Solved MS OFFICE GPO issue:Outlook (various version) GPO Win7-10 not applying to all machines.
-
@stess good to see you back again
-
Have not seen this issue, I'm afraid.
-
-
is there any pattern between the ones working and not working? Office version, OU placement, SG membership, etc?
-
@Brains said in MS OFFICE GPO issue:Outlook (various version) GPO Win7-10 not applying to all machines.:
is there any pattern between the ones working and not working? Office version, OU placement, SG membership, etc?
The program varies...
GPO applied to top User OU.
As for applications...I do not see any pattern. According to an article (that I could not find now) stated that ClicktoRun for O365 Business do not support GPO. However, I found one user with O365 Business that has Safe Sender list updated. At the same time I have couple users running H&B2013.msi and failed to get Safe Sender List updated. Plus, There are two ProPlus2013 that still getting Banner, while three other Proplus2013 do not have the same banner. All five machines were identical from processors to application installed date. -
I'm also interested in what the gpresult shows.
https://technet.microsoft.com/en-us/library/bb456989.aspx -
I found a bypass to this issue. Again... not sure where I read it from (open around 50+ tabs). Someone mentioned that if I
install Proplus ClicktoRun > signin using Business subscription account > Push office to Update (downgrade from Proplus to Business) > While keep Regedit intact (I have not compare regedit yet).
This does appears to fix the problem, and it is now be able to pick up Safe Sender list pushed through GPO (after GPUPDATE). Going to run some more experiments.
I will post GPResult when I got a chance to touch those machines. -
The first thing I check with something like that is make sure all your domain controllers are syncing the sysvol. If not the computers that hit one DC will get the updated GPO and the ones that hit a stale DC may not get the policy.
-
@Mike-Davis said in MS OFFICE GPO issue:Outlook (various version) GPO Win7-10 not applying to all machines.:
The first thing I check with something like that is make sure all your domain controllers are syncing the sysvol. If not the computers that hit one DC will get the updated GPO and the ones that hit a stale DC may not get the policy.
This is definitely a good idea, though, I'm sure because I'm crazy.. I normally look on the PC to see what DC it's pulling from, and check that specific one for the information.
-
So after multiple tests, reinstall, refresh, and snapshots.... I finally came to a conclusion (disclaimer: this is personal result, and not Microsoft official solution):
The GPO is working as intended, but it was intended for ProPlus (and above). For whatever reason unknown to us, Microsoft made Office 365 Business unable to pickup GPO (seem to be during installation).
Workaround: As stated in previous comment, you will need to install ProPlus (2013/2016 | 32bit/64bit), then sign in with an account with Office 365 Business subscriptions. Because Office detects that the sign in accord do not have ProPlus, you will still get "Activation required". To fix the activation required, hit Update Now, which will downgrade ProPlus to Business. The only differences we noticed is Business do not have Skype for Business, Access, and Publisher. The rest of the application still works, and GPO now work as we expected.
If you already have Office 365 Business installed, it is highly recommended to uninstall > restart first. Otherwise, the solution may not work.
Again, this is Not Microsoft official solution.
Recap: Uninstall O365 Business (if installed) > Restart > Install O365 ProPlus > signin with Business subscription > Update (to trigger downgrade from Pro to Business) > Profit!
-
LOL not surprised by this at all! MS seems to be making their non top of the line (read most expensive) have a lot of caveats, such as GPOs that only work for Enterprise Windows, not Pro.
