In a recent customer engagement the senior messaging architect wanted to restrict the versions of Outlook connecting to the Exchange servers. This was due to the fact that there were some old and unsupported versions of Exchange and some incentive had to be applied to those business groups to ensure that all the stragglers were updated. As mentioned in a previous post, do not overlook Outlook patching. Some of the observed machines were multiple years out of date.
Understanding the Outlook Versions Connecting to Exchange
The Exchange 2010 RPC Client Access logs were used to determine the versions of Outlook which were present in the environment. A quick and easy way is to use Log Parser Studio’s pre-canned report to analyse the RPC Client Access logs to report on the Outlook version.
Once you have the Outlook versions, you can determine where to draw the line.
For reference purposes the below table shows the RTM builds of Outlook. Service pack information is not included.
| Outlook Version | Build |
| 97 | 8.0 |
| 2000 | 9.0.0.2711 |
| 2002 | 10.0.2627.2625 |
| 2003 | 11.0.5608.5606 |
| 2007 | 12.4518.1014 |
| 2010 | 14.0.4760.1000 |
| 2013 | 15.0.4481.1003 |
| 2016 VLK | 16.0.4266.1003 |
How to Restrict Outlook Versions In Exchange 2010 Onwards
Exchange 2010 introduced the Set-RPCClientAccess cmdlet. This is how the restrictions to Outlook versions are applied. Exchange 2007 and previous versions used a different methodology. Since Exchange 2007 has almost transitioned out of its extended support lifecycle at the time of writing it will not be covered here.
If we review the details listed on the Set-RPCClientAccess cmdlet, the BlockedClientVersion parameter is what we need to work with:
The BlockedClientVersion parameter specifies which versions of Microsoft Outlook are restricted from connecting. The Exchange RPC Client Access service rejects Outlook connections if versions are in the range specified. This setting affects MAPI and Outlook Anywhere client connections. The value must be less than 256 characters in length.
Versions should be single numbers in the format X.Y.Z where X is a major version number, Y is the minor revision number, and Z specifies the build, and ranges should be delimited by semicolons (for example, 0.0.0-5.9.9; 7.0.0-65535.65535.65535). For more information, see Configure Outlook client blocking.
By default there are no entries listed in the BlockedClientVersions. We can see this by using Get-RpcClientAccess
Note that the Set-RpcClientAccess cmdlet uses BlockedClientVersion, whereas the Get-RpcClientAccess cmdlet uses the plural which is BlockedClientVersions. There is an “s” at the end of the latter.
Exchange Log Details
The below is an excerpt from an Exchange 2010 SP3 RU14 RPC Client Access log file. The lines were separated for easier reading. Noted that the Outlook build is 14.0.7172.5000 which is an Outlook 2010 based client. The test account is called Local-1 (since this is one of my hybrid labs). The extra digits at the end of the LegacyExchangeDN are due to the changes introduced with Exchange 2010 SP1 RU6. Newly created LegDNs will have three random characters appended to help reduced duplicates.
#Software: Microsoft Exchange
#Version: 14.03.0227.000
#Log-type: RCA Protocol Logs
#Date: 2016-09-13T23:14:31.023Z
#Fields: date-time,session-id,seq-number,client-name,organization-info,client-software,client-software-version,client-mode,client-ip,server-ip,protocol,application-id,operation,rpc-status,processing-time,operation-specific,failures
2016-09-13T23:14:31.023Z,2,0,/o=TailspintoysCanada/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Local-1687,,OUTLOOK.EXE,14.0.7172.5000,Classic,10.0.0.10,fe80::1dd8:2fb8:3094:bc27%35,ncacn_ip_tcp,,Connect,0,00:00:00.5796323,"SID=S-1-5-21-600719655-2052185052-986975721-3120, Flags=None",
2016-09-13T23:14:31.997Z,2,1,/o=TailspintoysCanada/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Local-1687,,OUTLOOK.EXE,14.0.7172.5000,Classic,,,ncacn_ip_tcp,,OwnerLogon,0,00:00:00.9744801,"Logon: Owner, /o=TailspintoysCanada/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Local-1687 in database Mailbox Database 0902775998 last mounted on TAIL-CA-EXCH-2.Tailspintoys.ca at 8/11/2016 3:41:54 AM, currently Mounted; LogonId: 0",
2016-09-13T23:14:32.949Z,2,16,/o=TailspintoysCanada/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Local-1687,,OUTLOOK.EXE,14.0.7172.5000,Classic,,,ncacn_ip_tcp,,OwnerLogon,0,00:00:00.0155913,"Logon: Owner, /o=TailspintoysCanada/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Local-1687 in database Mailbox Database 0902775998 last mounted on TAIL-CA-EXCH-2.Tailspintoys.ca at 8/11/2016 3:41:54 AM, currently Mounted; LogonId: 1",
2016-09-13T23:14:35.545Z,2,60,/o=TailspintoysCanada/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Local-1687,,OUTLOOK.EXE,14.0.7172.5000,Classic,,,ncacn_ip_tcp,,,1144 (rop::WrongServer),00:00:00,"Redirected: not a user's home public server, suggested new server: /o=TailspintoysCanada/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=TAIL-CA-EXCH-2",RopHandler: Logon:
Restricting Outlook Versions – Incorrect Syntax
If we remember from the Set-RpcClientAccess cmdlet, the Outlook range is to be specified using three groups of numbers in a X.Y.Z format. We may be tempted to try and block the Outlook version listed above (14.0.7172.5000) using the below syntax:
Get-ClientAccessServer | Set-RPCClientAccess -BlockedClientVersion “14.0.7172”
When you then test to see if that client is blocked, it is not and can still connect. Then you might try this syntax to again try to block 14.0.7172.5000:
Get-ClientAccessServer | Set-RPCClientAccess -BlockedClientVersion “14.0.7172.5000”
Invoke-Command : Cannot bind parameter 'BlockedClientVersions' to the target. Exception setting "BlockedClientVersions": "Invalid string format. Expected dash-separated ranges, open-ended ranges or singular version numbers in format X.Y.Z where X is less than 128, Y is less than 256 and Z is less than 65536; ranges are delimited by commas or semicolons (eg. -5.9.9;5.2653.11-5.2653.22;5.2653.24;9.0.0-). Note, that MAPI client versions are reported in X.0.Y.Z format, and for this command, they should be specified as X.Y.Z. See http://support.microsoft.com/?kbid=288894 for more information."
