default Exchange 2010 requires RPC connections to be encrypted. By default Outlook 2003 does not use RPC encryption. Whoops. How do we fix this?

Choice 1.) Disable Exchange 2010 requiring RPC connections to be encrypted. I really don’t like that choice.

Choice 2.) Either by GPO or Manually, update Outlook 2003 Profiles to use encryption as well as any new Outlook 2003 profiles rolling out, make sure they are configured to RPC encryption as well.

Choice 3.) Force people to upgrade to Outlook 2007 or Outlook 2010.They get other benefits besides this for upgrading as well, DR, performance, Mail Tips, etc.

Note This could also be a problem for Outlook 2007 profiles if you disabled RPC encryption when rolling it out.

http://support.microsoft.com/kb/2006508

For those that have installed Outlook 2007 Feb Update, http://support.microsoft.com/kb/961752/ or have installed Office 2007 SP2, when you start up Outlook for the first time after the update, Outlook has to do some optimization on your mailbox. This can take some time, it took over 15 minutes for my mailbox though it is rather large (over 15,000 items). While it is doing this it displays a message “Preparing Outlook for first use”. This may confuse some people since they have already used Outlook before. A better way to say it may have been “Preparing Outlook for first use after SP2 was installed”. More importantly you can modify the text to whatever you want in this message, “Optimizing for Performance, Please Call Help Desk With Any Questions”.

How do we do this?

1.) Install the hotfix or SP2 for Office.

2.) Go to the registry at HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Preferences and add a new string value called StoreUpgradeProgressTitle.

3.) In the value data box type whatever you want your message to be.

Pretty simple and a way to give you more control of what is being communicated to your end users.

Links

Outlook 2007 Feb Update http://support.microsoft.com/kb/961752/

Office 2007 SP2 Download http://office.microsoft.com/en-us/downloads/default.aspx

Original KB Article on Customizing http://support.microsoft.com/kb/969791

Outlook has performance trouble when there are too many items in critical path folders such as Calendar, Contacts, Inbox and Send Item folder. Some numbers to keep in mind.

3,500 to 5,000 is a good gage according to the support article. The Exchange team blog also states that keeping the Inbox, Contacts and Calendar to 1,000 or less. The key to remember is that it isn’t necessarily the size of the times, but the number of items. Also if they are a blackberry user, that adds about 3.4 to 4 IOPS to their user account.

http://msexchangeteam.com/archive/2005/03/14/395229.aspx

http://support.microsoft.com/default.aspx?scid=kb;EN-US;905803

In Outlook 2003, when putting in cached mode, you can set offline folders to have encryption. You do this by going to More Settings (When selecting Cached Mode), Offline Folder Settings. There are three different settings.

-No Encryption

-Compressible Encryption (default)

-High Encryption

The encryption of these folders was not too good, so it has been removed from Outlook 2007. The now recomended way is to use EFS on the file system, and let that handle the encryption.

If you have noticed that your free busy info is becomming corrupted more and more frequently a security patch from March may be the culprit. If you have applied MS08-15 http://support.microsoft.com/default.aspx?scid=kb;EN-US;945432 there has been more corruption especially when network connectivity is lost. Try running this hotfix http://support.microsoft.com/default.aspx?scid=kb;EN-US;951982. Also you can always run outlook.exe /cleanfreebusy to republish your free busy info.