MS OFFICE GPO issue:Outlook (various version) GPO Win7-10 not applying to all machines.
- 
 Hello all, I haven't visit Mangolassi for months... Good to be back  We are having issue with Outlook GPO where it will implement to some, but not all, and not all the time.... This drives me nuts as there is no errors...it just decide to not do it. We have vaiours version of Outlook (Home&Business 2013, Office365 Business 2013/2016, Office365 Proplus 2013/2016), and we have implement Office GPO for these applications. The problem we are facing now is some Office does not pick up the GPO, while the others do. We are certain that the GPO is working since other policies are being applied (only Office is not). For example: User 1 and User 2 both use the same Office (O365 Business 2013). Both of the get the "upgrade to 2016" banner. We pushed out GPO and one of them no longer see the banner, while the other still see the banner. At the same time...we push Junk Safe Sender list and User 2 get the update on Outlook, but not User 1. I have personally look at about 10 Outlook with various version... I could not found any pattern at all. 1 H&B2013 get the Safe Sender updated, while the other H&B2013 does not. Same with O365 Business. I am still on hold with Office support (Microsoft) as I am typing this post. I might get an answer soon... 
 Has anyone seen these kind of problem before? How to resolve it?EDIT: FIX: Uninstall O365 Business (if installed) > Restart > Install O365 ProPlus > signin with Business subscription > Update (to trigger downgrade from Pro to Business) > Profit! 
- 
 Have you run GPResult on the offending machines? 
- 
 We have. It did deployed successfully. Microsoft rep suggested install using .msi instead of click2run. Still testing (looking for the .msi installer) 
- 
 @stess good to see you back again  
- 
 Have not seen this issue, I'm afraid. 
- 
 
- 
 is there any pattern between the ones working and not working? Office version, OU placement, SG membership, etc? 
- 
 @Brains said in MS OFFICE GPO issue:Outlook (various version) GPO Win7-10 not applying to all machines.: is there any pattern between the ones working and not working? Office version, OU placement, SG membership, etc? The program varies... 
 GPO applied to top User OU.
 As for applications...I do not see any pattern. According to an article (that I could not find now) stated that ClicktoRun for O365 Business do not support GPO. However, I found one user with O365 Business that has Safe Sender list updated. At the same time I have couple users running H&B2013.msi and failed to get Safe Sender List updated. Plus, There are two ProPlus2013 that still getting Banner, while three other Proplus2013 do not have the same banner. All five machines were identical from processors to application installed date.
- 
 I'm also interested in what the gpresult shows. 
 https://technet.microsoft.com/en-us/library/bb456989.aspx
- 
 I found a bypass to this issue. Again... not sure where I read it from (open around 50+ tabs). Someone mentioned that if I install Proplus ClicktoRun > signin using Business subscription account > Push office to Update (downgrade from Proplus to Business) > While keep Regedit intact (I have not compare regedit yet). This does appears to fix the problem, and it is now be able to pick up Safe Sender list pushed through GPO (after GPUPDATE). Going to run some more experiments. 
 I will post GPResult when I got a chance to touch those machines.
- 
 The first thing I check with something like that is make sure all your domain controllers are syncing the sysvol. If not the computers that hit one DC will get the updated GPO and the ones that hit a stale DC may not get the policy. 
- 
 @Mike-Davis said in MS OFFICE GPO issue:Outlook (various version) GPO Win7-10 not applying to all machines.: The first thing I check with something like that is make sure all your domain controllers are syncing the sysvol. If not the computers that hit one DC will get the updated GPO and the ones that hit a stale DC may not get the policy. This is definitely a good idea, though, I'm sure because I'm crazy.. I normally look on the PC to see what DC it's pulling from, and check that specific one for the information. 
- 
 So after multiple tests, reinstall, refresh, and snapshots.... I finally came to a conclusion (disclaimer: this is personal result, and not Microsoft official solution): The GPO is working as intended, but it was intended for ProPlus (and above). For whatever reason unknown to us, Microsoft made Office 365 Business unable to pickup GPO (seem to be during installation). Workaround: As stated in previous comment, you will need to install ProPlus (2013/2016 | 32bit/64bit), then sign in with an account with Office 365 Business subscriptions. Because Office detects that the sign in accord do not have ProPlus, you will still get "Activation required". To fix the activation required, hit Update Now, which will downgrade ProPlus to Business. The only differences we noticed is Business do not have Skype for Business, Access, and Publisher. The rest of the application still works, and GPO now work as we expected. If you already have Office 365 Business installed, it is highly recommended to uninstall > restart first. Otherwise, the solution may not work. Again, this is Not Microsoft official solution. Recap: Uninstall O365 Business (if installed) > Restart > Install O365 ProPlus > signin with Business subscription > Update (to trigger downgrade from Pro to Business) > Profit! 
- 
 LOL not surprised by this at all! MS seems to be making their non top of the line (read most expensive) have a lot of caveats, such as GPOs that only work for Enterprise Windows, not Pro. 