[PS] C:\>Get-ClientAccessServer | Set-RPCClientAccess -BlockedClientVersion “14.0.7172.5000”
Invoke-Command : Cannot bind parameter 'BlockedClientVersions' to the target. Exception setting "BlockedClientVersions": "Invalid
string format. Expected dash-separated ranges, open-ended ranges or singular version numbers in format X.Y.Z where X is less tha
n 128, Y is less than 256 and Z is less than 65536; ranges are delimited by commas or semicolons (eg. -5.9.9;5.2653.11-5.2653.22;
5.2653.24;9.0.0-). Note, that MAPI client versions are reported in X.0.Y.Z format, and for this command, they should be specified
as X.Y.Z. See http://support.microsoft.com/?kbid=288894 for more information."
At C:\Users\rmilne.TAILSPINTOYS\AppData\Roaming\Microsoft\ExchangeRemotePowerShelltail-exch-1.tailspintoys.catail-exch-1.tails
pintoys.ca.psm1:57115 char:29
+ $scriptCmd = { & <<<< $script:InvokeCommand `
+ CategoryInfo : WriteError: (:) [Set-RpcClientAccess], ParameterBindingException
+ FullyQualifiedErrorId : ParameterBindingFailed,Microsoft.Exchange.Management.SystemConfigurationTasks.SetRpcClientAccess
Restricting Outlook Versions – Correct Syntax
Why did the above commands not work? As always the devil is in the details. If we re-read the hep content: “Note, that MAPI client versions are reported in X.0.Y.Z format, and for this command, they should be specified as X.Y.Z”.
The MAPI version is reported with an zero which is not used in the Set-RpcClientAccess cmdlet. In short we need to drop the second element out of the reported Outlook build. Thus to block the specific Outlook 2010 build of 14.0.7172.5000 we must remove the second element and specify the version as 14.7172.5000 – the command could look like the below:
Get-ClientAccessServer | Set-RPCClientAccess -BlockedClientVersion “14.7172.5000”
When making changes in the test lab, the updates values were quickly processed. I did not have to restart the RPC Client Access service.
Restricting Outlook Versions – Test Client
The below is the test machine which is running Outlook 2010 SP2 build 14.0.7172.5000. The Help –> About screen is show for completeness.
Now that we blocked this version of Outlook from connecting, what happens when we try to connect Exchange using an existing profile?
The below shows that we are blocked from accessing Exchange due to the version of Outlook that is used. Time to use OWA! Note that the error message may bubble up behind the Outlook splash screen. Check the taskbar to see if there are two Outlook windows, and bring the error message to the front.
Clicking OK to the first error message, then displays the cannot open your default e-mail folders error. Again the error message is quite clear on the reason why.
Trying to create a new Outlook 2010 profile did succeed in creating the profile. However launching Outlook with the new profile did not allow it to connect since the Outlook version was blocked. If we review the RPC Client Access log, it is quite clear that this user has been blocked and why.
#Software: Microsoft Exchange
#Version: 14.03.0227.000
#Log-type: RCA Protocol Logs
#Date: 2016-09-14T16:45:01.906Z
#Fields: date-time,session-id,seq-number,client-name,organization-info,client-software,client-software-version,client-mode,client-ip,server-ip,protocol,application-id,operation,rpc-status,processing-time,operation-specific,failures
2016-09-14T16:45:01.906Z,2,0,/o=TailspintoysCanada/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Local-1687,,OUTLOOK.EXE,14.0.7172.5000,Classic,10.0.0.10,fe80::1dd8:2fb8:3094:bc27%35,ncacn_ip_tcp,,Connect,1247 (rpc::ClientVerDisallowed),00:00:00.7496139,"SID=S-1-5-21-600719655-2052185052-986975721-3120, Flags=None",RpcDispatch: [RpcServerException] Client version is not allowed: 14.0.7172.5000 based on the service-wide settings. (StoreError=ClientVerDisallowed)
Removing All BlockedClientVersions
To completely remove all of the entries from the BlockedClientVersion field, set it to $Null.
Get-ClientAccessServer | Set-RPCClientAccess -BlockedClientVersion $Null
Note that there are no client versions indicated with the yellow arrow after running the cmdlet to set the value to $Null.
Sample Blocked Selections
The below are some sample selections. Consult the list of Outlook build numbers, and make the appropriate choices for your environment.
Block Outlook 2003
Get-ClientAccessServer | Set-RPCClientAccess -BlockedClientVersion “11.5510.0-11.8326.0”
Block Outlook 2003 and 2007
You can change the last block range to be 8.02.4-14.0.0 to catch any Outlook 2007 clients.
Cheers,
Rhoderick
