Planning Guide For Microsoft Office 2010 - For IT Professionals
Microsoft Corporation
Published: December 2010
Author: Microsoft Office System and Servers Team ([email protected])
Abstract
This book contains information about how to plan a deployment of Microsoft Office 2010. The audience
for this book includes IT generalists, IT operations, help desk and deployment staff, IT messaging
administrators, consultants, and other IT professionals.
The content in this book is a copy of selected content in the Office 2010 Resource Kit technical library
(http://go.microsoft.com/fwlink/?LinkId=181453) as of the publication date. For the most current content,
see the technical library on the Web.
This document is provided as-is. Information and views expressed in this document, including URL
and other Internet Web site references, may change without notice. You bear the risk of using it.
Some examples depicted herein are provided for illustration only and are fictitious. No real association
or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any Microsoft
product. You may copy and use this document for your internal, reference purposes.
© 2010 Microsoft Corporation. All rights reserved.
Microsoft, Access, Active Directory, Backstage, Excel, Groove, Hotmail, InfoPath, Internet Explorer,
Outlook, PerformancePoint, PowerPoint, SharePoint, Silverlight, Windows, Windows Live, Windows
Mobile, Windows PowerShell, Windows Server, and Windows Vista are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft
cannot guarantee the accuracy of any information presented after the date of publication.
Contents
Getting help ...................................................................................................................................... xvii
Plan desktop configurations for Office 2010 ..................................................................................... 38
Restricting permission on e-mail messages ............................................................................... 54
Outlook 2010 and e-mail protocols and servers ......................................................................... 54
Upgrading from an earlier version of Outlook ................................................................................... 55
Upgrading with Cached Exchange Mode enabled ..................................................................... 55
Additional issues to consider when planning an upgrade ................................................................. 55
Upgrading from other mail and scheduling programs ....................................................................... 56
Synchronization, disk space, and performance considerations ........................................................ 89
Manual synchronization of Exchange accounts no longer necessary ........................................ 89
Offline Address Book access advantages .................................................................................. 90
Offline folder (.ost file) recommendations ................................................................................... 90
Managing performance issues ................................................................................................... 91
Managing Outlook folder sharing ................................................................................................ 91
Public Folder Favorites considerations ....................................................................................... 92
Managing Outlook behavior for perceived slow connections ............................................................ 92
Options for staging a Cached Exchange Mode deployment ............................................................. 93
Upgrading current Cached Exchange Mode users to Outlook 2010 ................................................ 95
Deploying Cached Exchange Mode to users who already have .ost files ........................................ 96
Configuring Cached Exchange Mode ............................................................................................... 96
Additional resources .......................................................................................................................... 98
Cached Exchange Mode in a Remote Desktop Session Host environment: planning considerations
(white paper) .................................................................................................................................. 99
Educating users about the Personal Archive............................................................................ 130
Outlook data files (.pst) in your organization ............................................................................ 130
Choose security and protection settings for Outlook 2010 ............................................................. 135
Overview ......................................................................................................................................... 135
Specify how security settings are enforced in Outlook ................................................................... 136
Customize security settings by using Group Policy .................................................................. 136
How administrator settings and user settings interact in Outlook 2010 .......................................... 138
Working with Outlook COM add-ins ................................................................................................ 138
Customize ActiveX and custom forms security in Outlook 2010 .................................................... 139
Customize how ActiveX controls behave in one-off forms ....................................................... 139
Customize custom forms security settings ............................................................................... 140
Customize programmatic settings in Outlook 2010 ........................................................................ 141
Additional settings ........................................................................................................................... 142
Plan for spelling checker settings in Office 2010 ............................................................................ 166
Office 2010 general spelling checker settings ................................................................................ 167
InfoPath 2010 spelling checker settings ......................................................................................... 169
OneNote 2010 spelling checker settings ........................................................................................ 169
Outlook 2010 spelling checker settings .......................................................................................... 170
PowerPoint 2010 spelling checker settings .................................................................................... 171
Publisher 2010 spelling checker settings ........................................................................................ 171
Word 2010 spelling checker settings .............................................................................................. 172
Understand security threats and countermeasures for Office 2010 ............................................... 212
Information security risks ................................................................................................................ 212
Threats to desktop productivity applications ................................................................................... 213
Active content threats ............................................................................................................... 213
Unauthorized access threats .................................................................................................... 214
External content threats ............................................................................................................ 215
Browser threats ......................................................................................................................... 215
Zero-day exploit threats ............................................................................................................ 215
Default countermeasures in Office 2010 ......................................................................................... 216
ActiveX control settings ............................................................................................................ 216
Add-in settings .......................................................................................................................... 217
Cryptography and encryption settings ...................................................................................... 217
Data Execution Prevention settings .......................................................................................... 217
Digital signature settings........................................................................................................... 217
External content settings .......................................................................................................... 217
File Block settings ..................................................................................................................... 218
Office File Validation settings ................................................................................................... 218
Password complexity settings .................................................................................................. 218
Privacy options ......................................................................................................................... 218
Protected View settings ............................................................................................................ 219
Trusted Documents settings ..................................................................................................... 219
Trusted Locations settings ........................................................................................................ 219
Trusted Publishers settings ...................................................................................................... 219
VBA macro settings .................................................................................................................. 220
Plan security settings for add-ins for Office 2010 ........................................................................... 233
About planning add-in settings ........................................................................................................ 233
Disable add-ins on a per-application basis ..................................................................................... 234
Require that application add-ins are signed by trusted publisher ................................................... 234
Disable notifications for unsigned add-ins ...................................................................................... 234
Plan security settings for ActiveX controls for Office 2010 ............................................................. 236
About planning settings for ActiveX controls ................................................................................... 236
Disable ActiveX controls ................................................................................................................. 237
Change the way ActiveX controls are initialized ............................................................................. 239
Related ActiveX control settings ..................................................................................................... 240
Plan security settings for VBA macros for Office 2010 ................................................................... 241
About planning VBA and VBA macro settings ................................................................................ 241
Change the security warning settings for VBA macros ................................................................... 242
Disable VBA .................................................................................................................................... 243
Change how VBA macros behave in applications that are started programmatically .................... 243
Change how encrypted VBA macros are scanned for viruses ....................................................... 244
Related VBA macro settings ........................................................................................................... 245
Plan Office File Validation settings for Office 2010 ......................................................................... 253
About planning Office File Validation settings ................................................................................. 253
Turn off Office File Validation .......................................................................................................... 254
Change document behavior when validation fails ........................................................................... 255
Turn off Office File Validation reporting .......................................................................................... 256
Determine minimum password length requirement .................................................................. 259
Determine the password rules level ......................................................................................... 259
Determine domain time-out value ............................................................................................. 260
Related password length and complexity settings .......................................................................... 260
Plan cryptography and encryption settings for Office 2010 ............................................................ 262
About cryptography and encryption in Office 2010 ......................................................................... 262
Cryptography and encryption settings............................................................................................. 263
Compatibility with previous versions of Office ................................................................................. 266
Setting up IRM for Office 2010 ........................................................................................................ 319
Setting up RMS server access ................................................................................................. 319
Installing the Rights Management client software .................................................................... 319
Defining and deploying permissions policies ............................................................................ 319
Configuring IRM settings for Office 2010 ........................................................................................ 322
Office 2010 IRM settings .......................................................................................................... 322
Office 2010 IRM registry key options ........................................................................................ 323
Configuring IRM settings for Outlook 2010 ..................................................................................... 325
Outlook 2010 IRM settings ....................................................................................................... 325
Outlook 2010 IRM registry key options ..................................................................................... 326
Define business objectives and security requirements ................................................................... 345
Evaluate your current environment ................................................................................................. 346
Design managed configurations based on business and security requirements ............................ 347
Determine the scope of application ................................................................................................. 348
Test and stage Group Policy deployments ..................................................................................... 348
Involve key stakeholders ................................................................................................................. 349
Virtualization delivery methods ....................................................................................................... 370
Delivery methods ...................................................................................................................... 370
Virtualization changes and updates ................................................................................................ 372
Enhancements from SoftGrid ................................................................................................... 372
Application virtualization client architecture .................................................................................... 373
Plan to deploy Office 2010 in a Remote Desktop Services (Terminal Services) environment ....... 391
Planning a Remote Desktop Services environment ........................................................................ 391
Evaluating licensing requirements ............................................................................................ 391
Evaluating software requirements ............................................................................................ 391
Server requirements ................................................................................................................. 392
Client requirements................................................................................................................... 392
Evaluating recommended guidelines and best practices ......................................................... 393
Configuring Remote Desktop Session Host server ......................................................................... 394
Disabled versus Absent ............................................................................................................ 394
Customizing the Office 2010 installation ......................................................................................... 394
Installing Office 2010 on a Remote Desktop Services-enabled computer...................................... 395
Perform a manual installation of Office 2010 ........................................................................... 395
Setup customizations of Office 2010 related to Remote Desktop Services (Terminal Services) ... 398
Install on first use ............................................................................................................................ 398
Screen flickering .............................................................................................................................. 398
TSAbsent and TSDisabled .............................................................................................................. 398
Volume Licensing overview ............................................................................................................. 409
Changes in activation policy ..................................................................................................... 410
Why is activation necessary? ................................................................................................... 410
Privacy ...................................................................................................................................... 410
Office Activation Technologies ........................................................................................................ 410
Key Management Service (KMS) ............................................................................................. 411
Multiple Activation Key (MAK) .................................................................................................. 412
Volume License product keys ................................................................................................... 412
Example: Medium to large organization that has corporate-connected desktop computers and
portable computers ................................................................................................................ 432
Plan and assess the Office 2010 environment and configuration ................................................... 433
Obtain the product keys .................................................................................................................. 434
Install KMS on the host computer ................................................................................................... 434
KMS activation steps ....................................................................................................................... 434
VAMT management steps ............................................................................................................... 434
Scenario: Secure network - KMS or MAK activation of Office 2010 ............................................... 438
Secure network ............................................................................................................................... 438
Considerations ................................................................................................................................ 438
Scenario: Roaming or disconnected computers - KMS or MAK activation of Office 2010 ............. 440
Roaming or disconnected networks ................................................................................................ 440
Considerations ................................................................................................................................ 441
Scenario: Test or development lab - KMS or MAK activation of Office 2010 ................................. 442
Test or development lab network .................................................................................................... 442
Considerations ................................................................................................................................ 443
Getting help
Every effort has been made to ensure the accuracy of this book. This content is also available online in
the Office System TechNet Library, so if you run into problems you can check for updates at:
http://technet.microsoft.com/office
If you do not find your answer in our online content, you can send an e-mail message to the Microsoft
Office System and Servers content team at:
[email protected]
If your question is about Microsoft Office products, and not about the content of this book, please
search the Microsoft Help and Support Center or the Microsoft Knowledge Base at:
http://support.microsoft.com
Planning the deployment of Office 2010
This section provides an overview of the Setup architecture for Office 2010, and information about how
to plan for desktop configurations, security, and applications including Microsoft Access 2010, Microsoft
Excel 2010, and Microsoft Outlook 2010. It also provides planning information for migration and
upgrading from previous versions of Office, as well as planning for virtualization and Remote Desktop
Services.
In this section:
Article: Setup architecture overview for Office 2010
Description: Provides an overview of the Setup architecture for Office 2010, setup sequence of
events, language-neutral design and deployment of multiple languages, customization methods,
required local installation source, and updates process.
Article: Plan a migration and upgrade strategy for Office 2010
Description: Provides information about how to plan the installation of the Microsoft Office 2010
suites, and how to migrate the user data, such as user and computer settings and documents
created from the previously installed versions of Microsoft Office.
Article: Plan desktop configurations for Office 2010
Description: Provides information and guidelines about items to consider before you deploy
Office 2010.
Article: Plan for volume activation of Office 2010
Description: Provides an overview of Microsoft Volume Licensing and Office Activation
Technologies for Office 2010 and describes how to plan for volume activation.
Setup architecture overview for Office 2010
The basic Setup architecture in Microsoft Office 2010 is the same as the architecture introduced in the
2007 Microsoft Office system. The Setup architecture streamlines all aspects of installing, customizing,
and maintaining Office. The Setup program unifies and manages the complete installation process. This
includes customizing users' Office configuration, deploying multiple languages at the same time, and
applying software updates to new installations. This article contains an overview of the Setup
architecture, setup sequence of events, language-neutral design and deployment of multiple languages,
customization methods, required local installation source, and updates process.
The Setup architecture helps administrators manage areas such as the following more efficiently:
Deployment process so that Office is installed in the most efficient way for their environment.
Customization of Office so that users get optimal configuration on their computers.
Deployment of language-specific features for users who are located in offices around the world.
Deployment of Office in a way that makes future maintenance, including software updates, as
efficient as possible.
In versions of Office earlier than the 2007 Office system, a single Office product such as Microsoft
Office Standard was contained in a single Windows Installer (MSI) file. An MSI file is a relational
database that Windows Installer uses to install a product. As with the 2007 Office system, the Office
2010 products consist of multiple MSI files, and no single MSI file represents a complete product. A
language-neutral core package (MSI file) is combined with one or more language-specific packages to
make a complete product. For example, an Office product such as Microsoft Office Professional Plus
2010 consists of the core package plus one or more language-specific packages. Setup assembles the
individual packages, orchestrates a seamless installation, and handles customization and maintenance
tasks during and after installation of Office on users' computers.
Office 2010 introduces native 64-bit versions of Office products to support 64-bit processors, which are
becoming the standard for systems ranging from servers to desktop computers. Office 2010 also
provides support for 32-bit Office 2010 applications that run on 64-bit Windows operating systems by
using Windows-32-on-Windows-64 (WOW64). WOW64 is the x86 emulator that enables 32-bit
Windows-based applications to run seamlessly on 64-bit Windows. Office 2010 lets users continue to
use existing third-party Office add-ons, which are primarily 32-bit because no 64-bit versions are
available yet for many add-ons. Providing support for 32-bit Office 2010 running on 64-bit operating
systems prevents blocking the 32-bit add-ons. For more information about 64-bit editions of Office
2010, see 64-bit editions of Office 2010 (http://technet.microsoft.com/library/faab55b2-bb6c-4636-811e-
24f6939548d1(Office.14).aspx).
In this article:
Setup process
Language-neutral design
Streamlined customization model
Required local installation source
Consolidated update process
Setup process
Typically, the first step in a corporate installation of Office is to create a network installation point, a
task as simple as copying all the files and folders from the Office product CD to a shared network
location. At a minimum, the network installation point contains the language-neutral core package plus
language-specific folders for one language. This installation point serves as the initial source for all
users who install Office.
In the simplest scenario, you deploy an Office product from the network installation point with one
language version and a single set of customizations for all users. Setup handles this scenario
automatically. If you deploy multiple products or languages, you can add them to the same network
installation point and specify exactly which products and languages to include in the installation. In all of
these scenarios, Setup performs the same tasks to assemble the correct set of MSI files and to
complete the installation.
Note:
Office 2010 does not let you create an administrative installation point by running Setup with
the /a command-line option to extract compressed source files, as was possible with Office
versions earlier than the 2007 Office system. All installations now occur from the compressed
source.
In this section:
Setup sequence of events
Including more than one product on the installation point
Running Setup interactively
5. Create a local installation source on the user's computer.
6. Install Office.
7. Apply the customization file.
8. Apply software updates.
Run Setup
Setup.exe is the program that begins all the mechanisms of the installation process. It is located at the
root of the network installation point. You run Setup one time for each Office product that you install.
When it runs, Setup searches the network installation point for an Office product to install. If the
installation point contains more than one Office product, Setup gives the user a choice of products to
install.
You can circumvent the selection process and determine which Office product is installed by pointing
Setup.exe to the Config.xml file in a core product folder. For example, if you want to install Microsoft
Office Professional Plus 2010, you can use the following command line:
\\server\share\Office14ProPlus\setup.exe /config \\server\share\Office14ProPlus\Pro.WW\Config.xml
where Office14ProPlus is the root of the network installation point.
In versions of Office earlier than the 2007 Office system, Setup.exe called Windows Installer
(Msiexec.exe) to install Office. Although Setup still uses Windows Installer, Setup bypasses the
Windows Installer executable program. The Msiexec.exe command line cannot be used to install
Office 2010 (or the 2007 Office system).
Note:
This version of Setup.exe recognizes only a few command-line options. For more information,
see Setup command-line options for Office 2010 (http://technet.microsoft.com/library/0f489f42-
4c01-41d1-8b52-3a2a2da8f731(Office.14).aspx).
Check prerequisites
When Setup starts, it checks for several installation prerequisites. This includes minimum operating
system requirements and administrative permissions. A user must be an administrator of the client
computer to install Office, or you must use a tool such as Microsoft Systems Management Server
(SMS) or Microsoft System Center Configuration Manager 2007 to run the installation by using elevated
permissions.
When you run Setup.exe from the x64 folder, Setup determines whether there are 32-bit Office
applications installed. If Setup detects 32-bit Office applications, it displays an error message that
informs users that they must first uninstall all 32-bit Office applications if they want to continue with the
installation of Office 2010 64-bit. The error lists the installed 32-bit Office applications. If Setup does not
detect 32-bit Office applications, it installs the 64-bit edition of Office 2010.
When you run Setup.exe from the x32 folder, Setup determines whether there are 64-bit Office 2010
applications installed. If Setup detects 64-bit Office 2010, it displays an error message and the
installation is blocked. If Setup does not detect 64-bit Office 2010, it installs the 32-bit edition of
Office 2010. For more information, see 64-bit Setup process
(http://technet.microsoft.com/library/faab55b2-bb6c-4636-811e-24f6939548d1.aspx#BKMK_SetupProc) in 64-bit editions of Office 2010
(http://technet.microsoft.com/library/faab55b2-bb6c-4636-811e-24f6939548d1(Office.14).aspx).
Note
To install Office on computers where users lack administrative permissions, you must run
Setup in a context that provides it with administrative permissions. After Office is installed,
users without administrative permissions can run all installed features. This includes installing
features on demand.
For example, in organizations where users are not the administrators of their computers,
administrators can use the following methods of providing Office Setup with the appropriate
permissions:
Note:
The Setup.xml and Package.xml files are signed and cannot be modified. Altering these
files causes Setup to fail.
Setup customization file Early in the installation process, Setup determines whether you have
specified a Setup customization file (.msp file) for the product that is being installed. A Setup
customization .msp file is created when administrators use the Office Customization Tool (OCT) to
customize an installation of Office 2010. The OCT is part of the Setup program and is the
recommended tool for most customizations. The customization file contains all the modifications
that you specify for an installation. This includes customizations that control the installation process.
The OCT is available in volume licensed versions of Office 2010. To determine whether your Office
2010 installation is a volume licensed version, check the Office 2010 installation disk to see
whether it contains a folder named Admin. If the Admin folder exists, the disk is a volume license
edition; otherwise, the disk is a retail edition.
If no customization file is specified on the command line or in the Config.xml file, Setup searches
the Updates folder on the installation point for a customization file specific to the product that is
being installed. By default, the Updates folder is included on the installation point. In most cases, it
is the recommended location in which to store both a Setup customization .msp file and software
updates for all the Office products included on the installation point.
Important
If you plan to deploy multiple Setup customization files (.msp files), you can place only one
customization .msp file for each Office 2010 product that you are installing in the Updates folder
for an initial installation. Only one Setup customization .msp file (patch) for each Office 2010
product that you are installing is supported in the Updates folder. You must deploy the rest of
the customization .msp files for a product after the Office installation is completed.
If you are deploying multiple Office 2010 products, such as Microsoft Office Professional Plus
2010 and Microsoft Visio Professional 2010, you can include one customization .msp file for
Office Professional Plus 2010 and one customization .msp file for Visio Professional 2010 in
the Updates folder. The customization .msp files that you place in the Updates folder will be
deployed first. Therefore, they must include any Setup customizations that cannot be changed
after the installation, for example, the installation location.
If you are deploying an initial installation of Office 2010 and you also want to deploy Office 2010
software updates, such as service packs and hotfixes, Setup can apply the product updates as
part of the installation process. You can place the Office 2010 product updates in the Updates
folder. In scenarios such as this where the Updates folder includes both one Setup
customization .msp file and product updates, Setup applies only the Setup customization .msp
file with the initial installation and the product updates are applied after the installation is
complete.
Setup uses XML data appended to the customization file to determine how to install the product,
for example, whether to run quietly or which features to display in the feature tree. Settings in a
customization file override the default settings contained in the Setup.xml and Package.xml files.
For more information about Setup customization files, see Streamlined customization model. For
information about how to use the OCT, see Office Customization Tool in Office 2010
(http://technet.microsoft.com/library/8faae8a0-a12c-4f7b-839c-24a66a531bb5(Office.14).aspx).
Config.xml file Each core product folder contains a Config.xml file that directs Setup to install that
product. You can edit Config.xml to customize the installation process. For example, you can use
elements in Config.xml to specify which products or languages to include in the installation.
Settings in Config.xml take precedence over settings in a customization file and default settings
contained in the Setup.xml and Package.xml files.
For more information about how and when to edit Config.xml, see Config.xml file in Office 2010
(http://technet.microsoft.com/library/e16af71c-fed4-40da-a886-95e596c3999e(Office.14).aspx).
Install Office
When the installation starts, Setup checks for required disk space and feature dependencies, and then
calls Windows Installer to install the correct set of packages (MSI files) on the user's computer from the
local installation source. Setup uses the XML data described previously to determine which set of MSI
files to include. The progress bar that Setup displays to users during the installation takes the whole
installation process into account. This includes applying customizations and software updates from the
Updates folder.
Note:
Although Setup uses Windows Installer to install Office, Windows Installer alone cannot install
the individual MSI files independent of Setup.
Note:
If you plan to deploy multiple Setup customization .msp patches, you can place only one Setup
customization .msp file for each Office 2010 product in the Updates folder for an initial
installation; only one customization patch per product is supported there. You must deploy the
rest of the customization .msp files after the Office installation is complete. The customization
.msp file that you place in the Updates folder is deployed first, so it must include any Setup
customizations that cannot be changed after the installation, for example, the installation
location.
If you create different configurations for different groups of users, we recommend that you store the
customization files in another location and then use the /adminfile option on the Setup command line to
specify the file that you want. For example:
\\server\share\Office14\setup.exe /adminfile \\server\share\Office14\MyUpdates\Engineering.msp
where Office14 is the root of the network installation point.
Note:
When you precache the local installation source, Setup copies the Updates folder from the
network installation point to the local installation source. In this manner, your customizations
can be included in offline installation scenarios. This is the only circumstance in which Setup
caches the customization file on the local computer before the installation. For more
information, see Precache the local installation source for Office 2010
(http://technet.microsoft.com/library/ff0a01a5-33d8-407c-ac52-50edccb32786(Office.14).aspx).
perspective, the complete process is a single event. This model preserves the original installation point
and still lets you give new users the most up-to-date version of the product.
Note:
The Updates folder is used only for initial or new installations of Office 2010. The Updates
folder can contain only one Setup customization .msp patch, and multiple service packs and
hotfixes that are in .msp format only.
For more information about the software update process, see Consolidated update process.
Note:
When you copy multiple Office products to the same installation point, you might be prompted
to overwrite shared Setup files. Because these files are duplicated among all Office 2010
products, you do not need to recopy any of the duplicate folders. This efficient design saves
space and ensures consistency when you create and replicate network installation points.
Language-neutral design
In Office 2010 (and in the 2007 Office system), an Office product such as Office Professional Plus 2010
is organized as follows:
Language-neutral elements are grouped in one core package (MSI file).
Language-specific elements are organized in separate packages by application.
This arrangement of files simplifies international deployments. The most basic installation of an Office
product consists of the core package plus one language. Adding more languages is as simple as
copying additional Single Language Packs (SLPs) to the network installation point; all of them work with
the core product in exactly the same way. All language versions of Office, including the English language
version, are deployed in the same manner. Setup combines the language-neutral core package with the
language-specific packages in a seamless installation process.
Important:
The current Office 2010 release includes English, Chinese, French, German, Japanese,
Spanish, and Russian language sources only. Later releases will provide additional languages.
In this section:
Language versions of Office
Language packs for Office
You cannot deploy an individual application in Office 2010 by detaching the language-specific folder
that contains the individual MSI file, such as the Word.en-us folder. However, you can determine which
applications and features are installed on users' computers by customizing the installation.
Note:
None of the MSI files on an Office installation point can be installed independently by using
Windows Installer or any other method. Also, none of the digitally signed XML files (Setup.xml
and Package.xml) can be edited or altered. In Office 2010, Setup is required to collect the files
and installation information and to orchestrate the installation process.
Note:
In versions of Office earlier than the 2007 Office system, enterprise customers added
languages by deploying Multilanguage User Interface (MUI) packs after a U.S. English version
of Office was installed. Localized versions, such as the Japanese version of Office Standard
Edition, were not identical to the core version with a Japanese MUI pack. This design was
simplified and improved in the 2007 Office system and is the same in Office 2010.
Using the Office Customization Tool
You customize an Office installation by using the Office Customization Tool, a component of Setup,
which is included in volume licensed versions of Office 2010 client. Start the OCT by running Setup with
the /admin command-line option. By using the OCT, create a Setup customization file (.msp file), which
you place in the Updates folder in the network installation point. As mentioned previously, the Updates
folder is used only for initial or new installations of Office 2010, and only one customization patch in the
Updates folder is supported. A Setup customization file is an expanded form of a Windows Installer
.msp file. Each file is configured for a specific product, such as Office Professional Plus 2010 or
OneNote 2010. When you run Setup to install an Office product, Setup looks in the Updates folder for a
customization file that corresponds to the product that you are installing. As Setup installs the product, it
applies the customizations from this file. You can create more than one Setup customization file to
configure Office for different groups of users. When you run Setup, you specify the appropriate
customization file to use for each installation by using the Setup command-line option /adminfile, or by
using Config.xml (see Using the Config.xml file to customize Office).
For complete details on how to use the OCT to create a Setup customization file, see Office
Customization Tool in Office 2010 (http://technet.microsoft.com/library/8faae8a0-a12c-4f7b-839c-
24a66a531bb5(Office.14).aspx).
Note:
Office 2010 does not support side-by-side installations of 64-bit and 32-bit Office, including
across applications. For example, there is no support for side-by-side installations of the 2007
Office system 32-bit with Office 2010 64-bit, or for Microsoft SharePoint Workspace 2010 64-bit
and Microsoft Excel 2010 32-bit. You cannot use the Office 2010 customization tools to
configure side-by-side installations or customizations of 64-bit and 32-bit Office. For example,
you cannot create a custom side-by-side installation by using 64-bit Microsoft Office
Professional 2010 and 32-bit Visio 2010 single image. For more information about 64-bit Office
2010, see 64-bit editions of Office 2010 (http://technet.microsoft.com/library/faab55b2-bb6c-
4636-811e-24f6939548d1(Office.14).aspx).
For information about how to customize Setup, see Customize Setup before installing Office 2010
(http://technet.microsoft.com/library/9c14db60-b591-41f9-a94b-50627d2daa81(Office.14).aspx).
Note:
There are some customizations that Setup applies only when you are installing Office for the
first time. These include: specifying where to install Office on the user's computer, defining the
product key, and removing previous versions of Office applications. The OCT identifies which
customizations apply only to a new installation.
Note:
If you specify both a Setup customization file and the Config.xml file, the customizations that
you define in Config.xml take precedence over the same customizations in the customization
file.
For a complete description of the contents and format of the Config.xml file, see Config.xml file in Office
2010 (http://technet.microsoft.com/library/e16af71c-fed4-40da-a886-95e596c3999e(Office.14).aspx).
Using Setup command-line options
Setup recognizes only a few command-line options in Office 2010, as in the 2007 Office system. The
OCT is the primary tool for configuring Setup properties and specifying other customizations.
You can use Setup.exe commands to perform the following tasks:
Run the Office Customization Tool to create a Setup customization (.msp) file.
Apply the specified Setup customization file to the installation. For example, you can specify a path
of a specific customization file (.msp file) or to the folder where you store customization files.
Specify the Config.xml file that Setup uses during the installation.
Run Setup in maintenance mode and make changes to an existing Office installation.
Run Setup to repair the specified product from the user's computer.
Run Setup to remove the specified product from the user's computer.
For more information about the Setup.exe commands, see Setup command-line options for Office 2010
(http://technet.microsoft.com/library/0f489f42-4c01-41d1-8b52-3a2a2da8f731(Office.14).aspx). For
information about Windows Installer properties that were used in previous versions of Office, and about
properties that can be used when you install Office 2010, see Setup properties in Office 2010
(http://technet.microsoft.com/library/41f07f9b-f0d0-489d-a185-d7b96f21f561(Office.14).aspx).
Note:
Most of the Office 2010 policy settings are also available in the OCT (OPA settings). To
configure initial default settings in a Setup customization .msp file, administrators can use the
OCT. However, users can modify most of the settings after the installation. Use Group Policy if
you want to enforce specific configurations. Group Policy settings have precedence over OCT
settings.
Required local installation source
In Office 2010, Setup creates a local installation source on the user's computer as part of the default
installation process. Setup installs all Office 2010 products in a two-step process. First, Setup copies
compressed installation source files to the user's computer. Second, Setup calls Windows Installer to
perform the actual installation from the local installation source. After the installation is complete, the
local installation source remains available for any Setup operations that require access to an original
source. Minimum disk space requirements include the local installation source.
Note:
In Microsoft Office 2003, large organizations typically installed the product from an
administrative installation point; installing from a local installation source was optional. In
Office 2010, however, the administrative installation option no longer exists, and the local
installation source is a required part of the design.
The local installation source makes the process of distributing software updates more efficient and
reliable. Neither the network installation point nor the user's local installation source is ever updated
directly. Users' installations remain synchronized when they apply the client version of software
updates.
Additional benefits of having a complete installation source always available on the local computer
include the following:
You can deploy the local installation source to users before they install Office. This minimizes the
effect on the network and ensures that all users install the product and begin to use Office 2010
applications at exactly the same time.
Users can perform maintenance tasks, such as applying software updates, without being prompted
for their Office CD or a network source.
Traveling users, or users who have slow or intermittent network connections, can run Setup without
access to the network if they have a local installation source installed in advance.
These benefits come at minimal cost. Although the local installation source does use some hard disk
space, creating the local installation source and installing Office takes approximately the same amount
of time as installing Office by itself.
In this section:
Creating a local installation source on users' computers
Deploying the local installation source by itself
Each package that comprises an Office product (the language-neutral core package and one or
more language-specific packages) has a separate download code and is cached in a subfolder
under MSOCache\All Users. Setup always caches a complete local installation source, which includes
all the files associated with the product that is being installed. If the installation point includes multiple
languages, Setup caches only the packages for the languages that are installed on the user's
computer.
When additional Office products are installed on the user's computer, those products are cached in the
same local installation source.
Note:
If a user installs a second Office product on a different drive, Setup creates a second local
installation source at the root of that drive. In this scenario, shared files might be duplicated
between the two local installation sources. However, this design ensures that each local
installation source is complete and functions correctly.
Users cannot unintentionally delete the local installation source or remove it by using the Setup user
interface or the Windows Disk Cleanup Wizard. If the MSOCache folder is deleted or corrupted, Setup
automatically re-creates or repairs the folder the next time that a source is required. If users do not
have sufficient disk space, they are prompted to free some space. You can rely on the fact that every
user has access to a source when you distribute new updates or customizations.
Note:
Once the local installation source is created, its location on the user's computer is fixed. Unless
the user specifies a different drive, additional Office products installed later are always added to
the existing MSOCache\All Users folder.
For more information, see Run Setup from the local installation source to install Office 2010
(http://technet.microsoft.com/library/7897ccea-d9e2-4cdf-bb63-53090da8fd0d(Office.14).aspx).
Note:
You can use the Updates folder to incorporate the installation of updates with an initial
installation of the Office 2010 products. Only Windows Installer update files that are contained
in this folder are installed with the initial installation. Therefore, you must extract the updates
from Microsoft Self-Extractor packages. You can also place a Setup customization .msp patch
in the Updates folder to customize initial installations.
When you run Setup to install Office on a client computer, Setup looks in the Updates folder for
software updates and incorporates the updates automatically as it installs Office. If there are multiple
updates in the folder, Setup applies only those updates that are targeted at the Office product being
installed. If the Updates folder includes both a Setup customization .msp patch and product updates,
Setup applies only the Setup customization .msp patch with the initial installation and the product
updates are applied after the installation completes. Setup also applies the updates in the correct
sequential order. The result is that the user receives the latest updates with the new installation of
Office.
Tip:
To direct Setup to look for software updates in a folder other than the Updates folder, use the
SetupUpdates element in the Config.xml file. For more information, see SetupUpdates element
(http://technet.microsoft.com/library/e16af71c-fed4-40da-a886-95e596c3999e.aspx#ElementSetupUpdates) in Config.xml file in Office 2010
(http://technet.microsoft.com/library/e16af71c-fed4-40da-a886-95e596c3999e(Office.14).aspx).
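The checks this chapter describes, collected into one pre-flight script. This is an added example, not part of this guide and not Office Setup's own code: it enumerates the core product folders on a network installation point the way Setup does (by reading Configuration/@Product from the Config.xml in each product folder), reports whether the source is volume-license media (Admin folder present, so the OCT is available), locates the updates folder while honouring a SetupUpdates element in Config.xml, flags anything in that folder that is not an .msp and so will not be applied with the initial installation, and builds the Setup.exe /config and /adminfile command line. The Config.xml element and attribute names are the ones Office 2010 Setup uses; the product, folder and file names in the fixture (ProPlus.WW, MyUpdates, Engineering.msp and the rest) are constructed for the demonstration.

```python
"""Pre-flight check of an Office 2010 network installation point (added example,
not Microsoft's Setup code). It applies rules stated in this guide: Setup finds
products by reading Configuration/@Product from the Config.xml in each
<ProductId>.WW folder; an Admin folder means volume-license media (OCT
available); on an initial install only .msp files are applied from the Updates
folder, or from the folder named by SetupUpdates/@SUpdateLocation in Config.xml.
Fixture names are constructed. A customization .msp is not told apart from an
update .msp here; that needs the file's own metadata.
"""
from __future__ import annotations

import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class Plan:
    command: str = ""                 # Setup.exe command line to run
    volume_license: bool = False      # Admin folder present, so the OCT is available
    updates_folder: str = ""          # where Setup will look for .msp files
    msp_files: list[str] = field(default_factory=list)
    ignored: list[str] = field(default_factory=list)    # files Setup will not apply
    problems: list[str] = field(default_factory=list)


def discover_products(root: str) -> dict[str, str]:
    """Map product IDs to Config.xml paths by reading every <ProductId>.WW folder."""
    found: dict[str, str] = {}
    for name in sorted(os.listdir(root)):
        cfg = os.path.join(root, name, "Config.xml")
        if name.upper().endswith(".WW") and os.path.isfile(cfg):
            product = ET.parse(cfg).getroot().get("Product")
            if product:
                found[product] = cfg
    return found


def plan_install(root: str, product: str, adminfile: str | None = None) -> Plan:
    """Validate the installation point for one product and build its command line."""
    plan = Plan(volume_license=os.path.isdir(os.path.join(root, "Admin")))
    if not plan.volume_license:
        plan.problems.append("no Admin folder: retail media, the OCT is not available")
    products = discover_products(root)
    if product not in products:
        plan.problems.append(f"no core folder with a Config.xml for {product!r}; "
                             f"products found: {sorted(products)}")
        return plan
    config_xml = products[product]
    # A SetupUpdates element in Config.xml redirects the update search away from Updates.
    su = ET.parse(config_xml).getroot().find("SetupUpdates")
    location = su.get("SUpdateLocation") if su is not None else None
    plan.updates_folder = location or os.path.join(root, "Updates")
    if os.path.isdir(plan.updates_folder):
        for name in sorted(os.listdir(plan.updates_folder)):
            (plan.msp_files if name.lower().endswith(".msp") else plan.ignored).append(name)
    else:
        plan.problems.append(f"updates folder {plan.updates_folder} does not exist")
    for name in plan.ignored:
        plan.problems.append(f"{name} is not an .msp and will not be applied with the "
                             "initial installation; extract Self-Extractor packages first")
    if adminfile and not os.path.isfile(adminfile):
        plan.problems.append(f"customization file {adminfile} not found")
    parts = [os.path.join(root, "setup.exe"), "/config", config_xml]
    if adminfile:
        parts += ["/adminfile", adminfile]
    plan.command = " ".join(parts)
    return plan


def build_sample_install_point(root: str, volume_license: bool = True,
                               redirect_updates: bool = False) -> None:
    """Constructed fixture: the layout of an Office Professional Plus 2010
    installation point, with an empty stand-in for every file."""
    updates = os.path.join(root, "Patches" if redirect_updates else "Updates")
    setup_updates = (f'  <SetupUpdates CheckForSUpdates="Yes" SUpdateLocation="{updates}" />\n'
                     if redirect_updates else "")
    os.makedirs(os.path.join(root, "ProPlus.WW"))
    with open(os.path.join(root, "ProPlus.WW", "Config.xml"), "w", encoding="utf-8") as fh:
        fh.write('<Configuration Product="ProPlus">\n'
                 '  <Display Level="none" CompletionNotice="no" SuppressModal="yes" AcceptEula="yes" />\n'
                 + setup_updates + "</Configuration>\n")
    os.makedirs(updates)
    for name in ("ProPlus-baseline.msp", "SomeUpdate.exe"):   # constructed names
        open(os.path.join(updates, name), "w").close()
    os.makedirs(os.path.join(root, "MyUpdates"))
    open(os.path.join(root, "MyUpdates", "Engineering.msp"), "w").close()
    open(os.path.join(root, "setup.exe"), "w").close()
    if volume_license:
        os.makedirs(os.path.join(root, "Admin"))


def demo(product: str = "ProPlus", volume_license: bool = True,
         redirect_updates: bool = False) -> Plan:
    """Run the check against a temporary copy of the fixture."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_install_point(root, volume_license, redirect_updates)
        return plan_install(root, product, os.path.join(root, "MyUpdates", "Engineering.msp"))


if __name__ == "__main__":
    result = demo()
    print(result.command)
    for problem in result.problems:
        print("problem:", problem)
```

Run it as a script to see the command line and the problems found for the fixture, or call plan_install with the path of a real installation point. The script cannot tell a Setup customization .msp from a product-update .msp, so the one-customization-per-product rule for the Updates folder still has to be checked by hand.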
Note:
After Office is installed on a client computer, reinstalling Office reapplies only those software
updates that were applied with the original installation. If you have copied new software updates into
the Updates folder since then, they are not applied during the reinstallation.
See Also
Office Customization Tool in Office 2010 (http://technet.microsoft.com/library/8faae8a0-a12c-4f7b-839c-
24a66a531bb5(Office.14).aspx)
Config.xml file in Office 2010 (http://technet.microsoft.com/library/e16af71c-fed4-40da-a886-
95e596c3999e(Office.14).aspx)
Setup command-line options for Office 2010 (http://technet.microsoft.com/library/0f489f42-4c01-41d1-
8b52-3a2a2da8f731(Office.14).aspx)
Setup properties in Office 2010 (http://technet.microsoft.com/library/41f07f9b-f0d0-489d-a185-
d7b96f21f561(Office.14).aspx)
Setup changes introduced in the 2007 Office system (http://technet.microsoft.com/library/5623705c-
ac5c-453c-a623-385b08b28b31(Office.14).aspx)
Customization overview for Office 2010 (http://technet.microsoft.com/library/72a93ebf-389a-491a-94c8-
d7da02642139(Office.14).aspx)
Plan a migration and upgrade strategy for
Office 2010
This section provides information about how to plan the installation of the Microsoft Office 2010 suites,
and how to migrate user data, such as user and computer settings and documents created with
the previously installed versions of Microsoft Office.
In this section:
Plan an upgrade to Office 2010: Describes the upgrade process for Microsoft Office 2010, including the
various upgrade options and data migration paths.
Migrate user data registry keys in Office 2010: Lists the registry keys that are migrated when you use
either the in-place upgrade or the uninstall-upgrade of Office 2010.
Choose an option for deploying Office 2010: Describes the options you can use to deploy Office 2010,
including network share, Group Policy startup scripts, managed deployment, application virtualization,
and presentation virtualization.
Plan an upgrade to Office 2010
This article describes the upgrade process for Microsoft Office 2010, including the various upgrade
options and data migration paths.
In this article:
Overview of the upgrade process
Compare upgrade options and understand data migration
Migrate documents
The process of upgrading to Office 2010 can be divided into two primary tasks:
Install the new Microsoft Office 2010 suites.
Migrate the user data, such as user and computer settings and documents created with the
previously installed version of Microsoft Office.
When you plan an upgrade strategy, first decide on the option for upgrading to Office 2010 that is best
for the organization. The upgrade type then helps determine the available choices for data migration
and how data migration is performed.
New operating system upgrade: Migration is performed after the new operating system and Office 2010
are installed.
Migration of data to Office 2010 includes both the user and computer settings and the documents that
were created from earlier versions of Office. For a list of the registry keys that are migrated, see Migrate
user data registry keys in Office 2010.
The documents created from the previously installed version of Office remain on the computers in their
current formats and can be migrated or converted, as needed, at another time if an in-place upgrade or
uninstall upgrade is used. When performing a new operating system upgrade, you must move the
documents from the source computers to a migration store before you install the new operating system
and upgrade the computers to Office 2010.
After you decide on the best option for the organization, you have to determine the best migration
strategy for the documents created by using earlier versions of Office.
Important:
Migration to Office 2010 is currently not supported by using either the User State Migration Tool
(USMT) version 4.0, or the Microsoft Deployment Toolkit (MDT) 2010. We recommend that you
do not attempt to use either tool for your Office 2010 migration at this time. This article will be
updated when a fix is available.
Migrate documents
The following diagram shows the tasks involved in planning to migrate documents to Office 2010.
See Also
Migrate user data registry keys in Office 2010
Migrate user data registry keys in Office 2010
This article lists the registry keys and files for Microsoft Office 2003 and 2007 Microsoft Office system
applications that are included in, or excluded from, migration when you use either the in-place upgrade
or the uninstall-upgrade option.
Important:
Migration to Office 2010 is currently not supported by using either the User State Migration Tool
(USMT) version 4.0, or the Microsoft Deployment Toolkit (MDT) 2010. We recommend that you
do not attempt to use either tool for your Office 2010 migration at this time. This article will be
updated when a fix is available.
In this article:
Microsoft Office 2003 settings
Microsoft Office 2007 settings
Microsoft Office 2003 settings
HKCU\Software\Microsoft\Office\Common\* [*]
HKCU\Software\Microsoft\Office\11.0\* [*]
HKCU\Software\Microsoft\Office\11.0\Common\Internet\* [*]
%APPDATA%\Microsoft\Office [*.acl]
%APPDATA%\Microsoft\Office\Recent [*]
%APPDATA%\Microsoft\Proof\* [*]
HKCU\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{4FFB3E8B-AE75-48F2-BF13-D0D7E93FA8F9}\* [*]
HKCU\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{64AB6C69-B40E-40AF-9B7F-F5687B48E2B6}\* [*]
HKCU\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{87EF1CFE-51CA-4E6B-8C76-E576AA926888}\* [*]
Common Settings <exclude>
HKCU\Software\Microsoft\Office\11.0\Common\Internet [LocationOfComponents]
HKCU\Software\Microsoft\Office\11.0\Common\Internet [UseRWHlinkNavigation]
HKCU\Software\Microsoft\Office\11.0\Common\LanguageResources [SKULanguage]
HKCU\Software\Microsoft\Office\Access\* [*]
HKCU\Software\Microsoft\Office\11.0\Access\* [*]
HKCU\Software\Microsoft\Office\11.0\CMA\* [*]
%APPDATA%\Microsoft\Office [Access11.pip]
HKCU\Software\Microsoft\Office\11.0\Access\Settings [MRU*]
HKCU\Software\Microsoft\Office\11.0\Common\LanguageResources [SKULanguage]
HKCU\Software\Microsoft\Office\11.0\Excel\* [*]
%APPDATA%\Microsoft\Excel\ [EXCEL11.xlb]
%APPDATA%\Microsoft\Office\ [EXCEL11.pip]
Excel 2003 <exclude>
HKCU\Software\Microsoft\FrontPage\* [*]
%APPDATA%\Microsoft\FrontPage\State [CmdUI.PRF]
%APPDATA%\Microsoft\Office [fp11.pip]
%APPDATA%\Microsoft\FrontPage\Snippets [FPSnippetsCustom.xml]
HKCU\Software\Microsoft\FrontPage [WecErrorLog]
HKCU\Software\Microsoft\Office\%OFFICEVERSION%\Common\LanguageResources [SKULanguage]
HKCU\software\Microsoft\Office\%OFFICEVERSION%\OneNote\* [*]
%APPDATA%\Microsoft\Office\ [OneNot11.pip]
%APPDATA%\Microsoft\OneNote\ [Preferences.dat]
%APPDATA%\Microsoft\OneNote\ [Toolbars.dat]
OneNote 2003 <exclude>
HKCU\software\Microsoft\Office\%OFFICEVERSION%\OneNote\Options\Save\ [BackupLastAutoBackupTime]
HKCU\software\Microsoft\Office\%OFFICEVERSION%\OneNote\Options\Save\ [BackupFolderPath]
HKCU\software\Microsoft\Office\%OFFICEVERSION%\OneNote\General\ [LastCurrentFolderForBoot]
HKCU\Software\Microsoft\Office\11.0\Common\LanguageResources [SKULanguage]
HKCU\Software\Microsoft\Office\Outlook\* [*]
HKCU\Software\Microsoft\Office\11.0\Outlook\* [*]
HKCU\Software\Microsoft\Office\11.0\Outlook\Journal\* [*]
%APPDATA%\Microsoft\Signatures\* [*]
%CSIDL_LOCAL_APPDATA%\Microsoft\FORMS [frmcache.dat]
%APPDATA%\Microsoft\Outlook [outcmd11.dat]
%APPDATA%\Microsoft\Outlook [outcmd.dat]
%APPDATA%\Microsoft\Outlook [views.dat]
%APPDATA%\Microsoft\Outlook [OutlPrint]
%APPDATA%\Microsoft\Office [MSOut11.pip]
%APPDATA%\Microsoft\Outlook [*.rwz]
%APPDATA%\Microsoft\Outlook [*.srs]
%APPDATA%\Microsoft\Outlook [*.NK2]
%APPDATA%\Microsoft\Outlook [*.xml]
HKCU\Software\Microsoft\Exchange\* [*]
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\* [*]
HKCU\Software\Microsoft\Office\11.0\Outlook [FirstRunDialog]
HKCU\Software\Microsoft\Office\11.0\PowerPoint\* [*]
HKCU\Software\Microsoft\Office\11.0\PowerPoint\RecentFolderList [Default]
HKCU\Software\Microsoft\Office\11.0\PowerPoint\RecentFolderList\* [*]
HKCU\Software\Microsoft\Office\%OFFICEVERSION%\Common\LanguageResources [SKULanguage]
%APPDATA%\Microsoft\Office [MSProj11.pip]
HKCU\Software\Microsoft\Office\%OFFICEVERSION%\MS Project\Recent Templates\* [*]
HKCU\Software\Microsoft\Office\11.0\Common\LanguageResources [SKULanguage]
HKCU\Software\Microsoft\Office\11.0\Publisher\* [*]
%APPDATA%\Microsoft\Office [*.acl]
%APPDATA%\Microsoft\Publisher [pubcmd.dat]
%APPDATA%\Microsoft\Office\ [*.jsp]
HKCU\software\Microsoft\Office\%OFFICEVERSION%\Visio\* [*]
CSIDL_APPDATA\Microsoft\Office\[Visio11.pip]
CSIDL_LOCAL_APPDATA\Microsoft\Visio\ [content.dat]
Visio 2003 <exclude>
HKCU\software\Microsoft\Office\%OFFICEVERSION%\Visio\Application\ [LastFile*]
HKCU\software\Microsoft\Office\%OFFICEVERSION%\Visio\Application\ [MyShapesPath]
HKCU\software\Microsoft\Office\%OFFICEVERSION%\Visio\Application\ [UserDictionaryPath1]
HKCU\Software\Microsoft\Office\11.0\Common\LanguageResources [SKULanguage]
HKCU\Software\Microsoft\Office\11.0\Word\* [*]
%APPDATA%\Microsoft\Templates [Normal.dot]
%APPDATA%\Microsoft\Office [Word11.pip]
%APPDATA%\Microsoft\Office [WordMa11.pip]
HKCU\Software\Microsoft\Office\11.0\Word\Options [PROGRAMDIR]
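To see which of the objects above actually travel with a user (the Outlook autocomplete cache, signatures and MAPI profiles are the ones most worth checking before a migration), the entries can be evaluated against concrete registry values and files. The following is an added example, not Microsoft or USMT code: it parses entries in the form shown in these lists, expands the %OFFICEVERSION% and %APPDATA% placeholders, and classifies an object as included, excluded, or not migrated. It uses a handful of the Office 2003 entries from this article. Assumptions of the example, not statements of the article: unlabelled entries are treated as includes, any matching exclude wins over an include (USMT's own precedence rules are more detailed), an entry with no bracketed part means [*], and the placeholder values are constructed.

```python
"""Evaluate migration include/exclude entries, in the form listed in this
article, against concrete registry values and files (added example, not
Microsoft or USMT code). Entry syntax as it appears on this page:
'<container> [<leaf pattern>]'. A container ending in '\\*' covers that key or
folder and everything beneath it; otherwise only that container. The leaf
pattern names a registry value or file and may use '*' wildcards.
Assumptions: no bracketed part means '[*]'; any matching exclude wins over any
include; %NAME% placeholders are expanded from VARIABLES, whose values are
constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

_ENTRY = re.compile(r"^\s*(?P<container>.*?)\s*(?:\[(?P<leaf>[^\]]*)\])?\s*$")


@dataclass(frozen=True)
class Rule:
    container: str        # expanded, lower-case, no trailing backslash
    recursive: bool       # entry ended in '\*'
    leaf: re.Pattern      # wildcard for the value or file name
    exclude: bool


def expand(text: str, variables: dict[str, str]) -> str:
    """Replace %NAME% placeholders; unknown names are left as written."""
    return re.sub(r"%([A-Za-z_]+)%",
                  lambda m: variables.get(m.group(1).upper(), m.group(0)), text)


def _wildcard(pattern: str) -> re.Pattern:
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def parse_rule(entry: str, variables: dict[str, str], exclude: bool) -> Rule:
    m = _ENTRY.match(entry)
    container = expand(m.group("container"), variables).rstrip("\\")
    recursive = container.endswith("\\*")
    if recursive:
        container = container[:-2]
    leaf = m.group("leaf") if m.group("leaf") is not None else "*"
    return Rule(container.lower(), recursive, _wildcard(leaf.strip()), exclude)


def _matches(rule: Rule, container: str, leaf: str) -> bool:
    c = container.rstrip("\\").lower()
    in_scope = (c == rule.container or
                (rule.recursive and c.startswith(rule.container + "\\")))
    return in_scope and rule.leaf.match(leaf) is not None


def classify(rules: list[Rule], container: str, leaf: str,
             variables: dict[str, str]) -> str:
    """'excluded', 'included' or 'not migrated' for one value or file."""
    hits = [r for r in rules if _matches(r, expand(container, variables), leaf)]
    if any(r.exclude for r in hits):
        return "excluded"
    return "included" if hits else "not migrated"


# Constructed variable values; OFFICEVERSION selects the Office 2003 (11.0) lists.
VARIABLES = {"OFFICEVERSION": "11.0",
             "APPDATA": r"C:\Users\alice\AppData\Roaming"}

# Entries copied from this article. The include entries come from its unlabelled
# blocks (assumed to be includes); the exclude entries are the ones the page
# labels 'Common Settings <exclude>' and 'OneNote 2003 <exclude>'.
INCLUDE = [
    r"HKCU\Software\Microsoft\Office\Common\* [*]",
    r"HKCU\Software\Microsoft\Office\11.0\* [*]",
    r"%APPDATA%\Microsoft\Office [*.acl]",
    r"%APPDATA%\Microsoft\Office\Recent [*]",
    r"HKCU\software\Microsoft\Office\%OFFICEVERSION%\OneNote\* [*]",
]
EXCLUDE = [
    r"HKCU\Software\Microsoft\Office\11.0\Common\Internet [LocationOfComponents]",
    r"HKCU\Software\Microsoft\Office\11.0\Common\Internet [UseRWHlinkNavigation]",
    r"HKCU\Software\Microsoft\Office\11.0\Common\LanguageResources [SKULanguage]",
    r"HKCU\software\Microsoft\Office\%OFFICEVERSION%\OneNote\Options\Save\ [BackupFolderPath]",
]
RULES = ([parse_rule(e, VARIABLES, False) for e in INCLUDE] +
         [parse_rule(e, VARIABLES, True) for e in EXCLUDE])


def audit(objects: list[tuple[str, str]]) -> dict[tuple[str, str], str]:
    """Classify several (container, leaf) objects against RULES."""
    return {obj: classify(RULES, obj[0], obj[1], VARIABLES) for obj in objects}


if __name__ == "__main__":
    sample = [  # constructed objects
        (r"HKCU\Software\Microsoft\Office\11.0\Common\Internet", "LocationOfComponents"),
        (r"HKCU\Software\Microsoft\Office\11.0\Common\Internet", "ProxyFlag"),
        (r"HKCU\software\microsoft\office\11.0\OneNote\Options\Save", "BackupFolderPath"),
        (r"%APPDATA%\Microsoft\Office", "MSO1033.acl"),
        (r"HKCU\Software\Microsoft\Office\12.0\Excel", "Options"),
    ]
    for obj, verdict in audit(sample).items():
        print(f"{verdict:13} {obj[0]} [{obj[1]}]")
```

Matching is case-insensitive and ignores a trailing backslash, since the entries on this page mix "Software" and "software" and some end in a backslash before the bracket. To check the Office 2007 lists instead, set OFFICEVERSION to 12.0 and load the 12.0 entries.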
Microsoft Office 2007 settings
HKCU\Software\Microsoft\Office\Common\* [*]
HKCU\Software\Microsoft\Office\12.0\Common\* [*]
%APPDATA%\Microsoft\Office [*.acl]
%APPDATA%\Microsoft\Office\Recent [*]
%APPDATA%\Microsoft\Templates\* [*]
%APPDATA%\Microsoft\Proof\* [*]
%APPDATA%\Microsoft\UProof\* [*]
HKCU\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{4FFB3E8B-AE75-48F2-BF13-D0D7E93FA8F9}\* [*]
HKCU\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{64AB6C69-B40E-40AF-9B7F-F5687B48E2B6}\* [*]
HKCU\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{87EF1CFE-51CA-4E6B-8C76-E576AA926888}\* [*]
HKCU\Software\Microsoft\Office\12.0\Common\Internet [LocationOfComponents]
HKCU\Software\Microsoft\VBA\6.0\Common
%CSIDL_LOCAL_APPDATA%\Microsoft\Office [*.qat]
%APPDATA%\Microsoft\Office [Access11.pip]
HKCU\Software\Microsoft\Office\Access\* [*]
HKCU\Software\Microsoft\Office\12.0\Access\* [*]
HKCU\Software\Microsoft\Office\12.0\CMA\* [*]
HKCU\Software\Microsoft\Office\12.0\Access\Settings [MRU*]
Excel 2007 <include>
HKCU\Software\Microsoft\Office\12.0\Excel\* [*]
%APPDATA%\Microsoft\Excel\ [EXCEL11.xlb]
%APPDATA%\Microsoft\Office\ [EXCEL11.pip]
HKCU\Software\Microsoft\Office\%OFFICEVERSION%\OneNote\* [*]
%APPDATA%\Microsoft\Office\ [OneNot12.pip]
%APPDATA%\Microsoft\OneNote\%OFFICEVERSION%\ [Preferences.dat]
%APPDATA%\Microsoft\OneNote\%OFFICEVERSION%\ [Toolbars.dat]
HKCU\Software\Microsoft\Office\%OFFICEVERSION%\OneNote\General\ [LastMyDocumentsPathUsed]
HKCU\Software\Microsoft\Office\%OFFICEVERSION%\OneNote\Options\Paths\ [BackupFolderPath]
HKCU\Software\Microsoft\Office\Outlook\* [*]
HKCU\Software\Microsoft\Office\12.0\Outlook\* [*]
HKCU\Software\Microsoft\Office\12.0\Common\Toolbars\Settings [Microsoft Outlook]
%APPDATA%\Microsoft\Signatures\* [*]
%CSIDL_LOCAL_APPDATA%\Microsoft\FORMS [frmcache.dat]
%APPDATA%\Microsoft\Outlook [outcmd11.dat]
%APPDATA%\Microsoft\Outlook [outcmd.dat]
%APPDATA%\Microsoft\Outlook [views.dat]
%APPDATA%\Microsoft\Outlook [OutlPrint]
%APPDATA%\Microsoft\Office [MSOut11.pip]
HKCU\Software\Microsoft\Exchange\* [*]
%APPDATA%\Microsoft\Outlook [*.rwz]
%APPDATA%\Microsoft\Outlook [*.srs]
%APPDATA%\Microsoft\Outlook [*.NK2]
%APPDATA%\Microsoft\Outlook [*.xml]
HKCU\Software\Microsoft\Office\12.0\Outlook\Journal\* [*]
HKCU\Software\Microsoft\Office\12.0\Outlook [FirstRunDialog]
PowerPoint 2007 <include>
HKCU\Software\Microsoft\Office\12.0\PowerPoint\* [*]
HKCU\Software\Microsoft\Office\12.0\PowerPoint\RecentFolderList [Default]
%APPDATA%\Microsoft\PowerPoint [PPT11.pcb]
%APPDATA%\Microsoft\Office [PowerP11.pip]
HKCU\Software\Microsoft\Office\12.0\PowerPoint\RecentFolderList\* [*]
%APPDATA%\Microsoft\Office [MSProj12.pip]
HKCU\Software\Microsoft\Office\12.0\Publisher\* [*]
%APPDATA%\Microsoft\Office [*.acl]
%APPDATA%\Microsoft\Publisher [pubcmd.dat]
%APPDATA%\Microsoft\Office [Publis11.pip]
%APPDATA%\Microsoft\Office\ [*.jsp]
HKCU\software\Microsoft\Office\%OFFICEVERSION%\Visio\* [*]
%APPDATA%\Microsoft\Office\ [Visio12.pip]
%CSIDL_LOCAL_APPDATA%\Microsoft\Visio\ [content.dat]
HKCU\software\Microsoft\Office\%OFFICEVERSION%\Visio\Application\ [LastFile*]
HKCU\software\Microsoft\Office\%OFFICEVERSION%\Visio\Application\ [MyShapesPath]
HKCU\software\Microsoft\Office\%OFFICEVERSION%\Visio\Application\ [UserDictionaryPath1]
HKCU\Software\Microsoft\Office\12.0\Word\* [*]
%APPDATA%\Microsoft\Templates\* [*]
%APPDATA%\Microsoft\QuickStyles\* [*]
%APPDATA%\Microsoft\Bibliography\* [*]
%APPDATA%\Microsoft\Office [Word11.pip]
%APPDATA%\Microsoft\Office [WordMa11.pip]
Word 2007 <exclude>
HKCU\Software\Microsoft\Office\12.0\Word\Data [PROGRAMDIR]
HKCU\Software\Microsoft\Office\12.0\Word\Options [PROGRAMDIR]
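The migration rules above share one notation: a registry key or a folder, optionally ending in \* to cover subkeys or subfolders, followed by a bracketed value-name or file-name pattern, under headers that mark each group as <include> or <exclude>. Because the migrated state carries items such as Outlook autocomplete caches (*.NK2), signatures and VBA settings, it helps to answer mechanically which rule, if any, covers a given item before user state is moved between machines. The following Python is added here as an example and is not taken from the planning guide or from any Microsoft migration tool. It parses that notation and evaluates it against a constructed user environment. The sample rule set is assembled from entries in the list above, grouped under two of its headers for illustration; the path values are constructed; and two points are assumptions made here rather than documented behaviour: an item migrates when an include rule covers it and no exclude rule does, and a rule with no bracketed pattern is read as [*].

```python
"""Parse the "<location> [<pattern>]" migration-rule notation and test what a rule set covers."""
from __future__ import annotations
import fnmatch
import re
from dataclasses import dataclass

REGISTRY_HIVES = ("HKCU", "HKLM", "HKCR", "HKU", "HKCC")
HEADER_RE = re.compile(r"^(?P<app>.+?)\s*<(?P<mode>include|exclude)>\s*$", re.IGNORECASE)
RULE_RE = re.compile(r"^(?P<loc>.*?)\s*(?:\[(?P<pat>[^\]]*)\])?\s*$")
TOKEN_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%|\b(CSIDL_[A-Z_]+)")  # %VAR% or bare CSIDL_*

@dataclass(frozen=True)
class Rule:
    section: str     # header the rule sits under, e.g. "Excel 2007"
    mode: str        # "include" or "exclude"
    kind: str        # "registry" or "file"
    location: str    # key or folder, with any trailing "\" or "\*" removed
    recursive: bool  # True when the location ended in "\*" (subkeys/subfolders too)
    pattern: str     # value-name or file-name glob; "*" when none was given (assumption)

def classify(location: str) -> str:
    head = location.split("\\", 1)[0].upper()
    if head in REGISTRY_HIVES:
        return "registry"
    if head.startswith("%") or head.startswith("CSIDL_"):
        return "file"
    raise ValueError(f"unrecognised location root: {location!r}")

def parse_rules(text: str) -> list[Rule]:
    rules: list[Rule] = []
    section, mode = "", "include"  # assumption: rules before any header are includes
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.isdigit():  # skip blank lines and stray page numbers
            continue
        header = HEADER_RE.match(line)
        if header:
            section, mode = header["app"], header["mode"].lower()
            continue
        m = RULE_RE.match(line)
        loc, pat = m["loc"], m["pat"]
        recursive = loc.endswith("\\*")
        loc = (loc[:-2] if recursive else loc).rstrip("\\")
        rules.append(Rule(section, mode, classify(loc), loc, recursive, pat or "*"))
    return rules

def expand(location: str, env: dict[str, str]) -> str:
    """Substitute %VAR% and bare CSIDL_* tokens from env (keys given without percent signs)."""
    def sub(m: re.Match) -> str:
        return env[m.group(1) or m.group(2)]  # KeyError if the environment lacks a token
    return TOKEN_RE.sub(sub, location)

def _norm(path: str) -> str:
    # Registry keys and Windows paths compare case-insensitively.
    return path.replace("/", "\\").rstrip("\\").lower()

def rule_matches(rule: Rule, kind: str, container: str, name: str, env: dict[str, str]) -> bool:
    if rule.kind != kind:
        return False
    base, cont = _norm(expand(rule.location, env)), _norm(container)
    in_scope = cont == base or (rule.recursive and cont.startswith(base + "\\"))
    return in_scope and fnmatch.fnmatchcase(name.lower(), rule.pattern.lower())

def is_migrated(rules: list[Rule], kind: str, container: str, name: str, env: dict[str, str]) -> bool:
    # Assumption: an item migrates when an include rule covers it and no exclude rule does.
    hits = [r for r in rules if rule_matches(r, kind, container, name, env)]
    return any(r.mode == "include" for r in hits) and not any(r.mode == "exclude" for r in hits)

def whole_tree_rules(rules: list[Rule]) -> list[Rule]:
    """Recursive rules with a bare "*" pattern carry an entire subtree and deserve review."""
    return [r for r in rules if r.recursive and r.pattern == "*"]

# Constructed sample: entries from the list above, grouped under two of its headers for
# illustration; the "31" line mimics a stray page number.
SAMPLE_RULES = r"""Excel 2007 <include>
HKCU\Software\Microsoft\Office\12.0\Excel\* [*]
%APPDATA%\Microsoft\Excel\ [EXCEL11.xlb]
%APPDATA%\Microsoft\Office\ [EXCEL11.pip]
HKCU\Software\Microsoft\Office\11.0\Common\LanguageResources [SKULanguage]
%APPDATA%\Microsoft\Office [*.acl]
CSIDL_APPDATA\Microsoft\Office\[Visio11.pip]
HKCU\Software\Microsoft\VBA\6.0\Common
31
Word 2007 <exclude>
HKCU\Software\Microsoft\Office\12.0\Word\Data [PROGRAMDIR]
HKCU\Software\Microsoft\Office\12.0\Word\Options [PROGRAMDIR]
"""

# Constructed environment for one user; CSIDL_* keys are given without percent signs.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "CSIDL_APPDATA": r"C:\Users\alice\AppData\Roaming",
}
```

Calling is_migrated(parse_rules(SAMPLE_RULES), "registry", r"HKCU\Software\Microsoft\Office\12.0\Excel\Options", "DefaultPath", ENV) returns True because the recursive Excel\* rule covers every subkey, while the same value under LanguageResources\Sub returns False because that rule is not recursive. whole_tree_rules lists the rules that carry a complete subtree, which is the first place to look when deciding whether a rule set moves more user state than intended.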
Choose an option for deploying Office 2010
You can use five areas of functionality to deploy Microsoft Office 2010: network share, Group Policy
startup scripts, managed deployment, application virtualization, and presentation virtualization. You can
use any of these options or a combination of them, such as the managed deployment option to deploy
and manage virtual Office 2010 applications. We do not support Office 2010 deployment by means of
Group Policy Software Installation (GPSI). A workable alternative to GPSI is to assign computer startup
scripts. This article describes each of the deployment options.
For a visual representation of the deployment options, see Deployment Options for Microsoft Office
2010 (http://go.microsoft.com/fwlink/?LinkId=168621), which includes diagrams, descriptions,
advantages, limitations, recommendations, and tools.
Deployment options
Determine which of the following deployment options works best for your organization.
Network share
A simple way to deploy Office 2010 is to create a network installation point and copy the contents of the
Microsoft Office CD onto the network share. Make sure that the network share is accessible to the
targeted users and computers.
Managed deployment
Administrators can use change and configuration management software, such as Microsoft System
Center Essentials and Microsoft System Center Configuration Manager, to deploy Office 2010
applications. The choice of System Center Essentials or Configuration Manager depends in part on the
size of your organization.
Application virtualization
Administrators can use Microsoft Application Virtualization (App-V) as part of a deployment option to
allow users to run Office 2010 applications on their desktops. Microsoft Application Virtualization
streams applications on demand to the desktop, from which the application is run. However, the
application is not installed on the desktop.
Presentation virtualization
Administrators can use Windows Server 2008 Terminal Services as a deployment option to allow users
to operate the Office 2010 applications from their workstations. Terminal Services is run on a shared
server and presents the application user interface on a remote system, such as a local workstation.
Microsoft Application Virtualization for Terminal Services allows for the optimization of the Office 2010
application through the sequencing process of application virtualization and then uses Terminal
Services to deliver the application as a presentation virtualization.
Plan desktop configurations for Office 2010
This section provides information and guidelines about items to consider before you deploy Microsoft
Office 2010.
In this section:
Article - Description
Plan for Outlook 2010 - Guides you through the things to consider when you deploy Microsoft Outlook 2010.
Plan for spelling checker settings in Office 2010 - Describes how to use either Group Policy or the Office Customization Tool (OCT) to manage the behavior of spelling checker in Office 2010.
Plan for SharePoint Workspace 2010 - Describes how to plan a deployment of Microsoft SharePoint Workspace 2010.
Plan customizations and options for Visio 2010 - Describes some of the customizations and options that are available in Microsoft Visio 2010.
Plan security for Office 2010 - Describes several new security controls in Office 2010 that help you plan a robust defense against threats while maintaining information worker productivity.
Plan Group Policy for Office 2010 - Provides information about how to use Group Policy to configure and enforce settings for Office 2010 applications.
Plan for multilanguage deployment of Office 2010 - Discusses planning considerations for deploying Office 2010 with multiple languages.
Plan for virtualization for Office 2010 - Describes what virtualization is, how you can use virtualization in your organization, and which method and type is best for your environment.
Plan for Remote Desktop Services (Terminal Services) - Provides information about how to plan the deployment of Office 2010 by using Remote Desktop Services (Terminal Services).
Plan for accessibility in Office 2010 - Provides an overview of the Microsoft Office Accessibility Checker, which can make Office 2010 products more accessible to users who have disabilities.
Plan for OneNote 2010
This article provides information about the planning process for deploying Microsoft OneNote 2010.
In this article:
Planning overview
Evaluate your organization's requirements
Review changes in OneNote 2010
Review migration considerations
Plan OneNote upgrades
Plan for OneNote Web App
Considerations for using OneNote with SharePoint products
Planning overview
The following figure summarizes the planning steps for deploying OneNote 2010 in the enterprise.
Evaluate your organization's requirements
The planning process typically begins with an evaluation of your current environment to help determine
your organization's requirements. Issues to consider include the following:
Ensuring that computers meet the system requirements for Microsoft Office 2010.
Whether you are upgrading from an earlier version of the product.
Migration considerations, such as file formats and user data settings migration.
Security considerations, such as whether to prevent users from sharing documents across the
Internet.
Multilanguage requirements.
Security considerations
To help you plan for Office 2010 application security in your organization, you will find information about
security threats and the new security controls that are available in Office 2010 in these articles: Security
overview for Office 2010, Understand security threats and countermeasures for Office 2010, and Plan
security for Office 2010.
Multilanguage requirements
The Office 2010 language-neutral architecture simplifies deployment in multiple languages. An Office
2010 product, such as Microsoft Office Professional Plus 2010, consists of a language-neutral core
package plus one or more language-specific packages. For information about how to deploy Office
2010 applications in multiple languages, see Plan for multilanguage deployment of Office 2010, and
Customize language setup and settings for Office 2010 (http://technet.microsoft.com/library/1c423975-
1848-4060-999c-cafcadf3047d(Office.14).aspx).
Review changes in OneNote 2010
As part of planning for OneNote 2010, you should review the changes in the current release. For a
description of what is new, what is changed, and what is removed in OneNote 2010, see Changes in
OneNote 2010 (http://technet.microsoft.com/library/8f57bbaa-c01b-42f8-a6f2-
cc92e449d1c2(Office.14).aspx).
To change the format of a notebook, right-click the notebook on the navigation bar, and then select
Properties. In the Notebook Properties dialog, you can change the notebook format from Office
OneNote 2007 to OneNote 2010, and you can also convert it back to the Office OneNote 2007 format.
System requirements for Office Web Apps
The following table lists the system requirements for Office Web Apps.
Resource - Description
Microsoft Office Web Apps (Beta) (http://go.microsoft.com/fwlink/?LinkId=183997) - Download for Office Web Apps.
Understanding Office Web Apps (Installed on SharePoint 2010 Products) (http://go.microsoft.com/fwlink/?LinkId=185473) - Information to help you understand an Office Web Apps on-premises solution and how it can benefit users in your organization.
Planning Office Web Apps (Installed on SharePoint 2010 Products) (http://go.microsoft.com/fwlink/?LinkId=185475) - Information to help you plan an Office Web Apps on-premises solution in your organization.
Deploy Office Web Apps (Installed on SharePoint 2010 Products) (http://go.microsoft.com/fwlink/?LinkId=185483) - Information to help you deploy Office Web Apps in your organization.
Manage Office Web Apps (Installed on SharePoint 2010 Products) (http://go.microsoft.com/fwlink/?LinkId=185498) - Information to help you manage Office Web Apps in your organization.
Versioning
Unlike Microsoft Word 2010 and Microsoft PowerPoint 2010, OneNote 2010 stores version information
within the OneNote file itself. For this reason, administrators should follow these recommended
practices when storing OneNote notebooks in a SharePoint Server 2010 document library:
Do not enable minor versioning. This is the default setting in SharePoint Server 2010.
If major versioning is enabled, we recommend that you set a reasonable maximum number of
versions to store. The complete version history of the file is stored in each major version that
SharePoint creates, which can result in sub-optimal storage efficiency. If you want to enable major
versions, we recommend that you select the Keep the following number of major versions
setting. This prevents an unbounded number of versions from being created because of prolonged
editing of the file, which could exceed the site storage quota. By default, major versioning is not
enabled in SharePoint Server 2010.
For more information about how to plan for version control and check-out, see Versioning, content
approval, and check-out planning (SharePoint Server 2010)
(http://go.microsoft.com/fwlink/?LinkId=186210).
Mixed Environment with Microsoft Office OneNote 2007
OneNote 2010 is compatible with the Office OneNote 2007 file format and supports co-authoring with
Office OneNote 2007 users. In mixed environments, notebooks must be saved in the Office OneNote
2007 file format so that Office OneNote 2007 and OneNote 2010 users can work together on the
notebook. By upgrading to the OneNote 2010 file format, however, users gain a number of key
features, including compatibility with the OneNote Web App, which allows users without the full version
of OneNote installed to edit and co-author notebooks.
OneNote 2010 includes the ability to upgrade Office OneNote 2007 files to OneNote 2010 files at any
time, providing an easy upgrade path for organizations that are moving from a mixed environment to a
unified environment on Office 2010.
See Also
Changes in OneNote 2010 (http://technet.microsoft.com/library/8f57bbaa-c01b-42f8-a6f2-
cc92e449d1c2(Office.14).aspx)
Changes in Office 2010 (http://technet.microsoft.com/library/0dee24b3-09af-485b-b5ed-
d4b879dcc8f6(Office.14).aspx)
Deploy Office Web Apps (Installed on SharePoint 2010 Products)
(http://go.microsoft.com/fwlink/?LinkId=185483)
Microsoft OneNote 2010 Beta Help blog (http://go.microsoft.com/fwlink/?LinkId=167111)
Plan for Outlook 2010
An organization's messaging environment helps shape the Microsoft Outlook 2010 deployment. This
section provides information about planning to deploy Outlook 2010 and factors to consider when you
upgrade, install the application for the first time, plan for roaming or remote users, decide when to
install, and plan for security.
In this section:
Article - Description
Planning overview for Outlook 2010 - Provides an overview of the planning process and guides you through the factors to consider when you plan the deployment of Outlook 2010.
Determine when to install Outlook 2010 - Describes the requirements, advantages, and disadvantages of various strategies you can use in the deployment of Outlook 2010.
Determine which features to enable or customize in Outlook 2010 - Provides an initial list of some of the Microsoft Outlook features that you might need to configure and deploy with Microsoft Outlook 2010.
Plan an Exchange deployment in Outlook 2010 - Provides information to consider when you plan a Cached Exchange Mode deployment of Outlook 2010.
Plan to automatically configure user accounts in Outlook 2010 - Describes the two discovery mechanisms to automatically configure user accounts in Outlook 2010: Autodiscover and Common Settings Discover.
Plan for compliance and archiving in Outlook 2010 - Discusses the planning considerations to deploy Retention Policy and Personal Archive features with Outlook 2010 and Microsoft Exchange Server 2010.
Plan for security and protection in Outlook 2010 - Describes features in Outlook 2010 that can help keep an organization's e-mail messaging secure.
Planning overview for Outlook 2010
A close review of the organization's messaging requirements will help you plan the optimal Microsoft
Outlook 2010 deployment. This article guides you through the things to consider when you deploy
Outlook 2010.
In this article:
Determining an organization's needs
Choosing when and how to install Outlook
Security and privacy considerations
Upgrading from an earlier version of Outlook
Additional issues to consider when planning an upgrade
Upgrading from other mail and scheduling programs
Migrating data
If the organization uses a different mail client, you might have to migrate data from those clients to
Outlook 2010. The importers that are provided in Outlook (for example, for Eudora Light) might be
helpful. Importers cannot be configured to run automatically. You use importers to migrate data for
individual users.
Remote and roaming users
You can customize Outlook to optimize the experience for remote and roaming users, and to set up
Outlook for multiple users on the same computer.
You might want to configure features such as Outlook Anywhere (known as RPC over HTTP in earlier
versions of Outlook) and Cached Exchange Mode for remote users. These features enhance the user
experience when Outlook is used over slower or less reliable connections. By using Outlook Anywhere,
you can configure connections that enable users to connect more securely from the Internet to
Exchange servers in your organization without using a virtual private network (VPN) connection.
Cached Exchange Mode is an Outlook feature that was introduced with Office Outlook 2003 that
creates a local copy of users' mailboxes. Cached Exchange Mode is recommended for all
configurations, but especially benefits remote users. The feature enables users to have more reliable
access to their Outlook data, whether or not they are connected to a network.
When multiple users share the same computer, use Windows logon features on the computer's
operating system to manage user logon verification. Unless you deploy application virtualization, users
must use the same version of Outlook because only one version of Outlook can be installed on the
same computer. To learn more about how to set up multiple Outlook users on the same computer, see
Using Outlook on a computer you share with other people
(http://go.microsoft.com/fwlink/?LinkId=100528).
Multilingual requirements
Microsoft Office 2010 provides broad support to deploy in international or multilingual environments. As
with the 2007 Microsoft Office system, the Office 2010 product consists of the language-neutral core
package plus one or more language-specific packages. In addition to the proofing tools included in
each language version, you can download and deploy proofing tools for other languages to help
multilingual groups work with and edit files in many languages.
Outlook 2010 supports Unicode throughout the product to help multilingual organizations seamlessly
exchange messages and other information in a multilingual environment.
Choosing when and how to install Outlook
You have options for when and how you install Outlook 2010. For example, consider whether it would
be best for the organization to do the following:
Install or upgrade Outlook for different groups of users in stages, or at the same time.
Install Outlook as a stand-alone application.
Install Outlook before, during, or after Office 2010 installation.
Each organization has a different environment and might make different choices about timing Outlook
2010 upgrades. For example, you might have a messaging group that is responsible for upgrading
Outlook and a separate group that plans deployment for other Microsoft Office applications. In this
case, it might be easier to upgrade Outlook separately from the rest of Office, instead of attempting to
coordinate deployment between the two groups.
Note that Outlook 2010 cannot coexist with previous versions of Outlook on the same computer. If you
have to use previous versions, do not install Outlook 2010 or deploy Outlook 2010 with application
virtualization. For more information, see Determine when to install Outlook 2010.
For more information about how to configure Outlook profiles, see Office Customization Tool in Office
2010 (http://technet.microsoft.com/library/8faae8a0-a12c-4f7b-839c-24a66a531bb5(Office.14).aspx).
Important
There is a known issue in which an additional Exchange account is added to the Outlook profile
when a user who already has an Exchange account in the profile is upgraded from Outlook
2003 or Outlook 2007. This issue can occur while you are upgrading Outlook and applying
customizations by using a custom OCT file (.msp) or .prf file that is configured to "Modify
Profile" and "Define changes to make to the existing default profile."
To prevent multiple Exchange accounts from being created in one profile when you upgrade
users to Outlook 2010, you must create a .prf file and set the properties BackupProfile=False
and UniqueService=Yes. For the steps to do this, see Multiple Exchange accounts created in
Outlook 2010 with existing Outlook profiles after upgrading from an earlier Office version using
a custom MSP (http://go.microsoft.com/fwlink/?LinkId=199704).
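A .prf file is plain INI-style text, so the two properties the note requires can be verified before the file is handed to the OCT rather than discovered after users end up with duplicate accounts. The check that follows is added here as an example and is not from the planning guide or the linked article. It reads a .prf with Python's configparser and reports whether BackupProfile=False is set in [General] and UniqueService=Yes is set on the Exchange service entry. The two sample files are constructed: their section layout ([General], [Service List], [ServiceN]) follows the usual .prf structure, the server name is a placeholder, and placing UniqueService in the Exchange service section is an assumption made here.

```python
"""Lint an Outlook .prf for BackupProfile=False and UniqueService=Yes (added example)."""
from __future__ import annotations
import configparser

# Constructed sample that reproduces the situation in the note: an existing default profile is
# modified, a backup of it is kept, and the Exchange service is not marked unique.
WEAK_PRF = """\
[General]
Custom=1
ProfileName=Outlook
DefaultProfile=Yes
OverwriteProfile=Append
ModifyDefaultProfileIfPresent=True
BackupProfile=True

[Service List]
Service1=Microsoft Exchange Server

[Service1]
MailboxName=%UserName%
HomeServer=EXCHANGE-SERVER-PLACEHOLDER
"""

# The same file with the two settings from the note applied.
FIXED_PRF = """\
[General]
Custom=1
ProfileName=Outlook
DefaultProfile=Yes
OverwriteProfile=Append
ModifyDefaultProfileIfPresent=True
BackupProfile=False

[Service List]
Service1=Microsoft Exchange Server

[Service1]
UniqueService=Yes
MailboxName=%UserName%
HomeServer=EXCHANGE-SERVER-PLACEHOLDER
"""

def load_prf(text: str) -> configparser.ConfigParser:
    # interpolation=None keeps values such as %UserName% literal; strict=False tolerates
    # repeated keys, which hand-edited .prf files sometimes contain.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def _truthy(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")

def check_prf(text: str) -> list[str]:
    """Return findings; an empty list means both required settings are present and correct."""
    cp = load_prf(text)
    findings: list[str] = []

    backup = cp.get("General", "BackupProfile", fallback=None)
    if backup is None or _truthy(backup):
        findings.append(f"[General] BackupProfile={backup!s}; set BackupProfile=False")

    # Assumption: UniqueService is checked on each service of type Microsoft Exchange Server.
    services = list(cp["Service List"].items()) if cp.has_section("Service List") else []
    exchange = [key for key, kind in services if kind.strip().lower() == "microsoft exchange server"]
    if not exchange:
        findings.append("[Service List] has no Microsoft Exchange Server entry")
    for key in exchange:
        # configparser lowercases option names, so match the section name case-insensitively.
        section = next((s for s in cp.sections() if s.lower() == key.lower()), None)
        unique = cp.get(section, "UniqueService", fallback=None) if section else None
        if unique is None or not _truthy(unique):
            findings.append(f"[{section or key}] UniqueService={unique!s}; set UniqueService=Yes")
    return findings
```

check_prf(WEAK_PRF) returns two findings, one for each missing setting, and check_prf(FIXED_PRF) returns an empty list; running the check against the .prf you intend to ship with the custom .msp gives a pass/fail answer before the upgrade is staged.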
AutoArchive
Outlook mailboxes grow as users create and receive items. To keep mailboxes manageable, users
need another place to store or archive older items that are important but not frequently used. It is
typically most convenient to automatically move these older items to the archive folder and to discard
items whose content has expired and is no longer valid. Outlook 2010 AutoArchive can manage this
process automatically for users. However, we recommend that you use the Personal Archive feature in
Microsoft Exchange Server 2010 Messaging Records Management (MRM) because it eliminates the
need for Personal Folder files (.pst). By using Personal Archive in Exchange Server 2010, the e-mail
archive folders are stored online so that users can access the archived files by using Microsoft Outlook
Web App or from a secondary computer by using Outlook 2010. By using either of these client
applications, users can view an archive mailbox and move or copy messages between their primary
mailboxes and the archive. If you plan to deploy Outlook 2010 with Exchange Server 2010, consider
using the Exchange Server 2010 Personal Archive feature instead of Outlook 2010 AutoArchive. For
more information, see Understanding Personal Archive: Exchange 2010 Help
(http://go.microsoft.com/fwlink/?LinkId=169269).
If you choose to use the AutoArchive feature in Outlook 2010, you can configure the settings to
customize Outlook 2010 AutoArchive by using the Outlook Group Policy template (Outlk14.adm). Or
you can configure default settings by using the Office Customization Tool (OCT), in which case users
can change the settings.
Retention policies
Retention policy settings can help users follow retention policy guidelines that your organization
establishes for document retention. With Outlook 2010, you cannot deploy AutoArchive-based retention
settings through Outlook 2010 by using Group Policy. If you need to deploy retention policies, explore
the Messaging Records Management (MRM) features in Exchange Server 2010. For more information,
see Messaging Records Management: Exchange 2010 Help
(http://go.microsoft.com/fwlink/?LinkId=169263).
Security and privacy considerations
Outlook includes many security and privacy features.
For more information about how to plan for security and privacy in Outlook 2010, see Plan for security
and protection in Outlook 2010.
Upgrading from an earlier version of Outlook
You can install Outlook 2010 over any previous installation of Outlook. As in other Office 2010
applications, user settings stored in the registry are migrated. If a MAPI profile already exists on a
user's computer, you typically can configure a deployment to continue to use the profile. However, if
you are upgrading from an Internet Mail Only installation of Outlook 2000 or earlier, you might have to
re-create user profiles. Outlook 2010 cannot coexist with previous versions of Outlook on the same
computer. If you determine that users need a previous version, do not install Outlook 2010 or deploy
Outlook 2010 with application virtualization.
When you upgrade users from an earlier version of Outlook, you must make choices about configuring
user profiles, consider Cached Exchange Mode issues, and be aware of fax and forms changes.
For an overview of feature changes and migration considerations, see Changes in Outlook 2010
(http://technet.microsoft.com/library/97a37b3c-972b-4cea-be0b-6a5ff2a1f9bb(Office.14).aspx).
Should you make changes to Outlook user profiles as part of your upgrade? For example, you
might define a new Exchange server or enable new features of Outlook 2010. For more information
about customizing Outlook profiles, see Office Customization Tool in Office 2010
(http://technet.microsoft.com/library/8faae8a0-a12c-4f7b-839c-24a66a531bb5(Office.14).aspx).
How should you create and store a backup of your existing installation? Before you upgrade to any
new release, we recommend that you back up existing data. For more information about backing up
Outlook files, see Back up Outlook data with the Microsoft Outlook Personal Folders Backup tool
(http://go.microsoft.com/fwlink/?LinkId=81366).
How will users learn about the new interface and features of Office 2010? For more information,
see Office.com (http://go.microsoft.com/fwlink/?LinkId=169378).
Will any discontinued features or new or changed functionality affect when and how you upgrade?
For a list of changes from earlier versions of Outlook, see Changes in Outlook 2010
(http://technet.microsoft.com/library/97a37b3c-972b-4cea-be0b-6a5ff2a1f9bb(Office.14).aspx).
Will you have to assess and remediate Outlook add-ins in your environment?
Outlook 2010 enforces a new fast shutdown process for add-ins. The new shutdown process
prevents add-ins from causing long delays by holding on to resources after the user exits
Outlook. Although this change could adversely affect some existing add-ins, add-in vendors
and IT administrators can resolve those effects by forcing Outlook to revert to the standard add-
in shutdown process. For more information about the new shutdown process, see Shutdown
Changes for Outlook 2010 (http://go.microsoft.com/fwlink/?LinkId=203255). For more
information about add-in assessment and remediation, see Application compatibility
assessment and remediation guide for Office 2010
(http://technet.microsoft.com/library/b0d56d5f-f780-483e-8f95-dc7360a05208(Office.14).aspx).
Exchange Client Extensions (ECEs) do not load in Outlook 2010. Some third-party applications
such as archiving or security solutions use ECEs and must be updated for Outlook 2010. For
more information, see Announcing the deprecation of Exchange Client Extensions
(http://go.microsoft.com/fwlink/?LinkId=203888).
If you are installing 64-bit Outlook, 32-bit MAPI applications must be updated to 64-bit. For
more information, see 64-bit editions of Office 2010
(http://technet.microsoft.com/library/faab55b2-bb6c-4636-811e-24f6939548d1(Office.14).aspx)
and Building MAPI Applications on 32-Bit and 64-Bit Platforms
(http://go.microsoft.com/fwlink/?LinkId=203889).
The following table lists migration paths supported by Outlook 2010.
Outlook Express 4.x, 5.x, 6.x
Note:
You cannot import Microsoft Mail files to Outlook 2010, and you cannot share information
between Outlook 2010 and Schedule Plus.
See Also
Office Customization Tool in Office 2010 (http://technet.microsoft.com/library/8faae8a0-a12c-4f7b-839c-
24a66a531bb5(Office.14).aspx)
Changes in Outlook 2010 (http://technet.microsoft.com/library/97a37b3c-972b-4cea-be0b-
6a5ff2a1f9bb(Office.14).aspx)
Plan an Exchange deployment in Outlook 2010
Determine when to install Outlook 2010
You can install Microsoft Outlook 2010 before, during, or after an installation of other applications in
Microsoft Office 2010. You can also deploy Outlook 2010 to different groups of users at different times.
Note that installing Outlook 2010 without Microsoft Word 2010 limits Outlook 2010 functionality in the
following ways: 1) The Outlook 2010 e-mail editor has fewer features, and 2) Internet Fax functionality
is not available.
This article describes the requirements, advantages, and disadvantages of each installation strategy.
In this article:
Installing Outlook with Office
Installing Outlook before Office
Installing Outlook after Office
Staging an Outlook deployment
For details about how to install Office 2010 applications in stages, see Stage deployment of
applications in the 2007 Office system (http://go.microsoft.com/fwlink/?LinkId=162650).
Advantages of installing Outlook after Office
In many organizations, it makes sense to coordinate an Outlook 2010 deployment with an upgrade of
an e-mail server, instead of with an upgrade of other desktop applications. For example, if you plan to
upgrade to a new version of Exchange Server, you might plan an Outlook 2010 upgrade to follow
immediately afterward, independently of an upgrade of other Office 2010 applications, to take
advantage of features that work together between the e-mail server and client.
Disadvantages of staging a deployment
You must consider the logistics of scheduling and managing a staged deployment. An organization
might require additional resources to support users on different versions of the same product; for
example, it might need additional training for Help desk staff.
For details about how to install Office 2010 applications in stages, see Stage deployment of
applications in the 2007 Office system (http://go.microsoft.com/fwlink/?LinkId=162650).
See Also
Planning overview for Outlook 2010
Stage deployment of applications in the 2007 Office system
(http://go.microsoft.com/fwlink/?LinkId=162650)
Determine which features to enable or customize in Outlook 2010
This article contains an initial list of some of the Microsoft Outlook features that you might need to
configure and deploy with Microsoft Outlook 2010, such as Contact Cards and the Outlook Social
Connector. For security and protection features, see Plan for security and protection in Outlook 2010.
You can customize the installation of Outlook 2010 by using Group Policy or the Office Customization
Tool (OCT). To enforce settings, use Group Policy with the Outlook 2010 Group Policy template
(Outlk14.adm), and for some settings, such as those for Contact Cards, the Microsoft Office 2010
Group Policy template (Office14.adm).
For information about how to download the Outlook 2010 administrative template, and about other
Office 2010 Administrative Templates, see Office 2010 Administrative Template files (ADM, ADMX,
ADML) and Office Customization Tool (http://technet.microsoft.com/library/2aa26c81-d80c-4be4-
9114-8ea205ef47f2(Office.14).aspx).
For more information about Group Policy, see Group Policy overview for Office 2010 and Enforce
settings by using Group Policy in Office 2010 (http://technet.microsoft.com/library/873a5392-1b1a-
47a1-a863-1f29ef116d0e(Office.14).aspx).
To configure default settings, in which case users can change the settings, use the OCT. The OCT
settings are in corresponding locations of the Group Policy settings on the Modify user settings page
of the OCT. For more information about the OCT, see Office Customization Tool in Office 2010
(http://technet.microsoft.com/library/8faae8a0-a12c-4f7b-839c-24a66a531bb5(Office.14).aspx).
Contact Cards and Outlook Social Connector are two new features that you can configure by using
Group Policy and the OCT. The Outlook 2010 features Quick Steps and Clean Up cannot be
configured by using Group Policy or the OCT. Also, the MailTips feature is only administratively
configurable through Microsoft Exchange Server 2010. However, users can customize their settings for
these three features in Outlook 2010. To access user settings for Clean Up and MailTips, on the File
tab, click Options, and then click Mail. To manage Quick Steps in Outlook 2010, on the Home tab, in
the Quick Steps group, click the lower-right expand button.
For more information about how to configure MailTips in Exchange Server 2010, see Understanding
MailTips (http://go.microsoft.com/fwlink/?linkId=181931) and Managing MailTips
(http://go.microsoft.com/fwlink/?linkId=181934).
In this article:
AutoArchive
Contact Cards
Conversation view
Global Address List synchronization
Internet Calendars
Instant Search
Navigation Pane
Outlook Social Connector
Search Folders
SharePoint Server Colleague add-in
AutoArchive
Outlook 2010 AutoArchive helps determine how e-mail is managed in user mailboxes. You can
configure AutoArchive settings for users in your organization, determining, for example, how frequently
to run AutoArchive and whether to prompt users before they run AutoArchive.
If you plan to deploy Outlook 2010 with Exchange Server 2010, consider using the Exchange Server
2010 Personal Archive feature instead of Outlook 2010 AutoArchive. For more information, see
Understanding Personal Archive: Exchange 2010 Help (http://go.microsoft.com/fwlink/?LinkId=169269).
For planning compliance and archiving considerations, see Plan for compliance and archiving in
Outlook 2010.
By default, AutoArchive is turned on and runs automatically at scheduled intervals, removing older and
expired items from folders. Older items are those that reach the archiving age that a user specifies (the
default archiving age varies by the kind of Outlook item). Expired items are mail and meeting items
whose content is no longer valid after a certain date, such as a mail item set to expire two months ago
that still appears in a user's Inbox.
Users can specify an expiration date on items in Outlook 2010 at the time they create or send the item
or at a later date. When the item expires, it is unavailable and shows in the folder list with a strike-
through mark on the item.
When AutoArchive runs, it can delete items or move items to an archive folder, depending on the
settings that you specify.
The archive file is an Outlook data file (.pst file) that appears as Archive Folders in the Outlook 2010
folder list. The first time that AutoArchive runs, Outlook 2010 creates the archive file automatically in the
following location:
%UserProfile%\AppData\Local\Microsoft\Outlook\Archive.pst
You can lock down the settings to customize AutoArchive by using the Outlook Group Policy template
(Outlk14.adm). The settings are found under User Configuration\Administrative
Templates\Microsoft Outlook 2010\Outlook Options\Other\AutoArchive. Or, you can configure
default settings by using the Office Customization Tool (OCT), in which case users can change the
settings. The OCT settings are in corresponding locations on the Modify user settings page of the
OCT.
The settings that you can configure for AutoArchive are shown in the following table.
Option: Description
Run AutoArchive every <x> days: Specify an AutoArchive interval in number of days.
Prompt before AutoArchive runs: Notify users that AutoArchive will run, rather than running silently.
Delete expired items (e-mail folders only): Delete expired e-mail messages, instead of moving them to an archive folder.
Archive or delete old items: Move Outlook items to the archive file or delete the items.
Show archive folder in folder list: Display the archive folder in the user's Outlook folder list.
Clean out items older than: Specify how long to keep items before archiving or deleting them.
Permanently delete old items: Permanently delete items, instead of moving them to the Deleted Items folder.
Contact Cards
In Microsoft Office 2010, Contact Cards appear when you rest the mouse pointer over a name, for
example a sender's name in an e-mail message or the author's name in an Office 2010 document. If
you install Office 2010 with Office Communicator 2007 R2 or Office Communications Server 2007 R2,
Contact Cards display a person's availability and let you easily start a conversation directly through
instant messaging, voice call, or video. When you expand the Contact Card, you can view the Contact,
Organization, and Member Of tabs. The Contact tab is the default view; it displays information
such as department, office location, and work telephone number. The Organization tab displays the
contact's manager and contacts that share the same manager. The Member Of tab displays the
distribution lists of which the contact is a member. In Office 2010, you can customize Contact Cards to
turn off certain features and specify where presence icons are displayed. For the Contact tab on the
Contact Card, you can replace labels and values. The specific settings that you can configure for
Contact Cards are described in the following two sections. Note that there is a known issue with the
Group Policy and OCT settings for customizing the Contact tab; however, a workaround is available.
To customize the Contact tab, you must manually deploy the appropriate registry keys. See Contact
Card Contact Tab customization workaround (http://go.microsoft.com/fwlink/?LinkId=184612).
Contact Card
In Group Policy, the settings in the following table are found under User Configuration\Administrative
Templates\Microsoft Office 2010\Contact Card. The OCT settings are in corresponding locations on
the Modify user settings page of the OCT.
Option: Description
Display legacy GAL dialog: Enable to display the global address list (GAL) dialog box instead of the Contact Card when users double-click a contact in Outlook.
Do not display Hover Menu: Enable to stop the Hover Menu from displaying when a user pauses on a contact's presence icon or display name with the cursor.
Do not display photograph: Enable to not display the contact photograph on the Contact Card, e-mail header, reading pane, fast search results, GAL dialog box, and File tab.
Remove Member Of tab: Enable to remove the Member Of tab on the Contact Card.
Turn off click to IM option: Enable to remove the Instant Messaging (IM) option from the Contact Card and Outlook ribbon.
Turn off click to telephone: Enable to remove the telephone option from the Contact Card and Outlook ribbon.
Turn off presence integration: Enable to turn off IM presence integration for Office 2010 applications.
Contact tab
There is a known issue with the Group Policy and OCT settings for customizing the Contact tab;
however, a workaround is available. To customize the Contact tab, you must manually deploy the
appropriate registry keys. See Contact Card Contact Tab customization workaround
(http://go.microsoft.com/fwlink/?LinkId=184612).
The following Contact tab settings under User Configuration\Administrative Templates\Microsoft
Office 2010\Contact Card in Group Policy and in the corresponding locations on the Modify user
settings page of the OCT will be fully functional in a later release of the Administrative Templates.
To customize the Contact Card Contact tab in Outlook 2010, use the replace MAPI property settings
option. To customize the Contact Card Contact tab for other Office 2010 applications such as Microsoft
Word 2010, use the replace AD attribute settings option.
For information about Active Directory attributes, see Property Sets in Exchange 2007
(http://go.microsoft.com/fwlink/?LinkId=183812) and Attributes defined by Active Directory (Windows)
(http://go.microsoft.com/fwlink/?LinkId=183814). For information about MAPI properties, see Mail User
Properties (http://go.microsoft.com/fwlink/?LinkId=183815).
Option: Description
Move Calendar Line: Enable and set the line number to move the Calendar field value to another location on the Contact Card. This action will replace the field value that was in that location.
Move Location Line: Enable and set the line number to move the Location field value to another location on the Contact Card. This action will replace the field value that was in that location.
Replace Label - Title: Enable and enter a new label name for the Title (title, department) field.
Replace Label - Office: Enable and enter a new label name for the Office (office location) field.
Replace Label - Work: Enable and enter a new label name for the Work (work phone) field.
Replace Label - Mobile: Enable and enter a new label name for the Mobile (mobile phone) field.
Replace Label - Home: Enable and enter a new label name for the Home (home phone) field.
Replace Label - E-mail: Enable and enter a new label name for the E-mail (e-mail address) field.
Replace Label - Calendar: Enable and enter a new label name for the Calendar (calendar free/busy information) field.
Replace Label - Location: Enable and enter a new label name for the Location (location information) field.
Option: Description
Replace AD attribute title, department: Enable and enter the Active Directory (AD) attribute to replace the Title field value. For example, to display the e-mail alias, enter the AD attribute: sAMAccountName. If you enable this setting, also set Replace MAPI property title, department.
Replace AD attribute office location: Enable and enter the Active Directory (AD) attribute to replace the Office field value. If you enable this setting, also set Replace MAPI property office location.
Replace AD attribute work phone: Enable and enter the Active Directory (AD) attribute to replace the Work field value. If you enable this setting, also set Replace MAPI property work phone.
Replace AD attribute mobile phone: Enable and enter the Active Directory (AD) attribute to replace the Mobile field value. If you enable this setting, also set Replace MAPI property mobile phone.
Replace AD attribute home phone: Enable and enter the Active Directory (AD) attribute to replace the Home field value. If you enable this setting, also set Replace MAPI property home phone.
Replace AD attribute e-mail address: Enable and enter the Active Directory (AD) attribute to replace the E-mail field value. If you enable this setting, also set Replace MAPI property e-mail address.
Replace AD attribute calendar free/busy information: Enable and enter the Active Directory (AD) attribute to replace the Calendar field value. If you enable this setting, also set Replace MAPI property calendar free/busy information.
Replace AD attribute location information: Enable and enter the Active Directory (AD) attribute to replace the Location field value. If you enable this setting, also set Replace MAPI property location information.
Option: Description
Replace MAPI property title, department: Enable and enter the MAPI property to replace the Title field value. For example, to display the e-mail alias, enter the MAPI property: 0x3a00001f. If you enable this setting, also set Replace AD attribute title, department.
Replace MAPI property office location: Enable and enter the MAPI property to replace the Office field value. If you enable this setting, also set Replace AD attribute office location.
Replace MAPI property work phone: Enable and enter the MAPI property to replace the Work field value. If you enable this setting, also set Replace AD attribute work phone.
Replace MAPI property mobile phone: Enable and enter the MAPI property to replace the Mobile field value. If you enable this setting, also set Replace AD attribute mobile phone.
Replace MAPI property home phone: Enable and enter the MAPI property to replace the Home field value. If you enable this setting, also set Replace AD attribute home phone.
Replace MAPI property e-mail address: Enable and enter the MAPI property to replace the E-mail field value. If you enable this setting, also set Replace AD attribute e-mail address.
Replace MAPI property calendar free/busy information: Enable and enter the MAPI property to replace the Calendar field value. If you enable this setting, also set Replace AD attribute calendar free/busy information.
Replace MAPI property location information: Enable and enter the MAPI property to replace the Location field value. If you enable this setting, also set Replace AD attribute location information.
Conversation view
The Conversation view provides a threaded view of e-mail messages in a Microsoft Outlook folder. To
access the Conversation view in Outlook 2010, click View, and then select the Show as
Conversations check box.
The settings that you can configure for Conversation view in Group Policy and the OCT are shown in
the following table. In Group Policy, the settings are found under User Configuration\Administrative
Templates\Microsoft Outlook 2010\Outlook Options\Preferences\E-mail Options. The OCT
settings are in corresponding locations on the Modify user settings page of the OCT.
Option: Description
Configure Cross Folder Content in Conversation view: Enable and select the e-mail folder content to include in Conversation view.
  On and cross-store: E-mail displayed is from all connected Outlook data files, whether they are cached on the local computer or online.
  Off: E-mail displayed in Conversation view is only from the current folder (such as the Inbox).
  On and current: E-mail displayed in Conversation view is only from the current Outlook data file being viewed.
  On and local: E-mail displayed is only from the current Outlook data file being viewed and any other local Outlook data file (such as a personal data file (.pst)).
Do not use Conversational arrangement in Views: There is a known issue with the explanatory text for this setting, which will be corrected in a later release of the Administrative Templates. If you do not configure this setting, the Outlook 2010 views will display Date view as the default. Enable to turn off Conversation view to prevent users from using Conversation view in Outlook 2010. Disable to turn on Conversation view as the default Outlook 2010 view.
Global Address List synchronization
Outlook 2010 synchronizes its Contacts folder entries to contacts in the Exchange Global Address List
(GAL) when they have matching SMTP addresses. This synchronization is one-way: from the GAL to
the Outlook Contacts folder.
Discrepancies in contact phone numbers might arise when the phone entries in users' Outlook
Contacts folders are created in a different format from the one that is used in the corporate GAL. For
example, a locale might require one type of phone number prefix format for calling from within the
country and another prefix format for calling from outside the country.
If a user creates his or her Outlook 2010 contacts with the prefix formats that are required to dial from
outside the country, a move correction takes place when Outlook 2010 contacts are updated by using
details from the GAL.
In a move correction, the telephone numbers that the user creates in his or her Outlook contacts are
overwritten and moved to an adjacent phone number field. For example, the telephone number in the
Business field is moved to the Business 2 field. For more information about move corrections, see
Contact corrections that Outlook makes during GAL synchronization.
After synchronization, you cannot reverse the changes in bulk. However, a user can manually update
Outlook contacts, or if there are many differences, the user's Exchange mailbox can be restored. A
programmatic solution is possible, but requires complex data validation to pull the previous values from
the Notes field. These solutions quickly become unfeasible for a large enterprise.
However, if contact synchronization is a large issue in your organization, you can disable GAL
synchronization for Outlook 2010, either before you deploy Microsoft Office 2010 or when you see
potential for this situation occurring.
For the following fields, a move correction is the default correction method that is used. For all other
fields, Outlook always performs a normal correction.
Business Phone Group: Business Phone, Business 2 Phone, Other Phone
Home Phone Group: Home Phone, Home 2 Phone, Other Phone
Mobile Phone Group: Mobile Phone, Other Phone
Business Address Group: Business Address, Other Address
Home Address Group: Home Address, Other Address
Option: Description
Block Global Address List synchronization: Enable to block the synchronization of contacts between Outlook and the GAL. If you disable or do not configure this setting, GAL synchronization is allowed.
Set GAL contact synchronization interval: Enable to control how often (in minutes) contact information is synchronized between Outlook and connected social networks. By default, if you disable or do not configure this policy, contact information is synchronized one time per day, or every 1,440 minutes.
You can configure GAL sync to prompt before updating, instead of updating without prompting (which
is the default behavior), by configuring the registry settings that are listed in the following table. For the
steps to deploy the registry data, see Disable global address list synchronization for Outlook 2010
(http://technet.microsoft.com/library/8709aafb-fef9-4f35-9e25-7ef42db242db(Office.14).aspx).
Root: HKEY_CURRENT_USER
Data type: String
Key: Software\Microsoft\Office\Outlook\SocialConnector
Value name: GalSyncExcludedLocales
Value data: For country codes, see ISO 3166-1 alpha-3 (http://go.microsoft.com/fwlink/?LinkId=197158).
Important:
This registry value is only honored when the ScheduleContactGALSync key does not exist. The
ScheduleContactGALSync key is created if the user manually sets GAL synchronization options
through the user interface.
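As an added example (not part of the Resource Kit or any Microsoft tool), the following PowerShell writes GalSyncExcludedLocales for the current user and first applies the caveat above: it checks for ScheduleContactGALSync and warns that the value will be ignored while that key exists. It assumes the locale list is written as comma-separated ISO 3166-1 alpha-3 codes (the separator is not stated on the page) and, because the page calls ScheduleContactGALSync a key, it checks for it as both a registry value and a subkey.

```powershell
# Added example, not from the Office 2010 Resource Kit.
# Deploys GalSyncExcludedLocales under HKCU and honours the documented precondition
# that Outlook ignores the value once ScheduleContactGALSync exists.
# Assumption: locales are stored as a comma-separated list of ISO 3166-1 alpha-3 codes.

$SocialConnectorPath = 'HKCU:\Software\Microsoft\Office\Outlook\SocialConnector'

function Test-GalSyncUserOverride {
    # True when ScheduleContactGALSync exists (as a value or as a subkey), which means the
    # user has set GAL sync options in the UI and GalSyncExcludedLocales will be ignored.
    param([string]$Path = $SocialConnectorPath)

    if (-not (Test-Path -Path $Path)) { return $false }
    $asValue  = Get-ItemProperty -Path $Path -Name 'ScheduleContactGALSync' -ErrorAction SilentlyContinue
    $asSubKey = Test-Path -Path (Join-Path -Path $Path -ChildPath 'ScheduleContactGALSync')
    return (($null -ne $asValue) -or $asSubKey)
}

function Set-GalSyncExcludedLocales {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Locales,
        [string]$Path = $SocialConnectorPath
    )

    # Validate before touching the registry: every entry must be a three-letter alpha-3 code.
    foreach ($code in $Locales) {
        if ($code -notmatch '^[A-Za-z]{3}$') {
            throw "'$code' is not an ISO 3166-1 alpha-3 country code."
        }
    }

    if (Test-GalSyncUserOverride -Path $Path) {
        Write-Warning ("ScheduleContactGALSync exists under $Path. Outlook will not honour " +
                       "GalSyncExcludedLocales until that key is removed.")
    }

    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    $data = ($Locales | ForEach-Object { $_.ToUpperInvariant() }) -join ','
    if ($PSCmdlet.ShouldProcess("$Path\GalSyncExcludedLocales", "Set String value to '$data'")) {
        New-ItemProperty -Path $Path -Name 'GalSyncExcludedLocales' -PropertyType String `
                         -Value $data -Force | Out-Null
    }
    return $data
}

# Constructed sample: exclude two locales; -WhatIf previews the change without writing it.
Set-GalSyncExcludedLocales -Locales 'USA', 'CAN' -WhatIf
```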
Internet Calendars
An Internet Calendar (iCal) is a calendar that you can publish to an Internet site, where other users can
view it or subscribe to it. You can create an iCal from your calendar, send it as an attachment in an
e-mail message, upload it to Office.com, or upload it to a WebDAV server to publish it. You can also
receive an iCal file as a file attachment in an e-mail message or download an iCal file to subscribe to a
third-party calendar. For more information, see Introduction to publishing Internet Calendars
(http://go.microsoft.com/fwlink/?LinkId=193168).
With Outlook 2010, you can customize iCal subscription features. You can disable iCal subscriptions in
Outlook 2010 if, for example, you are concerned about bandwidth usage and want to delay introducing
iCal subscriptions. By default, iCal subscriptions are enabled. You can also deploy iCal subscriptions as
default subscriptions that users can change or delete. Or, you can lock down iCal subscriptions so that
users cannot change or remove them; users can still add new iCal subscriptions. By default, there are
no iCal subscriptions, and users can add and remove them.
Outlook 2010 sets the synchronization interval so that each iCal subscription is updated at the
publisher's recommended interval. Users can override the default interval unless you disallow that
option. If users set the update frequency to a short interval, it can cause performance problems.
By enabling the Override published sync interval option in Group Policy, you can enforce the
publisher's update intervals so that users cannot change the intervals. This setting is used for all iCal
subscriptions. You cannot set this option differently for different subscriptions.
The settings that you can configure for iCal in Group Policy and the OCT are shown in the following
table. In Group Policy, the settings are found under User Configuration\Administrative
Templates\Microsoft Outlook 2010\Account Settings\Internet Calendars. The OCT settings are in
corresponding locations on the Modify user settings page of the OCT.
Option: Description
Default Internet Calendar subscriptions: Enable and add the URLs that are to be added to each user's profile as an Internet Calendar subscription.
Disable roaming of Internet Calendars: Enable so that Internet Calendars are available only on the client that originally linked them.
Do not include Internet Calendar integration in Outlook: Enable to prevent users from subscribing to Internet Calendars in Outlook.
Override published sync interval: Enable to prevent users from overriding the sync interval published by Internet Calendar providers.
Instant Search
In Microsoft Outlook 2010, users can use the Instant Search feature to quickly locate an item, such as
an e-mail message, a task, or an appointment. Items that match the search are highlighted. Users can
filter results by typing additional letters (known as wordwheeling).
Instant Search in Outlook 2010 works by accessing indexed content. Indexing Outlook content results
in quicker search results. By default, the text of all unrestricted Outlook items, including
attachments, is indexed, a process that starts when Outlook 2010 runs for the first time. You can turn
off full-text indexing, or you can turn off only attachment indexing. Indexing occurs in the background
and only when there is additional processing capacity available on the user's computer.
The following Windows settings determine how Outlook manages search indexing:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Search\PreventIndexingOutlook
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Search\PreventIndexingEmailAttachments
Encrypted items and items that are restricted by using Information Rights Management (IRM) are not
indexed.
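As an added example (not from the Resource Kit or any Microsoft tool), the following PowerShell audits the two Windows Search policy values named above for the current user and reports what Outlook 2010 will index as a result. It assumes both values are REG_DWORD with 1 meaning "prevent", which the page does not state.

```powershell
# Added example, not from the Office 2010 Resource Kit.
# Reads the Windows Search policy values that govern Outlook 2010 indexing and maps
# them to the indexing behaviour described in the planning guide.
# Assumption: both values are REG_DWORD and a value of 1 means "prevent".

$SearchPolicyPath   = 'HKCU:\Software\Policies\Microsoft\Windows\Search'
$IndexingValueNames = 'PreventIndexingOutlook', 'PreventIndexingEmailAttachments'

function Get-OutlookIndexingPolicy {
    # Returns one object with a property per policy value; $null means "not configured".
    param([string]$Path = $SearchPolicyPath)

    $result = [ordered]@{}
    foreach ($name in $IndexingValueNames) {
        $data = $null
        if (Test-Path -Path $Path) {
            $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $data = [int]$item.$name }
        }
        $result[$name] = $data
    }
    return [pscustomobject]$result
}

function Get-OutlookIndexingState {
    # Translates the raw values into the effective behaviour for Instant Search.
    param([string]$Path = $SearchPolicyPath)

    $policy = Get-OutlookIndexingPolicy -Path $Path
    $state = if ($policy.PreventIndexingOutlook -eq 1) {
        'Full-text indexing of Outlook items is turned off by policy.'
    } elseif ($policy.PreventIndexingEmailAttachments -eq 1) {
        'Outlook items are indexed, but attachment indexing is turned off by policy.'
    } else {
        'Default: all unrestricted Outlook items, including attachments, are indexed.'
    }

    # Encrypted and IRM-restricted items are never indexed, regardless of these values.
    return [pscustomobject]@{
        PreventIndexingOutlook          = $policy.PreventIndexingOutlook
        PreventIndexingEmailAttachments = $policy.PreventIndexingEmailAttachments
        EffectiveState                  = $state
        NeverIndexed                    = 'Encrypted items; IRM-restricted items'
    }
}

Get-OutlookIndexingState | Format-List
```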
If you install Outlook 2010 on a computer that is running Windows Vista or Windows 7, you can
configure search indexing options for Outlook by using Group Policy or the OCT.
The settings that you can configure for Instant Search are shown in the following table. In Group Policy,
the settings are found under User Configuration\Administrative Templates\Microsoft Outlook
2010\Outlook Options\Preferences\Search Options. The OCT settings are in corresponding
locations on the Modify user settings page of the OCT.
Option: Description
Change color used to highlight search matches: Selects the background color that will be used for highlighting matches in search results (default is yellow).
Do not display hit highlights in search results: Turns off search hit highlighting.
Do not include display search results as the user types: Do not display search results as the user types a search query (turn off Word Wheel functionality).
Do not include the Online Archive in All Mail item search: Enable to set the default action in All Mail Item search not to include search results from the Online Archive.
Expand scope of searches: Expand the scope for Instant Search to all folders in the current module (for example, Mail or Calendar). By default, Instant Search in Outlook returns results only from the selected folder.
Prevent clear signed message and attachment indexing: Do not index the body and attachments of clear-text signed messages. The sender, subject line, and date will continue to be indexed and searchable.
Prevent installation prompts when Windows Desktop Search component is not present: When Outlook starts, do not prompt users by using a dialog box that asks whether users want to download Windows Desktop Search (if it is not already installed). Also, remove the links in Outlook that let users download Windows Desktop Search.
Turn off automatic search index reconciliation: Turn off the automatic verification of the integrity of the Outlook search index, which runs every 72 hours.
Navigation Pane
You can configure the modules in the Navigation Pane in Outlook 2010 (such as Calendar, Mail, and so
on) to appear in a specific order for users, or to display only certain modules.
You can use the Office Customization Tool (OCT) Add registry entries option to distribute registry
keys that specify how modules are displayed. You cannot use Group Policy to lock down Navigation
Pane options.
The following table lists the registry settings that you can configure for a custom installation.
Root / Data type / Key / Value name / Value data
By default, the Journal is not shown in the Navigation Pane. You can choose to not display other
modules also. For example, to not display Contacts, Tasks, Notes, or Shortcuts, set this data:
1,1,0,0,0,1,0,0.
Outlook Social Connector
You can control the social network providers from which users can view activity feeds. You can prevent
activity feeds from all social network providers by enabling the Prevent social network connectivity
setting in Group Policy. Or, you can deploy specific providers by using the Specify list of social
network providers to load setting in the OCT and prevent other providers from being installed by
using the Block specific social network providers setting in Group Policy.
You can also control whether to allow the Outlook Social Connector or social network providers to
prompt users for updates or manage the updates yourself by using the Do not show social network
info-bars setting in Group Policy.
The settings that you can configure for the Outlook Social Connector in Group Policy and the OCT are
shown in the following table. In Group Policy, the settings are found under User
Configuration\Administrative Templates\Microsoft Outlook 2010\Outlook Social Connector. The OCT
settings are in corresponding locations on the Modify user settings page of the OCT.
Option: Description
Block Global Address List synchronization: Block synchronization between Outlook and the global address list.
Block network activity synchronization: Block synchronization of activity information between Outlook and social networks.
Block social network contact synchronization: Block synchronization of contacts between Outlook and social networks.
Block specific social network providers: Specify the list of social network providers to block by Program ID (ProgID). A provider's ProgID is registered under HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\SocialConnector\SocialNetworks.
Do not allow on-demand activity synchronization: Prevent on-demand synchronization of activity information between Outlook and social networks.
Do not show social network info-bars: Enable to prevent displaying information-bar messages that will prompt users to upgrade the Outlook Social Connector when updates are available or to install or update social network providers.
Prevent social network connectivity: Enable to turn off social network connectivity in the Outlook Social Connector. Outlook Social Connector will still allow personal information management (PIM) aggregation so that users can view information about a chosen contact from their Outlook 2010 data files (for example, e-mail messages exchanged and meetings with that contact).
Set GAL contact synchronization interval: Control how often contact information is synchronized between Outlook and connected social networks (in minutes). By default, if you disable or do not configure this policy, contact information is synchronized one time per day, or every 1,440 minutes.
Specify activity feed synchronization interval: Control how often activity feed information is synchronized between Outlook and connected social networks (in minutes). By default, if you disable or do not configure this policy, activity information is synchronized every 60 minutes.
Specify list of social network providers to load: Enter a list of social network providers (by ProgID) that will be loaded by the Outlook Social Connector. A provider's ProgID is registered under HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\SocialConnector\SocialNetworks.
Turn off Outlook Social Connector: Enable to turn off the Outlook Social Connector.
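As an added example (not from the Resource Kit or any Microsoft tool), the following PowerShell inventories the social network providers registered for the current user under the SocialNetworks key named above and flags any ProgID that is not on an allow-list, the same list you would deploy with Specify list of social network providers to load. It assumes each provider is a subkey of SocialNetworks named by its ProgID; the allow-list entry is a constructed placeholder.

```powershell
# Added example, not from the Office 2010 Resource Kit.
# Lists registered Outlook Social Connector providers and compares them with an allow-list.
# Assumption: each provider appears as a subkey of SocialNetworks whose name is its ProgID.

$SocialNetworksPath = 'HKCU:\Software\Microsoft\Office\Outlook\SocialConnector\SocialNetworks'

function Get-RegisteredSocialProvider {
    # Returns the ProgIDs registered under SocialNetworks (empty when the key is absent).
    param([string]$Path = $SocialNetworksPath)

    if (-not (Test-Path -Path $Path)) { return @() }
    return @(Get-ChildItem -Path $Path | ForEach-Object { $_.PSChildName })
}

function Compare-SocialProviderAllowList {
    # Emits one object per registered provider with an Allowed flag. PowerShell's
    # -contains is case-insensitive, which matches how ProgIDs are compared.
    param(
        [Parameter(Mandatory)][string[]]$AllowedProgId,
        [string]$Path = $SocialNetworksPath
    )

    foreach ($progId in (Get-RegisteredSocialProvider -Path $Path)) {
        [pscustomobject]@{
            ProgId  = $progId
            Allowed = ($AllowedProgId -contains $progId)
        }
    }
}

# Constructed placeholder allow-list; replace it with the ProgIDs you deploy through the OCT.
$allowedProviders = @('Contoso.SocialProvider.Example')

$report = Compare-SocialProviderAllowList -AllowedProgId $allowedProviders
$report | Format-Table -AutoSize

$report | Where-Object { -not $_.Allowed } | ForEach-Object {
    Write-Warning ("Provider '$($_.ProgId)' is registered but not on the allow-list; " +
                   "add it to the 'Block specific social network providers' setting.")
}
```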
Search Folders
Outlook folders are where items are stored such as new e-mail messages (Inbox folder), sent e-mail
messages (Sent Items folder), or saved e-mail messages (folders that you can create). Search Folders
are virtual folders that contain views of all e-mail items that match specific search criteria. E-mail
messages are not stored in Search Folders.
Search Folders display the results of previously defined search queries of your Outlook 2010 folders.
The e-mail messages remain stored in one or more Outlook folders. Each Search Folder is a saved
search that is kept up to date. By default, Search Folders monitor all Outlook folders for new items that
match the criteria of the Search Folder. However, you can configure which folders are monitored. In
Outlook 2010, click Folder, and then click Customize This Search Folder.
When users create a Search Folder, they have several default Search Folder options to choose from,
such as Mail with attachments or Mail from specific people. They can also create custom Search
Folders. To create a Search Folder in Outlook 2010, click Folder in the ribbon, and then click New
Search Folder.
By default, Search Folders remain active for 1,000 days. You can configure how long Search Folders
remain active for Cached Exchange Mode accounts and for online Exchange Server accounts. You can
specify the number of days after which Search Folders become dormant, that is, items listed in the
Search Folder are no longer up to date with current searches of Outlook folders. A dormant Search
Folder appears in italic in a user's navigation pane. When a user opens a dormant Search Folder, the
view is refreshed and the elapsed time count begins again.
The time period that you specify with this setting begins the last time that a user clicked the Search
Folder. You can specify a different number of days for users in Exchange Online Mode and in Cached
Exchange Mode. Separate counts are maintained for each Search Folder for each mode. If you enable
and specify zero days for the option Keep search folders in Exchange online, Search Folders in
Exchange Online Mode are always dormant. Similarly, if you specify zero days for the option Keep
search folders offline, Search Folders in Cached Exchange Mode are always dormant.
You can also limit the number of Search Folders allowed in each user mailbox, or you can disable the
Search Folders user interface completely.
Note:
If users use Search Folders in Online Mode (using a mailbox on the Exchange Server) instead
of in Cached Exchange Mode, the number of users who can be supported by the Exchange
Server might be decreased.
The settings that you can configure for Search Folders in Group Policy and the OCT are shown in the
following table. In Group Policy, the settings are found under User Configuration\Administrative
Templates\Microsoft Outlook 2010\Search Folders. The OCT settings are in corresponding locations
on the Modify user settings page of the OCT.
Option: Description
Do not create Search Folders when users start Outlook: A known issue exists for this policy setting. Default Search Folders are removed in Outlook 2010. This policy does not affect new or existing profiles in Outlook 2010.
Keep search folders in Exchange online: Specify the number of days to keep a Search Folder active when Outlook is running in Online Mode.
Keep search folders offline: Specify the number of days to keep a Search Folder active when Outlook is running in offline or cached mode.
Maximum Number of Online Search Folders per Mailbox: Specify the maximum number of Search Folders for Exchange. Does not affect the number of Search Folders on a client computer.
SharePoint Server Colleague add-in
The settings to disable or lock down the SharePoint Server Colleague add-in by using Group Policy are
listed in the following table and are found under the Microsoft Office 2010 settings: User
Configuration\Administrative Templates\Microsoft Office 2010\Server Settings\SharePoint
Server. Or, you can configure default settings by using the Office Customization Tool (OCT), in which
case users can change the settings. The OCT settings are in the corresponding location on the Modify
user settings page of the OCT under the Microsoft Office 2010 settings. For the steps to configure
these settings, see Configure Colleagues for My Site (http://technet.microsoft.com/library/4abf0200-
cc1d-438a-835a-e1ea3410176a.aspx#BKMK_ConfigureEMailAnalyzer).
Option: Description
Enable Colleague Import Outlook Add-in to work with Microsoft SharePoint Server: Enable this setting to turn on the SharePoint Server Colleague add-in for Outlook 2010. Disable this setting to turn off this feature. If you do not set this option, the Colleague add-in is turned on by default.
Maximum number of days to scan from today to determine the user's colleagues for recommendation: Enable this setting to specify how many days prior to today to scan the Outlook sent items for the user's colleague recommendation list. For example, if you use the default, which is 20 days, the SharePoint Server Colleague add-in will scan items sent in the last 20 days. The larger the number of days specified, the more accurate the recommendation. The smaller the number of days, the faster the recommendations are generated.
Maximum number of items to scan from today to determine the user's colleagues for recommendation: Enable this setting to specify the maximum number of sent items to scan for the user's colleague recommendation list.
Maximum number of recipients in an Outlook item to scan to determine the user's colleagues for recommendation: Enable this setting to specify the maximum number of recipients in an Outlook sent item to scan for the user's colleague recommendation list.
Maximum number of rows fetched per request while populating a lookup in the SharePoint list control: Enable this setting to specify the maximum number of rows to retrieve per request while populating the SharePoint list control.
Minimum time before starting Colleague recommendation scan: Enable this setting to specify the minimum idle time (in milliseconds) to wait before the SharePoint Server Colleague add-in begins to scan the Outlook Sent Items folder.
Minimum time to wait before rescanning the Outlook mailbox for new recommendations: Enable this setting to specify the minimum time (in hours) to wait before rescanning the Outlook Sent Items folder for new colleague recommendations.
See Also
Plan for security and protection in Outlook 2010
Configure user settings for Office 2010 (http://technet.microsoft.com/library/29cdde97-d1a7-4683-9c34-
bd0bd78c41cc(Office.14).aspx)
Office 2010 Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool
(http://technet.microsoft.com/library/2aa26c81-d80c-4be4-9114-8ea205ef47f2(Office.14).aspx)
Office Customization Tool in Office 2010 (http://technet.microsoft.com/library/8faae8a0-a12c-4f7b-839c-
24a66a531bb5(Office.14).aspx)
Group Policy overview for Office 2010
Plan an Exchange deployment in Outlook 2010
Microsoft Outlook 2010 offers two basic connectivity modes when you are connected to a Microsoft
Exchange Server computer: Cached Exchange Mode or Online Mode.
This article discusses which connectivity mode might be appropriate for your environment and also
provides planning considerations and settings for Cached Exchange Mode deployments in Outlook
2010.
In this article:
Overview
Choosing between Cached Exchange Mode and Online Mode
How Cached Exchange Mode can help improve the Outlook user experience
Outlook features that can reduce the effectiveness of Cached Exchange Mode
Synchronization, disk space, and performance considerations
Managing Outlook behavior for perceived slow connections
Options for staging a Cached Exchange Mode deployment
Upgrading current Cached Exchange Mode users to Outlook 2010
Deploying Cached Exchange Mode to users who already have .ost files
Configuring Cached Exchange Mode
Additional resources
Overview
When an Outlook 2010 account is configured to use Cached Exchange Mode, Outlook 2010 works from
a local copy of a user's Microsoft Exchange mailbox stored in an offline data file (.ost file) on the user's
computer, together with the Offline Address Book (OAB). The cached mailbox and OAB are updated
periodically from the Exchange Server computer.
Cached Exchange Mode was introduced in Outlook 2003 to provide users a better online and offline
experience. Cached Exchange Mode lets users move between connected and disconnected
environments without interrupting their experience in Outlook. Also, it insulates users from network
latency and connectivity issues while they are using Outlook.
In contrast, Online Mode works directly by using information from the server. When new information is
required in Outlook, a request is made to the server and the information is displayed. Mailbox data is
only cached in memory and never written to disk.
Cached Exchange Mode or Online Mode can be selected by the user during account setup or by
changing the account settings. The mode can also be deployed by using the Office Customization Tool
(OCT) or Group Policy.
Important
There is a known issue in which an additional Exchange account is added to the Outlook profile
when a user who already has an exchange account in the profile is upgraded from Outlook
2003 or Outlook 2007. This issue can occur while you are upgrading Outlook and applying
customizations by using a custom OCT file (.msp) or .prf file that is configured to "Modify
Profile" and "Define changes to make to the existing default profile."
To prevent multiple Exchange accounts from being created in one profile when you upgrade
users to Outlook 2010, you must create a .prf file and set the properties BackupProfile=False
and UniqueService=Yes. For the steps to do this, see Multiple Exchange accounts created in
Outlook 2010 with existing Outlook profiles after upgrading from an earlier Office version using
a custom MSP (http://go.microsoft.com/fwlink/?LinkId=199704).
Very large mailboxes (greater than 25 GB) on which performance considerations become an issue
in Cached Exchange Mode.
Virtualized or Remote Desktop Services (Terminal Services) environments that run Outlook 2007 or
Outlook 2003. Cached Exchange Mode is not supported when you run Outlook 2007 or
Outlook 2003 on a computer running Remote Desktop Services (Terminal Services).
Virtualized or Remote Desktop Services (Terminal Services) environments that run Outlook 2010
on which disk size or disk input/output (I/O) limitations prevent running Cached Exchange Mode at
the desired scale.
If you work with a very large mailbox, you can reduce the size of the local data file by using
synchronization filters. For more information, see Create a synchronization filter
(http://go.microsoft.com/fwlink/?LinkID=193917) and Optimizing Outlook 2007 Cache Mode
Performance for a Very Large Mailbox (http://go.microsoft.com/fwlink/?LinkID=193918).
If you work with a very large mailbox on which performance considerations become an issue in Cached
Exchange Mode, see How to troubleshoot performance issues in Outlook
(http://go.microsoft.com/fwlink/?LinkID=193920).
Special considerations
Outlook 2010 supports running in Cached Exchange Mode in a Remote Desktop Services (Terminal
Services) environment that has multiple users. When you configure a computer running Remote
Desktop Services (Terminal Services) to use Cached Exchange Mode, you must consider additional
storage space that is required and disk I/O requirements of multiple client access.
By default, new Exchange accounts that are set up on a computer running Remote Desktop Services
(Terminal Services) will use Online Mode. Upon setup, the user can decide to enable Cached
Exchange Mode or this setting can be controlled by using the Use Cached Exchange Mode for new
and existing Outlook profiles option in the Office Customization Tool or Group Policy.
In very limited bandwidth environments, Cached Exchange Mode can be configured to download only
e-mail headers and a 256-character preview of the message body. For more information, see Configure
Cached Exchange Mode in Outlook 2010 (http://technet.microsoft.com/library/c6f4cad9-c918-420e-
bab3-8b49e1885034(Office.14).aspx).
Even when it is configured in Cached Exchange Mode, Outlook 2010 must contact the server directly to
do certain operations. These operations will not function when Outlook is not connected and can take
longer to complete on high-latency connections. These operations include the following:
Working with Delegate mailbox data stores.
Working with Shared Folders that have not been made available offline. For more information, see
Configure Offline Availability for a Shared Folder (http://go.microsoft.com/fwlink/?LinkID=193926).
Retrieving Free/Busy information.
Setting, modifying, or canceling an Out of Office message.
Accessing Public Folders.
Retrieving rights to a rights-protected message.
Editing rules.
Retrieving MailTips.
Note:
Outlook checks the network adapter speed on the user's computer to determine a user's
connection speed, as supplied by the operating system. Reported network adapter speeds of
128 kilobytes (KB) or lower are defined as slow connections. Under some circumstances, the
network adapter speed might not accurately reflect data throughput for users. For more
information about adjusting the behavior of Outlook in these scenarios, see Managing Outlook
behavior for perceived slow connections later in this article.
Outlook can adapt to changing connection environments by offering different levels of optimization,
such as disconnecting from a corporate local area network (LAN), going offline, and then re-
establishing a connection to the server over a slower, dial-up connection. As the Exchange Server
connection type changes (for example, to LAN, wireless, cellular, or offline), transitions are
seamless and do not require changing settings or restarting Outlook.
For example, a user might have a portable computer at work with a network cable connection to a
corporate LAN. In this scenario, the user has access to headers and full items, including attachments.
The user also has quick access and updates to the computer that runs Exchange Server. If a user
disconnects the portable computer from the LAN, Outlook switches to Trying to connect mode. The
user can continue to work without interruption with the data in Outlook. If a user has wireless access,
Outlook can re-establish a connection to the server and then switch back to Connected mode.
If the user later connects to the Exchange Server computer over a dial-up connection, Outlook
recognizes that the connection is slow and automatically optimizes for that connection by downloading
only headers and by not updating the OAB. In addition, Outlook 2010 and Office Outlook 2007 include
optimizations to reduce the amount of data that is sent over the connection. The user does not need to
change settings or restart Outlook in this scenario.
Outlook 2010 also includes the Need Password mode. A Need Password message is displayed when
Outlook is in a disconnected state and requires user credentials to connect; for example, when a user
clicks Cancel in a credentials authentication dialog box. When Outlook is disconnected but is not
offline, a user-initiated action (such as clicking Send/Receive or the Type Password button on the
ribbon) causes Outlook to prompt again for the password and to display a Trying to connect message
until the user can successfully authenticate and connect.
Custom properties on the General tab in the Properties dialog box for users. The Properties
dialog box appears when you double-click a user name (for example, on the To line of an e-mail
message). This dialog box can be configured to include custom properties unique to an
organization, such as a user's cost center. However, if you add properties to this dialog box, we
recommend that you not add them to the General tab. Outlook must make a remote procedure call
(RPC) to the server to retrieve custom properties. Because the General tab shows by default when
the Properties dialog box is accessed, an RPC would be performed every time that the user
accessed the Properties dialog box. As a result, a user who runs Outlook in Cached Exchange
Mode might experience noticeable delays when he or she accesses this dialog box. To help avoid
such delays, create a new tab on the Properties dialog box for custom properties, or include
custom properties on the Phone/Notes tab.
Certain Outlook add-ins can affect Cached Exchange Mode. Some add-ins can access Outlook data by
using the object model to bypass the expected functionality of the Download only headers and On
slow connections, download only headers settings in Cached Exchange Mode. For example, full
Outlook items, not only headers, download if you use Microsoft ActiveSync technology to synchronize a
hand-held computer, even over a slow connection. In addition, the update process is slower than if you
download the items in Outlook, because one-time-only applications use a less-efficient kind of
synchronization.
current Outlook users with POP accounts and existing customized Send/Receive groups to Outlook
2010. In this situation, if you disable the Send/Receive option, users cannot download POP e-mail
messages or HTTP e-mail messages by using the Outlook Connector.
Note:
We recommend that users use the default Unicode OAB. The ANSI OAB files do not include
some properties that are in the Unicode OAB files. Outlook must make server calls to retrieve
required user properties that are not available in the local OAB, which can result in significant
network access time when users do not have a Full Details OAB in Unicode format.
When Cached Exchange Mode first creates a local copy of a user's mailbox, the user's current .ost file,
if one exists, is updated. If users currently have non-Unicode ANSI-formatted .ost files, we recommend
that you upgrade their .ost files to Unicode. Non-Unicode (ANSI) Outlook files have a limit of 2
gigabytes (GB) of data storage. The maximum size for Unicode .ost files is configurable, with the
default being 50 GB of data storage.
Also, make sure that users' .ost files are located in a folder that has sufficient disk space to
accommodate users' mailboxes. For example, if users' hard drives are partitioned to use a smaller drive
for system programs (the system drive is the default location for the folder that contains the .ost file),
specify a folder on another drive that has more disk space as the location of users' .ost files.
For more information about how to deploy .ost files in a location other than the default location, see
To configure a default .ost location by using Group Policy
(http://technet.microsoft.com/library/c6f4cad9-c918-420e-bab3-
8b49e1885034.aspx#ConfigureDefaultOST) in Configure Cached Exchange Mode in Outlook 2010
(http://technet.microsoft.com/library/c6f4cad9-c918-420e-bab3-8b49e1885034(Office.14).aspx).
To determine whether your users' .ost files are in ANSI or Unicode format, see How to determine
the mode that Outlook 2007 or Outlook 2003 is using for offline folder files
(http://go.microsoft.com/fwlink/?LinkId=159924).
For information about how to force an upgrade of an existing non-Unicode (ANSI) formatted .ost file
to Unicode format, see To force upgrade of non-Unicode ANSI format .ost files to Unicode
(http://technet.microsoft.com/library/c6f4cad9-c918-420e-bab3-8b49e1885034.aspx#UpgradeANSI)
in Configure Cached Exchange Mode in Outlook 2010
(http://technet.microsoft.com/library/c6f4cad9-c918-420e-bab3-8b49e1885034(Office.14).aspx).
For more information about how to configure the Unicode .ost file size, see How to configure the
size limit for both (.pst) and (.ost) files in Outlook 2007 and in Outlook 2003
(http://go.microsoft.com/fwlink/?LinkId=159750).
You can configure this option (Download shared non-mail folders) in the Office Customization Tool
(OCT) when you customize your Cached Exchange Mode deployment.
You can also enable shared mail folders for users if it is necessary. However, the cautionary notes
earlier in this article regarding the sharing of non-mail folders also apply to the sharing of mail folders.
Local .ost file size increases for users who have shared folders enabled. For information about how to
enable this setting, see Configure Cached Exchange Mode in Outlook 2010
(http://technet.microsoft.com/library/c6f4cad9-c918-420e-bab3-8b49e1885034(Office.14).aspx).
For more information, see You cannot cache shared mail folders in Outlook 2007
(http://go.microsoft.com/fwlink/?linkid=159948).
Outlook continues to synchronize the Outlook data with mobile devices, and some client-side rules
might run.
Note:
We recommend that you do not synchronize mobile devices with the Cached Exchange
Download only headers setting enabled. When you synchronize a mobile device (for
example, by using ActiveSync), full items are downloaded in Outlook, and the synchronization
process is less efficient than with regular Outlook synchronization to users' computers.
The Download only headers setting for synchronization is designed for Outlook users who have dial-
up connections or cellular wireless connections, to minimize network traffic when there is a slow or
expensive connection. Under some circumstances, the network adapter speed might not accurately
reflect data throughput for users. For example, if a user's computer is connected to a local area network
(LAN) for fast access to local file servers, the network adapter speed is reported as fast because the
user is connected to a LAN. However, the user's access to other locations on an organization's
network, including the Exchange Server computer, might use a slow link, such as an ISDN connection.
For such a scenario, where users' actual data throughput is slow although their network adapters report
a fast connection, you might want to configure an option to change or lock down the behavior of
Outlook; for example, by disabling automatic switching to downloading only headers by using the Group
Policy Object Editor option, Disallow On Slow Connections Only Download Headers. Similarly,
there might be connections that Outlook has determined are slow but which provide high data
throughput to users. In this case, you might also disable automatic switching to downloading only
headers. You can configure the On slow connections, download only headers option in the OCT, or
lock down the option by using Group Policy Object Editor to set Disallow On Slow Connections Only
Download Headers. For more information about how to customize this setting, see Configure Cached
Exchange Mode in Outlook 2010 (http://technet.microsoft.com/library/c6f4cad9-c918-420e-bab3-
8b49e1885034(Office.14).aspx).
The following scenarios include examples of how you can deploy Cached Exchange Mode to avoid a
large initial performance impact on the Exchange Server computers and, in some cases, minimize the
time users spend waiting for the initial synchronization:
Retain Outlook .ost files when you deploy Cached Exchange Mode. Because existing .ost
files are merely updated with the latest mailbox information when Outlook with Cached Exchange
Mode starts for the first time, retaining these .ost files when you deploy Cached Exchange Mode
can help reduce the load on your organization's Exchange Server computers. Users who already
have .ost files will have less Outlook information to synchronize with the server. This scenario
works best when most users already have .ost files that have been synchronized recently with
Exchange Server. To retain .ost files while you deploy Outlook with Cached Exchange Mode, do
not specify a new Exchange Server computer when you customize Outlook profile information in
the OCT. Or, when you customize Outlook profiles in the OCT, clear the Overwrite existing
Exchange settings if an Exchange connection exists (only applies when modifying the
profile) check box. (If you specify an Exchange Server computer when you configure and deploy
Outlook with this option enabled, Outlook replaces the Exchange service provider in the MAPI
profile, which removes the profile's entry for existing .ost files.) If you are currently using non-
Unicode (ANSI) .ost files, we recommend that you upgrade users' .ost files to Unicode for improved
performance and functionality. In this case, the old non-Unicode (ANSI) .ost files cannot be
retained; they would be re-created in the Unicode format.
For information about how to force an upgrade of an existing non-Unicode (ANSI) formatted .ost file
to Unicode format, see Force upgrade of non-Unicode ANSI format .ost files to Unicode in
Configure Cached Exchange Mode in Outlook 2010 (http://technet.microsoft.com/library/c6f4cad9-
c918-420e-bab3-8b49e1885034(Office.14).aspx).
Provide seed .ost files to remote users, and then deploy Cached Exchange Mode after users
have installed the .ost files that you provide. If most users in your organization do not currently
have .ost files or are not using Cached Exchange Mode, you can deploy Outlook 2010 with Cached
Exchange Mode disabled. Then, before the date on which you plan to deploy Cached Exchange
Mode, you provide initial, or seed, .ost files to each user with a snapshot of the user's mailbox; for
example, by providing or mailing to the user a CD that contains the file together with installation
instructions. You might also want to provide a recent version of your organization's Offline Address
Book (OAB) with Full Details. You configure and deploy Cached Exchange Mode when users
confirm that they have installed the files.
When you update your Outlook deployment to use Cached Exchange Mode later, Exchange Server
updates users' existing .ost files and there is much less data to synchronize than there would be if a
new .ost file and OAB were created for each user. To create individual CDs for each user's .ost file
can be time-consuming. Therefore, this seed-file deployment option might be most useful for select
groups of remote users who would otherwise spend lots of time waiting for the initial mailbox and
OAB synchronization, perhaps at a high cost, depending on their remote connection scenario.
For more information about how to create initial .ost files, see Providing an initial OST file for an
Outlook Cached Exchange Mode deployment (http://go.microsoft.com/fwlink/?LinkId=74518). The
article describes the creation of initial .ost files for Office Outlook 2003. The process works similarly
for Office Outlook 2007 and Outlook 2010.
Deploy Outlook with Cached Exchange Mode to groups of users over time. You can balance
the workload on the Exchange Server computers and the local area network by upgrading groups
of users to Cached Exchange Mode over time. You can reduce the network traffic and server-
intensive work of populating .ost files with users' mailbox items and downloading the OAB by rolling
out the new feature in stages. The way that you create and deploy Cached Exchange Mode to
groups of users depends on your organization's usual deployment methods. For example, you
might create groups of users in Microsoft Systems Management Server (SMS), to which you deploy
an SMS package that updates Outlook to use Cached Exchange Mode. You deploy SMS to each
group over a period of time. To balance the load as much as you can, choose groups of users
whose accounts are spread across groups of Exchange Server computers.
For more information about how to configure Cached Exchange Mode by using Group Policy, see
Configure Cached Exchange Mode in Outlook 2010 (http://technet.microsoft.com/library/c6f4cad9-
c918-420e-bab3-8b49e1885034(Office.14).aspx).
Option: Disallow Download Full Items
Description: Enable to turn off the Download Full Items option in Outlook. To find this option, click
the Send/Receive tab, and then click Download Preferences.
Option: Disallow Download Headers
Description: Enable to turn off the Download Headers option in Outlook. To find this option, click the
Send/Receive tab.
Option: Disallow Download Headers then Full Items
Description: Enable to turn off the Download Headers then Full Items option in Outlook. To find this
option, click the Send/Receive tab, and then click Download Preferences.
Option: Disallow On Slow Connections Only Download Headers
Description: Enable to turn off the On Slow Connections Download Only Headers option in Outlook.
To find this option, click the Send/Receive tab, and then click Download Preferences.
Option: Use Cached Exchange Mode for new and existing Outlook profile
Description: Enable to configure new and existing Outlook profiles to use Cached Exchange Mode.
Disable to configure new and existing Outlook profiles to use Online Mode.
The following table shows some additional settings that you can configure for Exchange connectivity. In
Group Policy, the settings are found under User Configuration\Administrative Templates\Microsoft
Outlook 2010\Account Settings\Exchange. The OCT settings are in corresponding locations on the
Modify user settings page of the OCT.
Option: Automatically configure profile based on Active Directory Primary SMTP address
Description: Enable to prevent users from changing the SMTP e-mail address used to set up a new
account from the one retrieved from Active Directory.
Option: Configure Outlook Anywhere user interface options
Description: Enable to let users view and change user interface (UI) options for Outlook Anywhere.
Option: Do not allow an OST file to be created
Description: Enable to prevent offline folder use.
Option: Restrict legacy Exchange account
Description: Enable to restrict which account is the first account that is added to the profile.
Option: Set maximum number of Exchange accounts per profile
Description: Enable to set the maximum number of Exchange accounts allowed per Outlook profile.
Option: Synchronizing data in shared folders
Description: Enable to control the number of days that elapse without a user accessing an Outlook
folder before Outlook stops synchronizing the folder with Exchange.
Additional resources
For more information about how to plan a Cached Exchange Mode deployment, see the following
resources.
When you use Office Outlook 2003, Office Outlook 2007, or Outlook 2010 with Exchange Server-
based systems, you can use Cached Exchange Mode and other features to enhance the user
experience regarding issues such as high latency, loss of network connectivity, and limited network
bandwidth. To learn about these improvements, see Client Network Traffic with Exchange 2003
white paper (http://go.microsoft.com/fwlink/?LinkId=79063).
Outlook 2010 includes the ability to automatically configure user accounts. To learn how the
discovery mechanisms work and how to modify an XML file to configure Autodiscover for your
organization, see Plan to automatically configure user accounts in Outlook 2010.
Cached Exchange Mode in a Remote Desktop Session Host environment: planning considerations (white paper)
This white paper is an addendum to the document Remote Desktop Session Host Capacity Planning in
Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=196861). Use it while you evaluate
the deployment of Outlook 2010 in Cached Exchange Mode to your Remote Desktop Session Host
(RDSH) environment. This white paper covers the three major areas that you should consider during
your deployment planning:
Storage footprint
Performance impact
Networked storage
Download this white paper as a Microsoft Word document (.docx): Cached Exchange Mode in a
Remote Desktop Session Host environment: planning considerations
(http://go.microsoft.com/fwlink/?LinkId=200170).
Plan to automatically configure user accounts in Outlook 2010
This article describes the two discovery mechanisms to automatically configure user accounts in
Microsoft Outlook 2010: Autodiscover and Common Settings Discover.
In this article:
Overview
Using Autodiscover with DNS
Autodiscover transaction summary
The Autodiscover XML schema
Common Settings Discover
Overview
As with Microsoft Office Outlook 2007, Outlook 2010 includes the ability to automatically configure user
accounts. Outlook 2010 uses one of two discovery mechanisms to automatically configure accounts:
Autodiscover and Common Settings Discover.
Autodiscover is a standards-based XML file that can be configured by an administrator for an Internet
service provider (ISP) or a corporation, or dynamically generated by a service, such as the Client
Access server role in Microsoft Exchange Server 2007 or Microsoft Exchange Server 2010. This is the
recommended mechanism for settings discovery, because it provides optimal performance. It also
minimizes the possibility of configuration error on the client computer, because the settings are defined
explicitly and deliberately by the administrator of the mail servers.
Common Settings Discover is less configurable, and less sophisticated, but configures most mail
servers around the world based on common settings. It tries encrypted connections first. If these
connections fail, it prompts the user to try connections that are not encrypted, and tries the same
servers again without encryption. Many ISPs today do not require encryption, but have it enabled so
that users can configure their accounts by using encryption.
For information about how to deploy and manage the Autodiscover service for Exchange Server 2007,
see Overview of Autodiscover Service: Exchange 2007 Help
(http://go.microsoft.com/fwlink/?linkId=183290). For Exchange Server 2010, see Understanding the
Autodiscover Service: Exchange 2010 Help (http://go.microsoft.com/fwlink/?linkId=183289).
find the XML file. The XML file location is based on the e-mail address that the user provides. For
example, if [email protected] is entered as the user's e-mail address, Outlook 2010 looks for the
XML file in the following locations and in the following order:
1. https://contoso.com/autodiscover/autodiscover.xml
2. https://autodiscover.contoso.com/autodiscover/autodiscover.xml
If your company also has a Web site at the root domain (for example, contoso.com), the second option
(the Autodiscover host (A) resource record solution) lets you run the Web server and the Autodiscover
file or service on separate servers. For smaller companies, the additional management of having
separate DNS records can be ignored, and a single server can run both the Web site and the
Autodiscover service (for example, the option 1 listed previously).
The connection must be established by using Secure Sockets Layer (SSL), and a valid SSL certificate
must be present. SSL is required because a company or an Internet service provider (ISP) could
choose to provide only encrypted access to their mail servers. In this scenario, if Outlook 2010 first
checks non-SSL locations or allows failover to a non-SSL location, and a user types an e-mail address
and password in a vulnerable security situation such as a man-in-the-middle attack, the automatic
configuration service in Outlook 2010 could weaken security by being the weakest link in the connection
chain if a non-SSL connection is allowed. Without an encrypted connection, the automatic configuration
service could allow a non-encrypted Web site to configure mail server settings and allow authentication
with a user name and password to the non-encrypted site. Instead, SSL is required by the Autodiscover
protocol to maintain the compatibility with companies and ISPs that demand secure configuration
routines.
However, if a company or an ISP chooses to host many e-mail domains, Outlook 2010 can follow an
HTTP redirect or DNS Service (SRV) resource record (this DNS SRV record lookup functionality is
included in Office Outlook 2007 Service Pack 1 and later versions) that is not encrypted to a secure
Web site that stores the settings. For example, suppose that contoso.com is a hosted e-mail domain,
and that the hosting service runs the Autodiscover file at hoster.com. In this scenario, the autodiscover
prefix can be used by the hosting company to direct Outlook 2010 to a secure site that contains the
Autodiscover settings.
HTTP redirect: http://autodiscover.contoso.com/autodiscover/autodiscover.xml --> redirects to
https://autodiscover.hoster.com/autodiscover/autodiscover.xml
DNS SRV: _autodiscover._tcp.contoso.com --> points to
https://autodiscover.hoster.com/autodiscover/autodiscover.xml
In both examples, users will see a warning dialog box in Outlook 2010 stating that they are being
redirected to autodiscover.hoster.com for server settings. The dialog box provides the option to allow
the redirection and lets users ignore future prompts about the redirect site (in this example,
autodiscover.hoster.com).
where the user has entered the e-mail address e-mail@domain. If the settings are successfully
retrieved, no additional network calls are made. If the settings are not retrieved, an HTTPS POST verb
is performed to autodiscover.domain. If settings are not retrieved from this site, a final HTTP GET and
DNS SRV record lookup is performed only to the autodiscover.domain site. This HTTP GET and DNS
SRV record lookup can only redirect to a secure site. (If settings are present at the HTTP location,
Outlook 2010 will not configure them because the connection was not encrypted.)
Outlook 2010 can follow up to 10 redirects of any type. That is, you can follow an HTTPS POST
redirect, HTTP GET redirect, or use the Autodiscover redirect XML schema tags detailed later in this
article. If the settings cannot be obtained after 10 redirections, the settings discovery fails.
1. Automatically retrieve the e-mail address from the Active Directory directory service if the computer
is joined to a domain.
2. Retrieve the name of the Exchange Server computer if found, and store the name for later.
3. Look for Service Connection Point (SCP) objects or SCP pointer objects that correspond to the
user's e-mail address, and find the correct Autodiscover server to connect to. Then, connect to the
server and retrieve the settings.
4. If the previous step fails, try DNS discovery of Autodiscover XML (allowing for 10 redirects).
a. HTTPS POST: https://domain/autodiscover/autodiscover.xml
b. HTTPS POST: https://autodiscover.domain/autodiscover/autodiscover.xml
c. HTTP GET: http://autodiscover.domain/autodiscover/autodiscover.xml (only to follow redirects,
not to obtain settings)
d. DNS SRV lookup: _autodiscover._tcp.domain (only to follow the redirect to which the SRV
resource record points)
5. If the previous step fails, try local XML discovery and use the XML found on the local computer, if
applicable.
6. If the previous step fails but the name of the Exchange Server computer is found in step 2,
configure the Exchange account based on the name of the Exchange Server computer.
7. If the previous step is not applicable, try Common Settings Discover, as described in Common
Settings Discover later in this article.
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
    <EMailAddress>[email protected]</EMailAddress>
  </Request>
</Autodiscover>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<!-- Autodiscover: This tag serves as an indication that the retrieved XML is an Autodiscover Response.
-->
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
<!-- DisplayName: The server may have a good formal display name. The client can decide to accept it
     or change it. This will save the user time in the default case.
-->
      <DisplayName>John Doe</DisplayName>
    </User>
<!-- Account: This tag specifies the type of account, such as Email vs Newsgroups, vs SIP server, etc.
-->
    <Account>
<!-- AccountType:
     VALUES:
     email: The values under this Account tag indicate configuration settings for an email server.
     nntp: The values under this Account tag indicate configuration settings for a NNTP server. (not
     used by Outlook 2007)
-->
      <AccountType>email | nntp</AccountType>
<!-- Action: This value indicates whether the goal of this account result is to provide the settings
     or to redirect to another web server that can provide results.
     VALUES:
     redirectUrl: If this value is specified, then the URL tag will specify the http: or https: URL
     containing the Autodiscover results to be used. In order to prevent the server from being able
     to send the client into an infinite loop, the client should stop redirecting after 10
     redirects.
     redirectAddr: If this value is specified, then the XML tag will specify the e-mail address that
     Outlook should use to execute Autodiscover again. In other words, the server is telling the
     client that the e-mail address the client should really be using for Autodiscover is not the
     one that was posted, but the one specified in this tag.
     settings: If this value is specified, then the XML will contain the settings needed to
     configure the account. The settings will primarily be under the PROTOCOL tag.
-->
      <Action>redirectUrl | redirectAddr | settings</Action>
<!-- RedirectUrl: Required if ACTION tag has value of 'redirectUrl'. Otherwise this tag must
     not exist.
     The value will be a https: URL that the client should use to obtain the Autodiscover settings
     or a http: URL that the client should use for further redirection.
-->
      <RedirectUrl>redirect.URL</RedirectUrl>
<!-- RedirectAddr: Required if ACTION tag has value of 'redirectAddr'. Otherwise this tag must
     not exist.
     The value will be an email address that the client should use to rediscover settings using the
     Autodiscover protocol.
-->
      <RedirectAddr>email@address</RedirectAddr>
<!-- Image: This is a JPG picture to brand the ISP configuration experience with. The client can
     choose whether or not to download this picture to display. (not used by Outlook 2007)
-->
      <Image>http://path.to.image.com/image.jpg</Image>
<!-- ServiceHome: This is a link to the ISP's Home Page. The client can choose whether or not to
     expose this link to the user. (not used by Outlook 2007)
-->
      <ServiceHome>http://web.page.com</ServiceHome>
<!-- Protocol: Required if ACTION tag has value of 'settings'. Otherwise, this tag must not
     exist.
     The tag encloses the specifications for a single account type. The Protocol tags are listed
     in the server's order of preference. The client may override the preference.
-->
      <Protocol>
<!-- Type: The value here specifies what kind of mail account is being configured.
     POP3: The protocol to connect to this server is POP3. Only applicable for AccountType=email.
     SMTP: The protocol to connect to this server is SMTP. Only applicable for AccountType=email.
     IMAP: The protocol to connect to this server is IMAP. Only applicable for AccountType=email.
     DAV: The protocol to connect to this server is DAV. Only applicable for AccountType=email.
     WEB: Email is accessed from a web browser using a URL from the SERVER tag. Only applicable for
     AccountType=email. (not used by Outlook 2007)
     NNTP: The protocol to connect to this server is NNTP. Only applicable for AccountType=nntp.
     (not used by Outlook 2007)
-->
        <Type>POP3 | SMTP | IMAP | DAV | WEB | NNTP</Type>
<!-- ExpirationDate: The value here specifies the last date on which these settings should be used.
     After that date, the settings should be rediscovered via Autodiscover again. If no value is
     specified, the default will be no expiration.
-->
        <ExpirationDate>YYYYMMDD</ExpirationDate>
<!-- TTL: The value here specifies the time to live in hours that these settings are valid for.
     After that time has elapsed (from the time the settings were retrieved), the settings should be
     rediscovered via Autodiscover again. A value of 0 indicates that no rediscovery will be
     required. If no value is specified, the default will be a TTL of 1 hour.
-->
        <TTL>168</TTL>
<!-- Server: The value here specifies the name of the mail server corresponding to the server type
     specified above.
     For protocols such as POP3, SMTP, IMAP, or NNTP, this value will be either a hostname or an IP
     address.
-->
        <Server>mail.contoso.com</Server>
<!-- Port: The value specifies the Port number to use. If no value is specified, the default
     settings will be used depending on the mail server type. This value is not used if the SERVER
     tag contains a URL.
-->
        <Port>110</Port>
<!-- LoginName: This value specifies the user's login. If no value is specified, the default will be
     set to the string preceding the '@' in the email address. If the Login name contains a domain,
     the format should be <Username>@<Domain>. Such as JoeUser@SalesDomain.
-->
        <LoginName>johndoe</LoginName>
<!-- DomainRequired: If this value is true, then a domain is required during authentication. If the
     domain is not specified in the LOGINNAME tag, or the LOGINNAME tag was not specified, the user
     will need to enter the domain before authentication will succeed.
-->
        <DomainRequired>on | off</DomainRequired>
<!-- DomainName: This value specifies the user's domain. If no value is specified, the default
     authentication will be to use the e-mail address as a UPN format <Username>@<Domain>. Such as
     JoeUser@SalesDomain.
-->
        <DomainName></DomainName>
        <SPA>on | off</SPA>
        <SSL>on | off</SSL>
<!-- AuthRequired: Optional.
-->
        <AuthRequired>on | off</AuthRequired>
<!-- UsePOPAuth: If specified, then the authentication information provided for the POP3 type
     account will also be used for SMTP.
-->
        <UsePOPAuth>on | off</UsePOPAuth>
<!-- SMTPLast: If this value is true, then the SMTP server requires that email be downloaded before
     sending email via the SMTP server. This is often required because the SMTP server verifies that
     the authentication succeeded when downloading email.
-->
        <SMTPLast>on | off</SMTPLast>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response
xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>POP3</Type>
<Server>mail.contoso.com</Server>
<Port>995</Port>
<DomainRequired>off</DomainRequired>
<SPA>off</SPA>
<SSL>on</SSL>
<AuthRequired>on</AuthRequired>
</Protocol>
<Protocol>
<Type>SMTP</Type>
<Server>mail.contoso.com</Server>
<Port>587</Port>
<DomainRequired>off</DomainRequired>
<SPA>off</SPA>
<SSL>on</SSL>
<AuthRequired>on</AuthRequired>
<UsePOPAuth>on</UsePOPAuth>
<SMTPLast>on</SMTPLast>
</Protocol>
</Account>
</Response>
</Autodiscover>
ISP with POP3, IMAP, and SMTP services with POP3 preference for clients
The following XML file would be configured exactly as described in the previous section.
<?xml version="1.0" encoding="utf-8" ?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response
xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>POP3</Type>
<Server>mail.contoso.com</Server>
<Port>995</Port>
<DomainRequired>off</DomainRequired>
<SPA>off</SPA>
<SSL>on</SSL>
<AuthRequired>on</AuthRequired>
</Protocol>
<Protocol>
<Type>IMAP</Type>
<Server>mail.contoso.com</Server>
<Port>993</Port>
<DomainRequired>off</DomainRequired>
<SPA>off</SPA>
<SSL>on</SSL>
<AuthRequired>on</AuthRequired>
</Protocol>
<Protocol>
<Type>SMTP</Type>
<Server>mail.contoso.com</Server>
<Port>587</Port>
<DomainRequired>off</DomainRequired>
<SPA>off</SPA>
<SSL>on</SSL>
<AuthRequired>on</AuthRequired>
<UsePOPAuth>on</UsePOPAuth>
<SMTPLast>on</SMTPLast>
</Protocol>
</Account>
</Response>
</Autodiscover>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response
xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Account>
<AccountType>email</AccountType>
<Action>redirectUrl</Action>
<RedirectUrl>https://autodiscover.hoster.com/autodiscover/autodiscover.xml</RedirectUrl>
</Account>
</Response>
</Autodiscover>
Users can instead be redirected by configuring an ordinary HTTP 302 redirect at the source location.
Outlook 2010 follows both 302 redirects and redirectUrl tags in an XML response.
Note that the XML file for all Autodiscover responses must be named Autodiscover.xml.
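The redirect handling described above (at most 10 redirects of any type, settings never configured from an unencrypted location, the plain-http GET used only to reach a secure site, and the warning about a redirect to another host), modelled in Python as an added example. This is illustration code written for this guide, not Outlook's implementation; the fetch callback, the sample sites and the two .test domains are constructed stand-ins for the network, and HTTP 302 responses are treated the same way as redirectUrl tags, as the note above says Outlook does.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple
from urllib.parse import urlparse

NS_OUTLOOK = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"
MAX_REDIRECTS = 10  # redirects of any type, as the article states
# protocols: one dict per <Protocol>; source_url: the https URL the settings came from;
# prompt_hosts: redirect hosts outside the user's domain that the warning dialog would name
Discovery = namedtuple("Discovery", "protocols source_url redirects prompt_hosts")

class DiscoveryFailed(Exception):
    """Every candidate failed, or the redirect cap was reached."""

def candidate_urls(domain):
    # step 4 of the discovery order: two HTTPS POSTs, then a plain-http GET that may only redirect
    return [f"https://{domain}/autodiscover/autodiscover.xml",
            f"https://autodiscover.{domain}/autodiscover/autodiscover.xml",
            f"http://autodiscover.{domain}/autodiscover/autodiscover.xml"]

def parse_response(xml_text):
    """Return (Action, payload): protocol dicts for 'settings', else the redirect URL or address."""
    account = ET.fromstring(xml_text).find(f".//{{{NS_OUTLOOK}}}Account")
    if account is None:
        raise ValueError("response has no Account element")
    def text(tag):
        return (account.findtext(f"{{{NS_OUTLOOK}}}{tag}") or "").strip()
    action = text("Action")
    if action == "settings":
        return action, [{c.tag.rsplit("}", 1)[1]: (c.text or "").strip() for c in proto}
                        for proto in account.findall(f"{{{NS_OUTLOOK}}}Protocol")]
    if action in ("redirectUrl", "redirectAddr"):
        return action, text("RedirectUrl" if action == "redirectUrl" else "RedirectAddr")
    raise ValueError(f"unknown Action value {action!r}")

def discover(email, fetch):
    """Walk the candidates like Outlook 2010; fetch(url) -> (status, body): 200+XML, 302+Location, 404+None."""
    user_domain = email.split("@", 1)[1]
    pending = candidate_urls(user_domain)
    redirects, prompt_hosts = 0, []
    def count_redirect():
        nonlocal redirects
        redirects += 1
        if redirects > MAX_REDIRECTS:
            raise DiscoveryFailed(f"gave up after {MAX_REDIRECTS} redirects for {email}")
    def follow(target):
        count_redirect()
        host = urlparse(target).hostname or ""
        if not host.endswith(user_domain) and host not in prompt_hosts:
            prompt_hosts.append(host)  # Outlook warns the user before trusting this redirect site
        pending.insert(0, target)

    while pending:
        url = pending.pop(0)
        scheme = urlparse(url).scheme
        status, body = fetch(url)
        if status == 302:
            if scheme == "http" and not body.startswith("https://"):
                continue  # the plain-http GET may only redirect to a secure site
            follow(body)
        elif status == 200:
            action, payload = parse_response(body)
            if action == "settings":
                if scheme != "https":
                    continue  # settings reached over plain http are never configured
                return Discovery(payload, url, redirects, prompt_hosts)
            if action == "redirectUrl":
                follow(payload)  # an http target is allowed, but only as a further redirect hop
            else:  # redirectAddr: start over with the address the server supplied
                count_redirect()
                pending[:] = candidate_urls(payload.split("@", 1)[1])
    raise DiscoveryFailed(f"no settings found for {email}")

# Constructed sample responses and sites; no real host is contacted.
SETTINGS_XML = f"""<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response xmlns="{NS_OUTLOOK}"><Account><AccountType>email</AccountType><Action>settings</Action>
  <Protocol><Type>POP3</Type><Server>mail.contoso.com</Server><Port>995</Port><SSL>on</SSL></Protocol>
  <Protocol><Type>SMTP</Type><Server>mail.contoso.com</Server><Port>587</Port><SSL>on</SSL></Protocol>
 </Account></Response></Autodiscover>"""
LOOP_URL = "https://loop.test/autodiscover/autodiscover.xml"
REDIRECT_XML = (f'<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">'
                f'<Response xmlns="{NS_OUTLOOK}"><Account><AccountType>email</AccountType><Action>redirectUrl'
                f'</Action><RedirectUrl>{LOOP_URL}</RedirectUrl></Account></Response></Autodiscover>')
SAMPLE_SITES = {
    # the article's hand-off: contoso.com's plain-http GET answers with a 302 to the hosting company
    "http://autodiscover.contoso.com/autodiscover/autodiscover.xml":
        (302, "https://autodiscover.hoster.com/autodiscover/autodiscover.xml"),
    "https://autodiscover.hoster.com/autodiscover/autodiscover.xml": (200, SETTINGS_XML),
    "http://autodiscover.insecure.test/autodiscover/autodiscover.xml": (200, SETTINGS_XML),  # http only
    LOOP_URL: (200, REDIRECT_XML),  # redirects to itself forever
}

def sample_fetch(url):
    return SAMPLE_SITES.get(url, (404, None))

def discovery_fails(email):
    """True when discovery against the sample sites ends without usable settings."""
    try:
        discover(email, sample_fetch)
    except DiscoveryFailed:
        return True
    return False
```

Running `discover("user@contoso.com", sample_fetch)` returns the POP3 and SMTP settings from the hosting company after one redirect and names autodiscover.hoster.com as the host the user would be warned about, while insecure.test (settings offered only over http) and loop.test (endless redirectUrl) both end in DiscoveryFailed.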
protocols should use the same server names for each protocol. Then, the user needs only to change a
selection box, switching from IMAP to POP3.
Outlook 2010 tries a variety of incoming and outgoing server settings in parallel to maximize
performance and minimize wait time for the user. The settings that Outlook 2010 attempts to configure
for users are listed in the following tables. All encrypted settings are tried first, as a separate group.
Only then, and only if the user consents, are settings that are not encrypted tried.
IMAP settings
First, encrypted settings are tried. For an IMAP server, the connection permutations are as shown in the
following table.
Server | User name | Port | TLS/SSL | SPA
Next, permutations that are not encrypted are tried, after the user is asked to continue with connection
attempts that are not encrypted. The unencrypted IMAP settings that Outlook 2010 attempts to configure
are as shown in the following table.
POP3 settings
First, encrypted settings are tried. For a POP3 server, the connection permutations are as shown in the
following table.
Server | User name | Port | TLS/SSL | SPA
Next, permutations that are not encrypted are tried, after the user is asked to continue with connection
attempts that are not encrypted. The unencrypted POP3 settings that Outlook 2010 attempts to configure
are as shown in the following table.
Server | User name | Port | TLS/SSL | SPA
SMTP settings
First, encrypted settings are tried. For an SMTP server, the connection permutations are as shown in
the following table.
Server | User name | Port | TLS/SSL | SPA
Next, permutations that are not encrypted are tried, after the user is asked to continue with connection
attempts that are not encrypted. The unencrypted SMTP settings that Outlook 2010 attempts to configure
are as shown in the following table.
Server | User name | Port | TLS/SSL | SPA
See Also
Overview of Autodiscover Service: Exchange 2007 Help (http://go.microsoft.com/fwlink/?linkId=183290)
Understanding the Autodiscover Service: Exchange 2010 Help
(http://go.microsoft.com/fwlink/?linkId=183289)
Plan for compliance and archiving in Outlook
2010
This article discusses the planning considerations to deploy Retention Policy and Personal Archive
features with Microsoft Outlook 2010 and Microsoft Exchange Server 2010. These features together
can provide a great way to enable users to stay in compliance with mail retention policies, and have the
space to store their business-critical information by using the Personal Archive.
Even if your organization does not strictly enforce compliance, the Personal Archive is a great solution
to migrate your organization away from personal Microsoft Outlook data files (.pst) or third-party
archiving solutions. The Personal Archive enables users to archive their e-mail messages in a managed
location for backup, data recovery, and compliance needs.
Retention Policy and Personal Archive are available only when you use Outlook 2010 as part of
Microsoft Office Professional 2010 or Microsoft Office Professional Plus 2010 with an Exchange Server
2010 account, and the Exchange administrator has enabled Retention Policy and Online Archive.
In this article:
Planning a Retention Policy deployment
Planning a Personal Archive deployment
Defining your Retention Policies
Deciding on which Retention Policies have to be available for your organization, departments, and
users should be a conversation that you have with your legal or compliance department. Your company
might be subject to government or additional regulation that can be enforced by using Retention
Policies. Because departments can be under different regulations, you should organize your policies
into logical, easy-to-manage groups. Once you understand the policies that your company must follow,
you can determine how to best implement those policies.
Personal Tags are the policies that you can give to users to apply to individual messages and folders
they have created. When you define the policies that users will follow, we recommend no more than 10
Personal Tags be used. More than that can overwhelm users. Furthermore, in the Assign Policy gallery
on the ribbon, Outlook will only show 10 Personal Tags at a time. If a user has to access more than 10
Personal Tags, they can select More Retention Policies in the Assign Policy gallery.
Note:
Policies on these special folders cannot be changed by the user even if there is no
Retention Policy Tag applied to the folder.
3. Personal Tag This is a type of policy that will appear in the Retention Policy user interface (UI) for
the user to apply to folders that they create and to individual e-mail messages.
a. Users cannot apply these policies to any of the special folders listed under Retention Policy
Tag earlier in this section.
b. Users can apply these policies to e-mail messages within special folders, but not the folder
itself.
c. Users can apply these policies to their own user-created folders.
Note:
Search folders do not support retention policies because they do not contain actual e-mail
messages.
Personal Tags
For users to set a Retention Policy on a folder or e-mail message, they must be provided with one or
more Personal Tags. By default, the Ribbon Assign Policy gallery shows the first 10 policies (Personal
Tags) in alphabetical order. This menu list shows the most recently used policies. However, as
additional policies are used, they will be displayed in alphabetical order on the ribbon. When a user
applies a policy to a folder by using the folder properties dialog box, the full list of available Personal
Tags is shown.
The Personal Tags that are created for the user should have names that clearly describe the type of
content that requires the policy. For example, if e-mail messages that mention a patent have to be
retained for 7 years, create a policy that is titled Patent Information and set it for 2,555 days. Outlook
will automatically translate the number of days into a human-readable format and append the length
after the title. So, in Outlook, the policy will appear as Patent Information (7 years).
You should also add a description of the policy so that users can get more clarification on which e-mail
messages are in scope for that Personal Tag. The description should describe in detail the type of
content that falls under that policy. For example:
Policy: Patent Information (7 years)
Description: All email messages that are related to a patent.
This is the order in which a policy takes precedence on an e-mail message:
1. Policy on the e-mail (Personal Tag)
2. Policy on the folder that contains the e-mail
3. Policy on the parent of that folder, and the parent folders above
4. Policy on the mailbox (Default Policy Tag)
For example: A user has a folder named Financial Documents with the Finance (3 years) Retention
Policy applied to it. One of the e-mail messages in the folder describes finance department policy and
resides in the Financial Documents folder for easy reference. The user can mark that e-mail message
with a Retention Policy of Reference (Never) so that the e-mail message is never deleted, even
though the folder policy is Finance (3 years).
Distribution lists
If your organization uses Distribution Lists, a Personal Tag that deletes e-mail messages after 1-4
weeks can help users manage their mailbox quota more easily. Users can create an Outlook rule to
automatically apply the policy to e-mail messages or to have messages delivered to a folder that has
the policy applied.
Warning:
If you do not have a warm-up period, important e-mail messages could be deleted before the
user is able to apply a longer policy.
Similarly, during any period in which users will not be monitoring their e-mail messages, such as being
away on extended vacation or parental leave, their mailboxes should be put on Retention Hold. This is
so that their information is not accidentally deleted. When they return to work and have had enough
time to go through their e-mail messages, turn off Retention Hold.
Important
If you use a Default Policy Tag or Retention Policy Tag on the user's mailbox or special
folders, and the user uses cached mode to connect to Exchange, there will be an initial
degradation in performance in Outlook while their Outlook profile is updated with the policy
information. The time that is required to process the data file depends on its size and the speed
of the computer. Users should be informed of the performance impact as their mailbox is
updated.
Or, you can delete the user's Outlook profile and create a new profile for that account. When
the user starts Outlook, Outlook will download the e-mail messages with the policy information
already added. Depending on the size of the account's mailbox, this might be faster than
updating the existing account. However, after you create a new profile with that account, all
messages must be indexed again to enable searching in Outlook.
Users can determine which Retention Policy is being applied to a message by looking under the
CC line in the Reading Pane or at the bottom of the reading inspector.
Copy on Write
With Exchange Server 2010, you can ensure that all versions of an e-mail message are saved with the
Copy on Write feature. This feature copies the original version of an e-mail message that was
modified and stores it in a hidden folder named Versions. The properties on an e-mail message that can
trigger a copy can be found in Understanding Legal Hold
(http://go.microsoft.com/fwlink/?LinkId=195174). This functionality is automatically turned on by using
Litigation Hold.
Determining your archive policies
By default, the following archive policies are created for a user when they are given a Personal Archive:
Default Policy (2 years): The default archive policy applies to a user's entire mailbox. It archives
all e-mail messages for which the received date is older than 2 years.
Personal Tags: By default, the following Personal Tags are given to users to apply to their folders
and e-mail messages.
6 months
1 year
2 years
5 years
Never
Archive policies cannot be applied through Exchange to special folders in the user's mailbox, such as
the Inbox and Sent Items folders. By default, all folders in the user's mailbox inherit the Default
Policy. But the user can change the policy on any folder or e-mail message by using Personal Tags.
e-mail account in Outlook. You can deploy this registry key by manually adding it to the user's registry
or by using the Prevent copying or moving items between accounts setting in Group Policy.
This registry key provides more control than the two typically used registry keys DisablePST and
PSTDisableGrow in Outlook 2010. Because it prevents users from moving data out of restricted
accounts without limiting their .pst use, users are able to use personal e-mail accounts in Outlook that
might deliver e-mail messages to a .pst file. They are also able to read messages and copy messages
from their existing .pst file. The DisableCrossAccountCopy registry key is recommended to
completely replace the need for DisablePST and PSTDisableGrow for these reasons. Optionally, you
can also prevent users from copying data out of their synchronized lists in Microsoft SharePoint 2010
Products.
The DisableCrossAccountCopy registry key is located in
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\.
Or, you can set the DisableCrossAccountCopy in Group Policy by enabling the Prevent copying or
moving items between accounts setting under User Configuration\Administrative
Templates\Microsoft Outlook 2010\Account Settings\Exchange.
If your organization has already deployed the DisablePST or PSTDisableGrow registry keys, they will
not affect the behavior of the DisableCrossAccountCopy key. If you have users who do not use
Outlook 2010, all three keys can be deployed at the same time. However, for most organizations, the
DisablePST and PSTDisableGrow registry keys are unnecessary.
The following is the list of ways that copying or moving e-mail messages out of an account or Outlook
data file (.pst) will be restricted:
Users cannot drag and drop messages from a restricted account into another account or Outlook
data file (.pst).
Users cannot use the Move menu to move or copy messages from a restricted account into
another account or Outlook data file (.pst).
When using AutoArchive, all accounts that have been restricted will not have the option to archive
data.
In the Mailbox Cleanup menu of the Backstage view, the Archive option will not list restricted
accounts as an option for archiving.
Rules will not move messages out of the restricted accounts.
Users will be unable to export messages out of restricted accounts.
The Clean Up feature will not delete redundant parts of e-mail conversations in restricted accounts.
To prevent users from moving or copying messages from restricted accounts to their computers, you
can deploy the DisableCopyToFileSystem registry key.
The DisableCopyToFileSystem registry key is located in
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\.
Registry entry | Type | Value | Description | Deployment
2. Domain name of e-mail account to be restricted. You can specify the domain of the accounts that
you want to restrict. For example, contoso.com.
3. SharePoint. This string will restrict dragging data out of all SharePoint lists to the computer.
See Also
Place a Mailbox on Retention Hold (http://go.microsoft.com/fwlink/?LinkId=195158)
Understanding Legal Hold (http://go.microsoft.com/fwlink/?LinkId=195174)
Understanding Retention Tags and Retention Policies: Exchange 2010 Help
(http://go.microsoft.com/fwlink/?LinkId=195435)
Understanding Personal Archive: Exchange 2010 Help (http://go.microsoft.com/fwlink/?LinkId=169269)
Plan for security and protection in Outlook 2010
This section describes features in Microsoft Outlook 2010 that can help keep an organization's e-mail
messaging secure.
In this section:
Article | Description
Choose security and protection settings for Outlook 2010 | Describes how to customize many of the
security-related features in Outlook 2010, including how the security settings are enforced, which kind
of ActiveX controls can run, custom forms security, and programmatic security settings.
Plan attachment settings in Outlook 2010 | Describes how to configure Outlook 2010 attachment security
settings by using Group Policy and the Outlook 2010 template (Outlk14.adm).
Plan for e-mail messaging cryptography in Outlook 2010 | Describes how to configure security features
in Outlook 2010 to help users send and receive cryptographic e-mail messages.
Plan for limiting junk e-mail in Outlook 2010 | Discusses how the Outlook 2010 Junk E-mail Filter works,
and which settings you can configure for the Junk E-mail Filter and for automatic picture download.
Choose security and protection settings for
Outlook 2010
You can customize many of the security-related features in Microsoft Outlook 2010. This includes how
the security settings are enforced, which kind of ActiveX controls can run, custom forms security, and
programmatic security settings. You can also customize Outlook 2010 security settings for attachments,
Information Rights Management, junk e-mail, and encryption, which are covered in additional articles
listed in Additional settings later in this article.
Caution:
By default, Outlook is configured to use high security-related settings. High security levels can
result in limitations to Outlook functionality, such as restrictions on e-mail message attachment
file types. Be aware that lowering any default security settings might increase the risk of virus
execution or virus propagation. Use caution, and read the documentation before you modify
these settings.
In this article:
Overview
Specify how security settings are enforced in Outlook
How administrator settings and user settings interact in Outlook 2010
Working with Outlook COM add-ins
Customize ActiveX and custom forms security in Outlook 2010
Customize programmatic settings in Outlook 2010
Additional settings
Overview
By default, Outlook is configured to use high security-related settings. High security levels can result in
limitations to Outlook functionality, such as restrictions on e-mail message attachment file types. You
might need to lower default security settings for your organization. However, be aware that lowering any
default security settings might increase the risk of virus execution or propagation.
Before you begin configuring security settings for Outlook 2010 by using Group Policy or the Outlook
Security template, you must configure the Outlook Security Mode in Group Policy. If you do not set the
Outlook Security Mode, Outlook 2010 uses the default security settings and ignores any Outlook 2010
security settings that you have made.
For information about how to download the Outlook 2010 administrative template, and about other
Office 2010 Administrative Templates, see Office 2010 Administrative Template files (ADM, ADMX,
ADML) and Office Customization Tool (http://technet.microsoft.com/library/2aa26c81-d80c-4be4-9114-
8ea205ef47f2(Office.14).aspx). For more information about Group Policy, see Group Policy overview
for Office 2010 and Enforce settings by using Group Policy in Office 2010
(http://technet.microsoft.com/library/873a5392-1b1a-47a1-a863-1f29ef116d0e(Office.14).aspx).
Use Outlook Security Group Policy | Outlook uses the security settings from Group Policy
(recommended).
Use Security Form from Outlook Security Settings Public Folder | Outlook uses the settings from the
security form published in the designated public folder.
Use Security Form from Outlook 10 Security Settings Public Folder | Outlook uses the settings from the
security form published in the designated public folder.
Group Policy to enforce settings in Outlook 2010, you must manually migrate the settings that you
configured earlier to the corresponding Group Policy settings for Outlook 2010.
Customized settings configured by using Group Policy might not be active
immediately. You can configure Group Policy to refresh automatically (in the background) on
users' computers while users are logged on, at a frequency that you determine. To ensure that new
Group Policy settings are active immediately, users must log off and log back on to their computers.
Outlook checks security settings only at startup. If security settings are refreshed while
Outlook is running, the new configuration is not used until the user closes and restarts Outlook.
No customized settings are applied in Personal Information Manager (PIM)-only mode. In
PIM mode, Outlook uses the default security settings. No administrator settings are necessary or
used in this mode.
Special environments
When you use Group Policy to configure security settings for Outlook 2010, consider whether your
environment includes one or more of the scenarios shown in the following table.
Scenario: Users who access their mailboxes by using a hosted Exchange Server
Issue: If users access mailboxes by using a hosted Exchange Server, you might use the Outlook Security
template to configure security settings or use the default Outlook security settings. In hosted
environments, users access their mailboxes remotely; for example, by using a virtual private network
(VPN) connection or by using Outlook Anywhere (RPC over HTTP). Because Group Policy is deployed by
using Active Directory and, in this scenario, the user's local computer is not a member of the domain,
Group Policy security settings cannot be applied.
Also, by using the Outlook Security template to configure security settings, users automatically receive
updates to security settings. Users cannot receive updates to Group Policy security settings unless their
computer is in the Active Directory domain.
Scenario: Users with administrative rights on their computers
Issue: Restrictions to Group Policy settings are not enforced when users log on with administrative
rights. Users with administrative rights can also change the Outlook security settings on their computer
and can remove or alter the restrictions that you have configured. This is true not only for Outlook
security settings, but for all Group Policy settings.
Although this can be problematic when an organization intends to have standardized settings for all
users, there are mitigating factors:
Group Policy overrides local changes at the next logon. Changes to Outlook security settings revert to
the Group Policy settings when the user logs on.
Overriding a Group Policy setting affects only the local computer. Users with administrative rights affect
only security settings on their computer, not the security settings for users on other computers.
Users without administrative rights cannot change policies. In this scenario, Group Policy security
settings are as secure as settings configured by using the Outlook Security template.
Scenario: Users who access Exchange mailboxes by using Outlook Web App
Issue: Outlook and Outlook Web App do not use the same security model. OWA has separate security
settings stored on the Exchange Server computer.
The OM Guard cannot be modified by using the Outlook security form or Group Policy. However, if you
use default Outlook 2010 security settings, all COM add-ins that are installed in Outlook 2010 are
trusted by default. If you customize security settings by using Group Policy, you can specify COM add-
ins that are trusted and that can run without encountering the Outlook object model blocks.
To trust a COM add-in, you include the file name for the add-in in a Group Policy setting, together with a
calculated hash value for the file. Before you can specify an add-in as trusted by Outlook, you must
install a program to calculate the hash value. For information about how to do this, see Manage trusted
add-ins for Outlook 2010 (http://technet.microsoft.com/library/96604a08-00aa-48dd-81dc-
2d9379f474fe(Office.14).aspx).
If you enforce customized Outlook security settings with the Microsoft Exchange Server security form published in an Exchange Server public folder, see the Trusted Code tab section of the Microsoft Office 2003 Resource Kit article Outlook Security Template Settings (http://go.microsoft.com/fwlink/?LinkId=75744) to learn how to trust COM add-ins.
If the user continues to see security prompts after the add-in is included in the list of trusted add-ins,
you must work with the COM add-in developer to resolve the problem. For more information about
coding trusted add-ins, see Important Security Notes for Microsoft Outlook COM Add-in Developers
(http://go.microsoft.com/fwlink/?LinkId=74697).
When you enable the Allow ActiveX One Off Forms setting, you have three options, which are described in the following table.
Option Description
Allows all ActiveX Controls: Allows all ActiveX controls to run without restrictions.
Allows only Safe Controls: Allows only safe ActiveX controls to run. An ActiveX control is safe if it is signed with Authenticode and the signer is listed in the Trusted Publishers List.
Load only Outlook Controls: Outlook loads only the following controls. These are the only controls that can be used in one-off forms.
Controls from fm20.dll
Microsoft Office Outlook Rich Format Control
Microsoft Office Outlook Recipient Control
Microsoft Office Outlook View Control
If you do not configure any of these options, the default is to load only Outlook controls.
Option Description
Allow scripts in one-off Outlook forms: Run scripts in forms where the script and the layout are contained in the message. If users receive a one-off form that contains script, users are prompted to ask whether they want to run the script.
Set Outlook object model Custom Actions execution prompt: Specifies what occurs when a program attempts to run a custom action by using the Outlook object model. A custom action can be created to reply to a message and circumvent the programmatic send protections previously described. Select one of the following:
Prompt user enables the user to receive a message and decide whether to allow programmatic send access.
Automatically approve always allows programmatic send access without displaying a message.
Automatically deny always denies programmatic send access without displaying a message.
Prompt user based on computer security enforces the default configuration in Outlook 2010.
Note:
The Exchange Server Security template includes settings for Collaboration Data Objects
(CDO). However, using CDO with Outlook 2010 is not supported.
You can use Group Policy to configure programmatic security settings for the Outlook object model. In
Group Policy, load the Outlook 2010 template (Outlk14.adm). The Group Policy settings are located
under User Configuration\Administrative Templates\Microsoft Outlook 2010\Security\Security
Form Settings\Programmatic Security. These settings cannot be configured by using the Office
Customization Tool.
The following are descriptions of the Group Policy options for programmatic settings. You can choose
one of the following settings for each item:
Prompt user: Users receive a message allowing them to choose whether to allow or deny the operation. For some prompts, users can choose to allow or deny the operation without prompts for up to 10 minutes.
Automatically approve: Outlook automatically grants programmatic access requests from any program. This option can create a significant vulnerability, and we do not recommend it.
Automatically deny: Outlook automatically denies programmatic access requests from any program and the user does not receive a prompt.
Prompt user based on computer security: Outlook relies on the setting in the "Programmatic Access" section of the Trust Center. This is the default behavior.
The settings that you can configure for programmatic security settings for the Outlook object model are shown in the following table.
Option Description
Configure Outlook object model prompt when accessing an address book: Specifies what happens when a program attempts to gain access to an address book by using the Outlook object model.
Configure Outlook object model prompt when accessing the Formula property of a UserProperty object: Specifies what happens when a user adds a Combination or Formula custom field to a custom form and binds it to an Address Information field. By doing this, code can be used to indirectly retrieve the value of the Address Information field by getting the Value property of the field.
Configure Outlook object model prompt when executing Save As: Specifies what happens when a program attempts to programmatically use the Save As command to save an item. When an item has been saved, a malicious program could search the file for e-mail addresses.
Configure Outlook object model prompt when reading address information: Specifies what happens when a program attempts to gain access to a recipient field, such as To, by using the Outlook object model.
Configure Outlook object model prompt when responding to meeting and task requests: Specifies what happens when a program attempts to send mail programmatically by using the Respond method on task requests and meeting requests. This method is similar to the Send method on mail messages.
Configure Outlook object model prompt when sending mail: Specifies what happens when a program attempts to send mail programmatically by using the Outlook object model.
Additional settings
The following table lists the articles that cover additional security settings not included in this article.
Feature Related resources
ActiveX controls: Plan security settings for ActiveX controls for Office 2010
Information Rights Management: Plan for Information Rights Management in Office 2010
See Also
Plan security for Office 2010
Plan attachment settings in Outlook 2010
In Microsoft Outlook 2010, you can specify that attachments to Outlook items (such as e-mail
messages or appointments) are restricted based on the file type of the attachment. A file type can have
either a Level 1 or Level 2 restriction. You can also configure what users can do with attachment
restrictions. For example, you could allow users to change the restrictions for a group of attachment file
types from Level 1 (user cannot view the file) to Level 2 (user can open the file after saving it to disk).
Note:
To enforce attachment settings, you must first configure the method that Outlook 2010 uses to
enforce security settings by using Group Policy. For information about how to set the Outlook
2010 method to enforce security settings, see Specify how security settings are enforced in
Outlook in Choose security and protection settings for Outlook 2010.
This article is for Outlook administrators. To learn more about why some Outlook attachments are
blocked, see Blocked attachments: The Outlook feature you love to hate
(http://go.microsoft.com/fwlink/?LinkId=81268). To learn how to share files that have restricted file
types, see Blocked attachments in Outlook (http://go.microsoft.com/fwlink/?LinkId=188575).
In this article:
Overview
Add or remove Level 1 file name extensions
Add or remove Level 2 file name extensions
Configure additional attachment file restrictions
Overview
In Outlook 2010, access to some attachments in items (such as e-mail messages or appointments) is restricted. Files that have specific file types can be categorized as Level 1 (the user cannot view the file) or Level 2 (the user can open the file after saving it to disk).
By default, Outlook 2010 classifies several file types as Level 1 and blocks files that have those
extensions from being received by users. Examples include .cmd, .exe, and .vbs file name extensions.
As an administrator, you can use Group Policy to manage how a file type is categorized for e-mail
attachment blocking. For example, you can change a file type categorization from Level 1 to Level 2 or
create a list of Level 2 file types. There are no Level 2 file types by default.
You can configure Outlook 2010 attachment security settings by using Group Policy and the Outlook 2010 template (Outlk14.adm). Most of the attachment security settings are found under User Configuration\Administrative Templates\Microsoft Outlook 2010\Security\Security Form Settings\Attachment Security. Settings to prevent users from customizing attachment security settings and to use Protected View for attachments received from internal senders are found under User Configuration\Administrative Templates\Microsoft Outlook 2010\Security. Attachment security settings cannot be configured by using the Office Customization Tool (OCT).
For more information about Protected View, see Plan Protected View settings for Office 2010.
For information about how to download the Outlook 2010 administrative template, and about other Office 2010 Administrative Templates, see Office 2010 Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool (http://technet.microsoft.com/library/2aa26c81-d80c-4be4-9114-8ea205ef47f2(Office.14).aspx). For more information about Group Policy, see Group Policy overview for Office 2010 and Enforce settings by using Group Policy in Office 2010 (http://technet.microsoft.com/library/873a5392-1b1a-47a1-a863-1f29ef116d0e(Office.14).aspx).
Option Description
Add file extensions to block as Level 1: Specifies the file types (usually three letters) you want to add to the Level 1 file list. Do not enter a period before each file name extension. If you enter multiple file name extensions, separate them with semicolons.
Remove file extensions blocked as Level 1: Specifies the file types (usually three letters) you want to remove from the Level 1 file list. Do not enter a period before each file type. If you enter multiple file types, separate them with semicolons.
Add or remove Level 2 file name extensions
With a Level 2 file type, the user is required to save the file to the hard disk before the file is opened. A
Level 2 file cannot be opened directly from an item.
When you remove a file type from the Level 2 list, it becomes a regular file type that can be opened,
saved, and printed in Outlook 2010. There are no restrictions on the file.
The settings in the following table let you add or remove Level 2 file types from the default list. In Group Policy, these settings are found under User Configuration\Administrative Templates\Microsoft Outlook 2010\Security\Security Form Settings\Attachment Security. These settings cannot be configured by using the OCT.
Option Description
Add file extensions to block as Level 2: Specifies the file name extension (usually three letters) you want to add to the Level 2 file list. Do not enter a period before each file name extension. If you enter multiple file name extensions, separate them with semicolons.
Remove file extensions blocked as Level 2: Specifies the file name extension (usually three letters) you want to remove from the Level 2 file list. Do not enter a period before each file name extension. If you enter multiple file name extensions, separate them with semicolons.
Option Description
Display Level 1 attachments: Enables users to access all attachments that have Level 1 file types by first saving the attachments to disk, and then opening them (as with Level 2 attachments).
Allow users to demote attachments to Level 2: Enables users to create a list of attachment file name extensions to demote from Level 1 to Level 2. If you do not configure this Group Policy setting, the default behavior in Outlook is to ignore the user's list. The registry key in which users create the list of file types to demote is HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security\Level1Remove. In the registry key, users specify the file name extensions (usually three letters) to remove from the Level 1 file list, separated with semicolons.
Do not prompt about Level 1 attachments when sending an item: Prevents users from receiving a warning when they send an item that contains a Level 1 attachment. This option affects only the warning. Once the item is sent, recipients might be unable to view or access the attachment, depending on their security settings. If you want users to be able to post items to a public folder without receiving this prompt, you must enable this setting and the Do not prompt about Level 1 attachments when closing an item setting.
Do not prompt about Level 1 attachments when closing an item: Prevents users from receiving a warning when they close an e-mail message, appointment, or other item that contains a Level 1 attachment. This option affects only the warning. Once the item is closed, the user cannot view or gain access to the attachment. If you want users to be able to post items to a public folder without receiving this prompt, you must enable this setting and the Do not prompt about Level 1 attachments when sending an item setting.
Display OLE package objects: Displays OLE objects that have been packaged. A package is an icon that represents an embedded or linked OLE object. When you double-click the package, the program that was used to create the object either plays the object (for example, if the object is a sound file) or opens and displays the object. Allowing Outlook to display OLE package objects can be problematic, because the icon can be easily changed and used to disguise malicious files.
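As an added example that is not part of this guide or of any Microsoft code, the following Python works out which level an attachment ends up at once the Level 1 and Level 2 add/remove lists and the "Allow users to demote attachments to Level 2" setting described above are combined. The default Level 1 set is a constructed subset of Outlook's real list (the page names .cmd, .exe and .vbs), the policy values in the test are constructed, and the precedence rules noted in the comments are assumptions rather than documented Outlook behavior.

```python
"""Resolve the effective Outlook 2010 attachment level for a file name
extension from the Group Policy lists described above.

Added example, not Microsoft code. Assumptions: the default Level 1 set is a
constructed subset; an extension that appears in both effective lists is
treated as Level 1 (the more restrictive level); an extension that the
administrator removes from Level 1 becomes unrestricted unless it is also
added to Level 2.
"""
from dataclasses import dataclass

# Constructed subset of the default Level 1 list (the real list is longer).
DEFAULT_LEVEL1 = frozenset({"cmd", "exe", "vbs"})


def parse_extension_list(value):
    """Parse a semicolon-separated extension list as entered in the policy.

    The policy text says not to type a leading period, but a stray one is
    tolerated here by normalizing it away; entries are case-folded because
    Windows file name extensions are case-insensitive.
    """
    if not value:
        return set()
    result = set()
    for raw in value.split(";"):
        ext = raw.strip().lstrip(".").lower()
        if ext:
            result.add(ext)
    return result


@dataclass
class AttachmentPolicy:
    # Values of the Group Policy settings from the tables above.
    level1_add: str = ""         # Add file extensions to block as Level 1
    level1_remove: str = ""      # Remove file extensions blocked as Level 1
    level2_add: str = ""         # Add file extensions to block as Level 2
    level2_remove: str = ""      # Remove file extensions blocked as Level 2
    allow_user_demote: bool = False  # Allow users to demote attachments to Level 2
    # Value the user wrote to HKCU\...\Office\14.0\Outlook\Security\Level1Remove.
    user_level1_remove: str = ""

    def effective_lists(self):
        """Return (level1, level2) as sets of extensions."""
        level1 = DEFAULT_LEVEL1 | parse_extension_list(self.level1_add)
        level1 = level1 - parse_extension_list(self.level1_remove)
        level2 = parse_extension_list(self.level2_add)
        level2 = level2 - parse_extension_list(self.level2_remove)
        # The user's own Level1Remove value is honored only when the
        # "Allow users to demote" policy is enabled; otherwise it is ignored.
        if self.allow_user_demote:
            demoted = parse_extension_list(self.user_level1_remove) & level1
            level1 = level1 - demoted
            level2 = level2 | demoted
        return set(level1), set(level2)

    def classify(self, filename):
        """Return "Level 1", "Level 2" or "Unrestricted" for a file name."""
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        level1, level2 = self.effective_lists()
        if ext in level1:
            return "Level 1"      # blocked: the user cannot view the file
        if ext in level2:
            return "Level 2"      # must be saved to disk before opening
        return "Unrestricted"


if __name__ == "__main__":
    # Constructed policy: block .ps1 and .reg, demote .vbs to Level 2,
    # and let users demote further via their own Level1Remove value.
    policy = AttachmentPolicy(level1_add="ps1;reg", level1_remove="vbs",
                              level2_add="vbs;zip", allow_user_demote=True,
                              user_level1_remove="exe")
    for name in ("setup.exe", "script.ps1", "macro.vbs", "notes.txt"):
        print(name, "->", policy.classify(name))
```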
The settings in the following table are found in Group Policy under User Configuration\Administrative Templates\Microsoft Outlook 2010\Security. These settings cannot be configured by using the OCT.
Action Description
Prevent users from customizing attachment security settings: When enabled, users cannot customize the list of file types that are allowed as attachments in Outlook, regardless of how you have configured other Outlook security settings.
Use Protected View for attachments received from internal senders: When enabled, attachments received from senders within your organization open in Protected View. This setting only applies to Microsoft Outlook accounts that connect to a Microsoft Exchange Server computer.
See Also
Choose security and protection settings for Outlook 2010
Attachment file types restricted by Outlook 2010 (http://technet.microsoft.com/library/bc667b4c-1645-42be-8dc0-af56dc11ef5b(Office.14).aspx)
Plan Protected View settings for Office 2010
Plan for e-mail messaging cryptography in Outlook 2010
Microsoft Outlook 2010 supports security-related features to help users send and receive cryptographic
e-mail messages. These features include cryptographic e-mail messaging, security labels, and signed
receipts.
Note:
To obtain full security functionality in Microsoft Outlook, you must install Outlook 2010 with local
administrative rights.
In this article:
About Cryptographic messaging features in Outlook 2010
Managing cryptographic digital IDs
Security labels and signed receipts
Configuring Outlook 2010 cryptographic settings
Configuring additional cryptography settings
How Outlook 2010 implements cryptographic messaging
The Outlook 2010 cryptography model uses public key encryption to send and receive signed and
encrypted e-mail messages. Outlook 2010 supports S/MIME V3 security, which allows users to
exchange security-enhanced e-mail messages with other S/MIME e-mail clients over the Internet or
intranet. E-mail messages encrypted by the user's public key can be decrypted only by using the
associated private key. This means that when a user sends an encrypted e-mail message, the
recipient's certificate (public key) encrypts it. When a user reads an encrypted e-mail message, the
user's private key decrypts it.
In Outlook 2010, users are required to have a security profile to use cryptographic features. A security
profile is a group of settings that describes the certificates and algorithms used when a user sends
messages that use cryptographic features. Security profiles are configured automatically if the profile is
not already present when:
The user has certificates for cryptography on his or her computer.
The user begins to use a cryptographic feature.
You can customize these security settings for users in advance. You can use registry settings or Group
Policy settings to customize Outlook to meet your organization's cryptographic policies and to configure
(and enforce, by using Group Policy) the settings that you want in the security profiles. These settings
are described in Configuring Outlook 2010 cryptographic settings later in this article.
Managing cryptographic digital IDs
Outlook 2010 provides ways for users to manage their digital IDs, the combination of a user's certificate and public and private encryption key set. Digital IDs help keep users' e-mail messages secure by letting them exchange cryptographic messages. Managing digital IDs includes the following:
Obtaining a digital ID. For more information about how users can obtain a digital ID, see the
Outlook Help topic Get a digital ID (http://go.microsoft.com/fwlink/?LinkId=185585).
Storing a digital ID, so you can move the ID to another computer or make it available to other users.
Providing a digital ID to other users.
Exporting a digital ID to a file. This is useful when the user is creating a backup or moving to a new
computer.
Importing a digital ID from a file into Outlook. A digital ID file might be a user's backup copy or might
contain a digital ID from another user.
Renewing a digital ID that has expired.
A user who performs cryptographic messaging at more than one computer must copy his or her digital
ID to each computer.
There are several ways to provide a digital ID to other users, including the following:
Use a certificate to digitally sign an e-mail message. A user provides his or her public key to
another user by composing an e-mail message and digitally signing the message by using a
certificate. When Outlook users receive the signed message, they right-click the user's name on the
From line, and then click Add to Contacts. The address information and the certificate are saved
in the Outlook user's contacts list.
Provide a certificate by using a directory service, such as the Microsoft Exchange Global
Address Book. Another alternative is for a user to automatically retrieve another user's certificate
from an LDAP directory on a standard LDAP server when he or she sends an encrypted e-mail
message. To gain access to a certificate in this manner, users must be enrolled in S/MIME security
with digital IDs for their e-mail accounts.
A user can also obtain certificates from the global address book.
Two examples of security labels include the following:
An Internal Use Only label might be implemented as a security label to apply to mail that should not
be sent or forwarded outside your company.
A label can specify that certain recipients cannot forward or print the message, if the recipient also
has the security policy installed.
Users can also send security-enhanced receipt requests with messages to verify that the recipients
recognize the user's digital signature. When the message is received and saved (even if it is not yet
read) and the signature is verified, a receipt implying that the message was read is returned to the
user's Inbox. If the user's signature is not verified, no receipt is sent. When the receipt is returned,
because the receipt is also signed, you have verification that the user received and verified the
message.
Cryptography option Description
Always use TNEF formatting in S/MIME messages: Always use transport neutral encapsulation format (TNEF) for S/MIME messages instead of the format specified by the user.
Do not check e-mail address against address of certificates being used: Do not verify the user's e-mail address by using the address of certificates that are used for encryption or signing.
Do not display 'Publish to GAL' button: Disable the Publish to GAL button on the E-mail Security page of the Trust Center.
Do not provide Continue option on Encryption warning dialog boxes: Disable the Continue button on encryption settings warning dialog boxes. Users will not be able to press Continue to send the message.
Enable Cryptography Icons: Display Outlook cryptography icons in the Outlook user interface (UI).
Ensure all S/MIME signed messages have a label: Require all S/MIME-signed messages to have a security label. Users can attach labels to e-mail messages in Outlook 2010. To do this, on the Options tab, in the More Options group, under Security, click the Security Settings button. In the Security Properties dialog box, select Add digital signature to this message. Under Security Label for Policy, select a label.
Fortezza certificate policies: Enter a list of policies allowed in the policies extension of a certificate that indicate the certificate is a Fortezza certificate. List policies separated by semicolons.
cannot find the digital ID to decode a message
Minimum encryption settings: Set to the minimum key length for an encrypted e-mail message. Outlook will display a warning message if the user tries to send a message by using an encryption key that is below the minimum encryption key value set. The user can still choose to ignore the warning and send by using the encryption key originally chosen.
Required Certificate Authority: Set the name of the required certification authority (CA). When a value is set, Outlook disallows users from signing e-mail by using a certificate from a different CA.
S/MIME interoperability with external clients: Specify the behavior for handling S/MIME messages: Handle internally, Handle externally, or Handle if possible.
S/MIME receipt requests behavior: Specify an option for how S/MIME receipt requests are handled:
Open message if receipt can't be sent
Don't open message if receipt can't be sent
Always prompt before sending receipt
Never send S/MIME receipts
Sign all e-mail messages: Require digital signatures on all outgoing e-mail messages.
URL for S/MIME certificates: Provide a URL at which users can obtain an S/MIME receipt. The URL can contain three variables (%1, %2, and %3) that will be replaced by the user's name, e-mail address, and language, respectively.
When you specify a value for URL for S/MIME certificates, use the following parameters to send information about the user to the enrollment Web page.
For example, to send user information to the Microsoft enrollment Web page, set the URL for S/MIME certificates entry to the following value, including the parameters:
www.microsoft.com/ie/certpage.htm?name=%1&email=%2&helplcid=%3
For example, if the user's name is Jeff Smith, e-mail address is [email protected], and user interface language ID is 1033, the placeholders are resolved as follows:
www.microsoft.com/ie/certpage.htm?name=Jeff%20Smith&[email protected]&helplcid=1033
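The placeholder substitution just described, as an added Python example that is not part of this guide or of any Microsoft code: it resolves %1, %2 and %3 the way the Jeff Smith example shows (name encoded as Jeff%20Smith), percent-encodes each value so that a display name containing '&' or '=' cannot add or alter query parameters on the enrollment page, and decodes the resulting query string to confirm what the page would receive. The template is the one quoted above; the e-mail addresses in the test data are constructed.

```python
"""Resolve the %1, %2 and %3 placeholders of the "URL for S/MIME
certificates" policy value.

Added example, not Microsoft code. The template string is the one quoted in
the table above; any e-mail address passed in by the caller is sample data.
"""
import re
from urllib.parse import parse_qs, quote, urlsplit

# Only these three tokens are substituted; anything else is left untouched.
PLACEHOLDER = re.compile(r"%[123]")


def resolve_certificate_url(template, display_name, email, lcid):
    """Return the template with %1/%2/%3 replaced by the user's values.

    Every value is percent-encoded as a single query component (only '@' is
    left literal, matching the sample output above), so characters such as
    '&', '=' or '#' inside a display name cannot add or alter parameters on
    the enrollment page. The substitution is done in one pass: a sequence of
    str.replace calls would re-match the "%2" inside an encoded "%20".
    """
    values = {
        "%1": quote(display_name, safe="@"),
        "%2": quote(email, safe="@"),
        "%3": quote(str(lcid), safe="@"),
    }
    return PLACEHOLDER.sub(lambda m: values[m.group(0)], template)


def enrollment_parameters(url):
    """Decode the query string exactly as the enrollment page would see it."""
    query = urlsplit(url).query
    return {key: vals[0] for key, vals in parse_qs(query).items()}


if __name__ == "__main__":
    template = "www.microsoft.com/ie/certpage.htm?name=%1&email=%2&helplcid=%3"
    url = resolve_certificate_url(template, "Jeff Smith",
                                  "jeff@contoso.example", 1033)
    print(url)
    print(enrollment_parameters(url))
```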
The settings in the following table are in Group Policy under User Configuration\Administrative
Templates\Microsoft Outlook 2010\Security\Cryptography\Signature Status dialog box. The OCT
settings are in corresponding locations on the Modify user settings page of the OCT.
Cryptography option Description
Attachment Secure Temporary Folder: Specify a folder path for the Secure Temporary Files Folder. This overrides the default path and we do not recommend it. If you must use a specific folder for Outlook attachments, we recommend that:
You use a local directory (for best performance).
You place the folder under the Temporary Internet Files folder (to benefit from the enhanced security on that folder).
The folder name is unique and difficult to guess.
Missing CRLs: Specify the Outlook response when a certificate revocation list (CRL) is missing: warning (default) or display error.
Digital certificates contain an attribute that shows where the corresponding CRL is located. CRLs contain lists of digital certificates that have been revoked by their controlling certification authorities (CAs), typically because the certificates were issued incorrectly or their associated private keys were compromised. If a CRL is missing or unavailable, Outlook cannot determine whether a certificate has been revoked. Therefore, an incorrectly issued certificate or one that has been compromised might be used to gain access to data.
Missing root certificates: Specify the Outlook response when a root certificate is missing: neither error nor warning (default), warning, or display error.
Promote Level 2 errors as errors, not warnings: Specify the Outlook response for Level 2 errors: display error or warning (default). Potential Error Level 2 conditions include the following:
Unknown Signature Algorithm
No Signing Certification Found
Bad Attribute Sets
No Issuer Certificate Found
No CRL Found
Out of Date CRL
Root Trust Problem
Out of Date CTL
Retrieving CRLs (Certificate Revocation Lists): Specify how Outlook behaves when CRL lists are retrieved:
Use system default. Outlook relies on the CRL download schedule that is configured for the operating system.
When online always retrieve the CRL. This option is the default configuration in Outlook.
Never retrieve the CRL.
See Also
Plan for security and protection in Outlook 2010
Plan security for Office 2010
Plan digital signature settings for Office 2010
Get a digital ID (http://go.microsoft.com/fwlink/?LinkId=185585)
Plan for limiting junk e-mail in Outlook 2010
This article discusses how the Outlook 2010 Junk E-mail Filter works, and which settings you can
configure for the Junk E-mail Filter and automatic picture download to meet the needs of your
organization.
This article is for Outlook administrators. To configure Outlook junk e-mail options on your computer,
see Junk E-mail Filter options (http://go.microsoft.com/fwlink/?LinkId=81371).
In this article:
Overview
Supported account types
Support in Exchange Server
Configuring the Junk E-mail Filter user interface
Configuring Automatic picture download
Overview
Microsoft Outlook 2010 includes features that can help users avoid receiving and reading junk e-mail
messages. These include the Junk E-mail Filter and the ability to disable automatic content download
from external servers.
Automatic picture download settings help reduce the risk of Web beacons activating in e-mail
messages by automatically blocking the download of pictures, sounds, and other content from external
servers in e-mail messages. By default, automatic content download is disabled.
Note:
Outlook 2010 automatically saves active content that you choose to download from the
Internet. Like Office Outlook 2007 and earlier versions, Outlook 2010 prompts you before it
downloads active content that can serve as a Web beacon. However, unlike Office Outlook
2007 and earlier versions, when you close the item, you are not prompted to save the changes.
Instead, the downloaded content is automatically saved.
The Junk E-mail Filter helps users avoid reading junk e-mail messages. By default, the filter is turned
on, and the protection level is set to Low, which is designed to filter the most obvious junk e-mail
messages. The filter replaces the rules for processing junk e-mail messages in previous versions of
Outlook (before Microsoft Office Outlook 2003). The filter incorporates technology built into the software
to evaluate e-mail messages to determine whether the messages are likely to be junk e-mail, in addition
to filtering lists that automatically block or accept messages to or from specific senders.
The Junk E-mail Filter contains two parts:
Three Junk e-mail Filter lists: Safe Senders, Safe Recipients, and Blocked Senders.
The Junk E-mail Filter that evaluates whether an unread message should be treated as junk e-mail
based on several factors that include the message content and whether the sender is included in
Junk E-mail Filter lists.
All settings for the Junk E-mail Filter are stored in each user's Outlook profile. You can override the
profile settings by using Group Policy or set default Junk E-mail Filter configurations by using the Office
Customization Tool (OCT).
The Junk E-mail Filter is provided for a subset of Outlook 2010 account types. The types are listed in
the following section, Supported account types. The filter works best when it is used with Microsoft
Exchange Server 2003 and later versions. Note that Exchange Server 2003 is the earliest version of
Exchange Server that can be used with Outlook 2010.
When Outlook users are upgraded to Outlook 2010, existing Junk E-mail Filter lists are maintained,
unless you deploy new lists to users.
These include the following:
Set the Junk E-mail Filter protection level.
Permanently delete suspected junk e-mail messages or move the messages to the Junk E-mail
folder.
Trust e-mail messages from users' Contacts.
The default values for the Junk E-mail Filter are designed to help provide a positive experience for
users. However, you can configure these settings to different defaults and set other options and policies
when you deploy Outlook 2010 to your organization.
Junk e-mail settings are set only one time. When the user first starts Outlook 2010, the settings are
configured in the profile that the user selects. Other profiles the user has, or may create later, do not
include the settings that you have configured. Instead, default settings are used.
Default values for the Junk E-mail Filter settings are as follows:
Junk E-mail protection level: Set to LOW
Permanently delete Junk E-mail: Set to OFF
Trust E-mail from Contacts: Set to OFF
You can use the OCT to configure these options to specify default values for users, or the options can be enforced by Group Policy. For information about how to configure options for the Junk E-mail Filter, see Configure junk e-mail settings in Outlook 2010 (http://technet.microsoft.com/library/d5538a83-5d2f-4acb-b372-8741afe1f212(Office.14).aspx).
Important
You can configure the following settings for the Outlook 2010 Junk E-mail filter. In the OCT, on the
Modify user settings page, these settings are under Microsoft Outlook 2010\Outlook
Options\Preferences\Junk E-mail. In Group Policy, these settings are under User
Configuration\Administrative Templates\Microsoft Outlook 2010\Outlook
Options\Preferences\Junk E-mail.
Junk e-mail option Description
Add e-mail recipients to users' Safe Senders Lists: Automatically add all e-mail recipients to users' Safe Senders Lists.
Hide Junk Mail UI: In Group Policy, disable junk e-mail filtering and hide related settings in Outlook.
Hide warnings about suspicious domain names in e-mail addresses: Enable to hide warnings about suspicious domain names in the e-mail addresses.
Junk Mail Import List: Option in the OCT. You must enable this setting to enable other junk e-mail settings configured in the OCT or in Group Policy.
Junk E-mail protection level: Select the level of junk e-mail protection for users: No Protection, Low, High, Trusted Lists Only.
Overwrite or Append Junk Mail Import List: Change default from overwrite Junk Mail Import list to append to the list.
Permanently delete Junk E-mail: Permanently delete suspected junk e-mail instead of moving it to the Junk E-mail folder.
Specify path to Blocked Senders list: Specify a text file that contains a list of e-mail addresses to append to or overwrite the Blocked Senders list.
Specify path to Safe Recipients list: Specify a text file that contains a list of e-mail addresses to append to or overwrite the Safe Recipients list.
Specify path to Safe Senders list: Specify a text file that contains a list of e-mail addresses to append to or overwrite the Safe Senders list.
Trust E-mail from Contacts: Trust e-mail addresses included in users' Contacts folders.
change the lists during their Outlook session. When users restart Outlook, Group Policy appends your list by default or, if you have enabled Overwrite or Append Junk Mail Import List, overwrites their changes with the original list that you deployed. For information about how to create and deploy default lists, see Configure junk e-mail settings in Outlook 2010 (http://technet.microsoft.com/library/d5538a83-5d2f-4acb-b372-8741afe1f212(Office.14).aspx).
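As an added example (this is not code from the Office 2010 Resource Kit), the following PowerShell function builds and sanity-checks a list file for the Specify path to Safe Senders, Safe Recipients, or Blocked Senders list settings above. It assumes that the file holds one entry per line, either a full address or a whole domain written as @domain, and that Outlook matches Safe Senders entries on the message's From address without authenticating it; whole-domain entries in a safe list therefore produce a warning before the file is deployed. The sample entries are constructed, not real addresses.

```powershell
# Added example, not Microsoft's code. Builds a sender-list text file for the
# "Specify path to ... list" settings. Assumption: one entry per line, either
# user@host.tld or a whole domain written as @host.tld.
function Build-OutlookSenderList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Entries,
        [Parameter(Mandatory)] [string]   $Path,
        [ValidateSet('SafeSenders','SafeRecipients','BlockedSenders')]
        [string] $ListType = 'SafeSenders'
    )

    $addressPattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'   # user@host.tld
    $domainPattern  = '^@[^@\s]+\.[^@\s]+$'          # @host.tld (whole domain)

    $accepted = New-Object System.Collections.Generic.List[string]
    $rejected = New-Object System.Collections.Generic.List[string]
    $domains  = New-Object System.Collections.Generic.List[string]

    foreach ($raw in $Entries) {
        $entry = ([string]$raw).Trim().ToLowerInvariant()
        if ([string]::IsNullOrEmpty($entry) -or $entry.StartsWith('#')) { continue }   # blank or comment
        if ($entry -match $addressPattern) {
            $accepted.Add($entry)
        } elseif ($entry -match $domainPattern) {
            $accepted.Add($entry)
            $domains.Add($entry)
        } else {
            $rejected.Add($raw)
        }
    }

    # Normalised and de-duplicated; the filter does not care about case or order.
    $unique = @($accepted | Sort-Object -Unique)

    # A whole-domain Safe Senders entry bypasses the filter for every message whose
    # From address claims that domain, so it deserves review before deployment.
    if ($ListType -ne 'BlockedSenders' -and $domains.Count -gt 0) {
        Write-Warning ("{0} whole-domain entries in a {1} list: {2}" -f $domains.Count, $ListType, ($domains -join ', '))
    }
    foreach ($bad in $rejected) { Write-Warning "Rejected malformed entry: '$bad'" }

    # One entry per line; ASCII keeps the file free of a byte-order mark.
    Set-Content -Path $Path -Value $unique -Encoding ASCII

    [pscustomobject]@{
        ListType      = $ListType
        Path          = $Path
        Written       = $unique.Count
        DomainEntries = $domains.Count
        Rejected      = $rejected.Count
    }
}

# Constructed sample input (not real addresses).
$sample = @(
    'alice@example.com',
    'ALICE@example.com ',          # duplicate after normalisation
    '@partner.example',            # whole-domain entry, triggers the warning
    'not an address',              # rejected
    '# comment lines are skipped'
)
Build-OutlookSenderList -Entries $sample -Path (Join-Path $env:TEMP 'SafeSenders.txt') -ListType SafeSenders
```

Point the Specify path to Safe Senders list setting at the file the function writes; the returned object gives the counts you would record in the change ticket.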
Automatic picture download option | Description
Automatically download content for e-mail from people in Safe Senders and Safe Recipients lists | Enable this option to automatically download content when an e-mail message is from someone in the user's Safe Senders list or is addressed to someone in the user's Safe Recipients list.
Block Trusted Zones | Disable this option to include Trusted Zones in the Safe Zones for Automatic Picture Download.
Display pictures and external content in HTML e-mail | Enable this option to automatically display external content in HTML mail.
Do not permit download of content from safe zones | Disable this option to automatically download content for sites in Safe Zones (as defined by the Trusted Zones, Internet, and Intranet settings).
Include Internet in Safe Zones for Automatic Picture Download | Automatically download pictures for all Internet e-mail.
Include Intranet in Safe Zones for Automatic Picture Download | Automatically download pictures for all Intranet e-mail.
Keep in mind that fetching externally hosted images confirms to the sender that the message was opened, and from which address, so widen the safe zones only where that disclosure is acceptable.
For information about how to configure automatic picture download, see Configure junk e-mail settings
in Outlook 2010 (http://technet.microsoft.com/library/d5538a83-5d2f-4acb-b372-
8741afe1f212(Office.14).aspx).
See Also
Configure junk e-mail settings in Outlook 2010 (http://technet.microsoft.com/library/d5538a83-5d2f-
4acb-b372-8741afe1f212(Office.14).aspx)
Plan for spelling checker settings in Office 2010
Depending on your objectives, you can use either Group Policy or the Office Customization Tool (OCT)
to manage the behavior of spelling checker in Office 2010. To determine which of these tools to use,
you must decide whether or not you want users to be able to change your configurations:
Group Policy enables you to set policies, which are configurations that users cannot change.
The OCT enables you to set preferences, which are configurations that users can change through
the user interface (UI). Preferences are deployed during Office 2010 setup.
The Office 2010 Group Policy and OCT settings are available in the Office 2010 Administrative
Template files (ADM, ADMX, ADML) and Office Customization Tool
(http://go.microsoft.com/fwlink/?LinkID=189316) download package. The download package also
contains an Excel 2010 workbook (Office2010GroupPolicyAndOCTSettings.xls) that has more
information about the settings. It includes registry information that can be useful if you want to configure
spelling checker options by using a script.
In this article:
Office 2010 general spelling checker settings
InfoPath 2010 spelling checker settings
OneNote 2010 spelling checker settings
Outlook 2010 spelling checker settings
PowerPoint 2010 spelling checker settings
Publisher 2010 spelling checker settings
Word 2010 spelling checker settings
The sections in this article are grouped by application. Each section contains a table that lists the
setting names, descriptions, the behavior that occurs when you enable, disable, or do not configure the
setting, and the location of the setting in the Group Policy object editor and OCT.
Note
The locations in the Group Policy Object Editor apply when you invoke the Group Policy Object
Editor to configure a GPO. To configure local Group Policy, use the Local Group Policy Editor.
To configure domain-based Group Policy, use the Group Policy Management Console
(GPMC). Either tool invokes the Group Policy Object Editor when you configure a GPO. For
more information, see Enforce settings by using Group Policy in Office 2010
(http://technet.microsoft.com/library/873a5392-1b1a-47a1-a863-1f29ef116d0e(Office.14).aspx)
and Group Policy overview for Office 2010.
The locations in the OCT are available on the Modify user settings page. For more information
about the OCT, see Office Customization Tool in Office 2010.
For more information about the spelling checker options that users can change through the UI,
see Choose how spelling and grammar checking work
(http://go.microsoft.com/fwlink/?linkID=202126).
[Table: Office 2010 general spelling checker settings, with the columns Name, Description, When enabled, When disabled, When not configured, Group Policy object editor location, and OCT location. The rows did not survive extraction.]
InfoPath 2010 spelling checker settings
The following table lists the settings that apply to InfoPath 2010.
Name: Disable commands
  Description: Allows the administrator to disable UI options.
  When enabled: The administrator can disable the following UI option: Home tab | Spelling Menu | Set Proofing Language.
  When disabled: The UI option is enabled.
  When not configured: Same as if it is disabled, except users can change the setting through the UI.
  Group Policy object editor location: Microsoft InfoPath 2010\Disable Items in User Interface\Predefined
  OCT location: Not available in the OCT.
[The remaining per-application tables (the article list above names OneNote, Outlook, PowerPoint, Publisher, and Word) use the same seven columns but did not survive extraction. Recoverable fragments: a setting whose options for users are No spell checking, Check spelling as you type, Hide spelling errors, and Check spelling but hide errors, located under ...Options\Spelling in both the Group Policy object editor and the OCT, which when not configured defaults to the check-spelling-as-you-type option that users can change through the UI; a setting named "Ignore original message text in ..."; and a setting about checking grammar when spelling is checked, which users can change through the UI when it is not configured.]
See Also
Group Policy overview for Office 2010
Enforce settings by using Group Policy in Office 2010 (http://technet.microsoft.com/library/873a5392-
1b1a-47a1-a863-1f29ef116d0e(Office.14).aspx)
Plan for proofing tools
Plan for SharePoint Workspace 2010
When you plan a Microsoft SharePoint Workspace 2010 deployment, consider your organization's
needs and objectives, especially in the context of the deployment options that are discussed here.
The following references may also be helpful:
For information about how to deploy SharePoint Workspace 2010 after planning your objectives,
see Configure and customize SharePoint Workspace 2010
(http://technet.microsoft.com/library/5290b730-b9fd-4228-93e0-7ace1766aa85(Office.14).aspx).
For information about how to deploy SharePoint Workspace 2010 for a Microsoft Groove Server-
managed environment, see Deployment for Groove Server 2010
(http://technet.microsoft.com/library/8d7d33c2-3954-489b-ac82-49f7da119489(Office.14).aspx).
In this article:
Topology options for SharePoint Workspace 2010
Network settings for SharePoint Workspace 2010
Scalability and performance considerations
Security considerations
SharePoint Workspace user authentication
Alternate access mapping
SharePoint list and library actions and settings
Search options
SharePoint Workspace backup and recovery
The following table lists key decision factors; answer each capability question with Yes or No:
- Is SharePoint Server 2010 or SharePoint Foundation 2010 used in the organization?
- Do you have to support flexible, agile peer collaboration, where users have to connect from different locales and time zones?
- Does the organization permit the use of peer collaboration software?
- Does team collaboration have to extend outside a private network or LAN to trusted partners and field sites?
- Are valuable contributions expected from clients that have no access to the organization's SharePoint sites?
- Is centralized management of peer collaboration necessary for the organization's security and management infrastructure?
The following table shows how various SharePoint Workspace topologies address these requirements:
Topology | Capabilities
[First topology row truncated in this copy; its last capability is:] Valuable contributions from clients that have no access to the organization's SharePoint sites.
SharePoint Workspace as a SharePoint and peer collaboration client | This topology supports or builds upon:
- Access to SharePoint Server 2010 or SharePoint Foundation 2010 document libraries and lists.
- Team contributors working online and offline.
- Flexible, agile peer collaboration. Groove workspaces support multiple communication protocols. This lets organizations control which ports are open for peer message transport.
- Team collaboration that extends outside a private network to trusted partners and field sites.
- Valuable contributions from clients that have no access to the organization's SharePoint sites.
SharePoint Workspace and Groove Server as a managed collaboration system | This topology supports or builds upon:
- Centralized management of peer collaboration to address the organization's security and management requirements.
- Team contributors working online and offline.
- Flexible, agile peer collaboration.
- Team collaboration extended outside a private network to trusted partners and field sites.
- Valuable contributions from clients that have no access to the organization's SharePoint sites.
- Existing integration with the Active Directory system.
For more information about this deployment topology, see Groove Server 2010 (http://technet.microsoft.com/library/fa057d58-5620-4f1a-aef2-126cad6a8b31(Office.14).aspx).
The next four sections of this article describe how the listed SharePoint Workspace deployment
topologies map to collaboration needs.
Note:
The SharePoint Workspace client lets users create SharePoint workspaces and peer
workspaces. Peer workspace types can be Groove workspaces or Shared Folders, as
described in SharePoint Workspace as a SharePoint and peer collaboration client. To deploy
SharePoint Workspace exclusively as a SharePoint client, supporting SharePoint workspaces
only, you can include with your deployment a policy that prohibits peer workspace options, as
described in Configure and customize SharePoint Workspace 2010
(http://technet.microsoft.com/library/5290b730-b9fd-4228-93e0-
7ace1766aa85(Office.14).aspx).
For this configuration, a basic level of client management can be achieved by using Windows and
Active Directory tools.
SharePoint workspaces rely on SharePoint Workspace communications and dynamics technology to
support individual client-to-SharePoint connections that enable SharePoint Workspace users to work
with and synchronize SharePoint document and list content on their local computers. Figure 1 shows a
basic setup of SharePoint Workspace to Microsoft SharePoint Server 2010.
Figure 1.
Figure 2.
To sustain peer communications for Groove workspaces and Shared Folders, when a client is
connected to a wide area network (WAN), offline, or behind a firewall, SharePoint Workspace relies on
supporting Microsoft Groove Server Manager and Relay services, as shown in Figure 3. These servers,
Microsoft-hosted or installed onsite, help ensure timely communication regardless of user context or
Internet-wide environmental conditions.
Figure 3.
The ability to create a SharePoint workspace that establishes a connection between a SharePoint
server and a SharePoint Workspace client. This enables a single SharePoint team member or
partner to take SharePoint site content onto a local computer, as described in SharePoint
Workspace as a SharePoint client.
The ability to easily create Groove workspaces where trusted peers can collaborate safely without
the need of a VPN, as described in SharePoint Workspace 2010 overview
(http://technet.microsoft.com/library/650cb781-4dbd-45ac-b8d3-2ce9b3a16600(Office.14).aspx).
The ability to create Shared Folder workspaces where SharePoint Workspace users can
collaborate on content within designated Windows folders on workspace member desktops.
For this configuration, a basic level of client management can be achieved by using Windows and
Active Directory tools.
SharePoint Workspace communications and dynamics modules, together with TCP/IP protocols
summarized in Network settings for SharePoint Workspace 2010, support message transport and
content synchronization between individual clients and SharePoint servers, and between client peers.
Figure 4 shows a SharePoint Workspace client/server system that involves a SharePoint server,
Groove Server Relay and management services, and four SharePoint Workspace clients:
Figure 4.
SharePoint Workspace and Groove Server as a managed
collaboration system
When Groove workspaces and Shared Folders are used, installation of Microsoft Groove Server 2010
onsite as part of SharePoint Workspace deployment provides optimal client administration. Groove
Server provides two applications that facilitate SharePoint Workspace deployment and operation in an
enterprise: Groove Server Manager provides management, reporting, and policy distribution services,
and Groove Server Relay facilitates client communications. This system can function with or without
SharePoint Server and can be extended to partners outside corporate firewalls. For more information
about Groove Server 2010, see Groove Server 2010 (http://technet.microsoft.com/library/fa057d58-
5620-4f1a-aef2-126cad6a8b31(Office.14).aspx).
The following table shows how SharePoint Workspace topology options can serve a range of scenarios.
[Table with the columns Scenario, Description, and Chosen topology and required components; only these fragments survived extraction: "IT department: Yes", "SharePoint Workspace clients", "Active Directory system (recommended)", "Internet connectivity (recommended)".]
[A table of SharePoint Workspace client port settings, with the columns SharePoint Workspace client port settings, Protocols supported, and Description, survives only as the fragment "... communication between SharePoint Workspace clients and Groove management servers."]
Scalability and performance considerations
This section provides system capacity information to help you plan for optimal system performance
within the scope of expected SharePoint workspace usage in your organization. In this discussion,
performance refers to document open, save, and update times, as well as upload and download times.
The size and number of documents that are synchronized with SharePoint can vary widely, even in a
single organization. To anticipate and mitigate client performance and operational problems, try to plan
for the expected maximum use case by implementing usage guidelines to prevent overloading the
cache and related resources.
SharePoint Workspace 2010 hardware requirements are intended for most basic use cases, where the
cache may contain fewer than 500 files and file size averages no more than 300 KB. These
requirements specify client installation on a single-core processor of 256 MHz, with 256 MB of RAM
and a 1.5 GB drive. To optimize for a better user experience in a heavier use environment, the following
equipment is recommended as a minimum:
Dual-core processor, 2 GHz
4 GB RAM
200 GB hard disk drive
If you expect to support client document caches that hold more than 500 documents on average, and
some of them contain more than 300 KB of text, possibly with complex graphics and video clips, you
should consider the higher-level hardware requirements.
The suggested limits are the result of tests conducted on the following hardware:
Intel Xeon CPU E5410 @ 2.33GHz, 4GB RAM, Single Disk 200GB
If necessary, you can take the following step to help control SharePoint Workspace performance:
Limit file downloads to headers only by setting the following DWORD value in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Groove\DefaultDocumentLibraryContentDownloadSettingHeadersOnly
Warning:
Serious problems might occur if you modify the registry incorrectly. These problems could
require you to reinstall the operating system. Microsoft cannot guarantee that these
problems can be solved. Modify the registry at your own risk. Always make sure that you
back up the registry before you modify it, and that you know how to restore the registry if a
problem occurs. For more information about how to back up, restore, and modify the
registry, see the Microsoft Knowledge Base article Windows registry information for
advanced users (http://support.microsoft.com/kb/256986).
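The following PowerShell function is an added example, not code from the Resource Kit. It applies the warning above literally: it exports the Groove key with reg.exe before writing the headers-only DWORD named in the text, records the previous data so the change can be reversed, and supports -WhatIf. The page names the value but not its data; the function assumes that 1 turns headers-only downloads on and 0 turns them off.

```powershell
# Added example, not Microsoft's code. Backs up the Groove key, then sets the
# headers-only download DWORD named in the text.
# Assumption: data 1 = headers only, data 0 = full downloads (the page gives only the value name).
function Set-GrooveHeadersOnlyDownload {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateSet(0, 1)] [int] $Value = 1,
        [string] $BackupDirectory = $env:TEMP
    )

    $keyPath   = 'HKCU:\Software\Microsoft\Office\14.0\Groove'
    $regExeKey = 'HKCU\Software\Microsoft\Office\14.0\Groove'   # reg.exe wants this form
    $valueName = 'DefaultDocumentLibraryContentDownloadSettingHeadersOnly'

    # 1. Export the key first, as the warning recommends. Abort if the export fails.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDirectory "Groove-$stamp.reg"
    if (Test-Path $keyPath) {
        & reg.exe export $regExeKey $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "Registry backup failed (reg.exe exit code $LASTEXITCODE); nothing was changed."
        }
    } else {
        # The key does not exist until SharePoint Workspace has run at least once.
        New-Item -Path $keyPath -Force | Out-Null
    }

    # 2. Record the previous data so this one value can be restored without the whole .reg file.
    $previous = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

    # 3. Write the DWORD (skipped under -WhatIf).
    if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", "Set DWORD to $Value")) {
        Set-ItemProperty -Path $keyPath -Name $valueName -Value $Value -Type DWord
    }

    $backupPath = $null
    if (Test-Path $backup) { $backupPath = $backup }

    [pscustomobject]@{
        Key      = $keyPath
        Name     = $valueName
        Previous = $previous
        Current  = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
        Backup   = $backupPath
    }
}

Set-GrooveHeadersOnlyDownload -Value 1 -WhatIf   # dry run; drop -WhatIf to apply
```

To roll back, run reg.exe import against the .reg file the function reports, or call the function again with -Value set to the Previous data it returned.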
For information about baseline SharePoint Workspace hardware requirements, see System
requirements for Office 2010 (http://technet.microsoft.com/library/399026a3-007c-405a-a377-
da7b0f7bf9de(Office.14).aspx).
For information about the built-in mechanisms provided by SharePoint Server 2010 and SharePoint
Workspace 2010, see Performance monitoring and throttling.
For information about SharePoint Server system requirements, see Deployment for SharePoint Server
2010 (http://go.microsoft.com/fwlink/?LinkId=188459).
Security considerations
SharePoint Workspace client exchanges with SharePoint sites rely on the synchronization protocol and on
external mechanisms, such as a VPN or Secure Sockets Layer (SSL), for transport security. Therefore, we
recommend SSL encryption for SharePoint connections from outside a corporate domain. You can configure
Group Policy settings that apply across an Active Directory organizational unit, as described in Configure
and customize SharePoint Workspace 2010
(http://technet.microsoft.com/library/5290b730-b9fd-4228-93e0-7ace1766aa85(Office.14).aspx). In
addition, you can secure the SharePoint site from unauthorized access by setting access control lists
appropriately. For guidance about how to set access control for users to synchronize with SharePoint
libraries and lists, see Security and protection for SharePoint Foundation 2010
(http://technet.microsoft.com/library/3f3744aa-6785-48c0-b16d-7bdddff577ca(Office.14).aspx) or
Security and protection for SharePoint Server 2010 (http://technet.microsoft.com/library/c12253e2-
2bc6-4e53-8fae-26829915481e(Office.14).aspx).
SharePoint Workspace uses strong cryptographic and encryption technologies to protect SharePoint
Workspace accounts, which are the secure repositories for each user's cryptographic keys, identity,
contacts, messages, and unique workspace identifiers. Windows authentication and users' Windows
logon credentials are used to unlock SharePoint Workspace accounts.
SharePoint Workspace 2010 does not encrypt SharePoint Workspace 2010 documents and other
binary files, including SharePoint workspace content, on disk. Therefore, consider using BitLocker Drive
Encryption to encrypt all content on client data drives. For more information, see BitLocker Drive
Encryption (http://go.microsoft.com/fwlink/?LinkId=163122). You can strengthen protection by blocking
Windows Search in the SharePoint Workspace Data directory, to prevent generation of search indexes
that are not encrypted. However, be aware that content shared with other clients that are not equally
protected remains unencrypted and searchable on those clients.
For Groove workspaces and Shared Folders, SharePoint Workspace uses native symmetric and public
key cryptographic technologies to authenticate, encrypt, and protect transmissions between clients over
the network. Strong encryption protects the following content on disk: Groove instant messages,
Groove invitations, Groove Discussion and Notepad entries, archived Groove workspaces, and Forms
tool templates.
For more information about forms-based authentication, see Configure Forms Based Authentication
(http://go.microsoft.com/fwlink/?LinkID=149721).
Note:
Sync to SharePoint Workspace is also available as a ribbon option from a SharePoint
document library or list.
Site Actions/Site Settings/Site Administration/Search and offline availability/Offline Client
Availability: SharePoint site administrators must select this setting to enable SharePoint
Workspace clients to access the site.
Secure Sockets Layer (SSL) protection: SSL protection is recommended for the incoming port 80
interface that supports SharePoint communications with SharePoint Workspace clients.
Search options
SharePoint Workspace content can be searched by using Windows Search 4.0 or later versions. By
default, Windows Search crawling (index creation) is enabled for some SharePoint Workspace content.
SharePoint Workspace users can access Windows Search 4.0 by clicking Search on the Home tab of
the ribbon, unless prevented from doing this by a Windows policy. Administrators can block Windows
Search of SharePoint Workspace content and can override any user search setting by deploying an
Active Directory GPO, as described in Configure and customize SharePoint Workspace 2010
(http://technet.microsoft.com/library/5290b730-b9fd-4228-93e0-7ace1766aa85(Office.14).aspx). For
information about how to use Windows Search, see the Windows Search Administrator Guides
(http://go.microsoft.com/fwlink/?LinkID=164567).
Back up SharePoint Workspace user accounts to a file in a secure location. SharePoint Workspace
supports account recovery in the event of a lost or corrupted account, by providing an option that
enables users to save their accounts to a .grv file. Encourage users to regularly save their accounts
to a file in a secure location. Users can save their account by clicking the File tab on the ribbon and,
in the Manage Account drop-down menu, selecting Account Preferences. Then they select Save
Account as File on the Account tab, entering a file name and a password, for initial account
recovery, when they are prompted. Note that Enable account recovery must be selected in the
user's account preferences for a reset code to be sent and the account to be recovered if the
password is forgotten. When this setting is enabled, SharePoint Workspace sends a reset code to
the e-mail address that was provided in the Account Configuration Wizard when the account was
created. Users can then reset a recovered account.
Note:
Enable account recovery also supports account portability and the ability to use the
account on multiple computers. For organizations that must prevent users from porting their
account to another computer, Microsoft Groove Server 2010 provides a policy that restricts
managed accounts to a single computer. For information about how to deploy Groove
Server at your site, see Deployment for Groove Server 2010
(http://technet.microsoft.com/library/8d7d33c2-3954-489b-ac82-
49f7da119489(Office.14).aspx).
To help safeguard Groove workspaces, encourage users to periodically back up each Groove
workspace by clicking the File tab on the ribbon, selecting Share, and then configuring the Workspace
as Archive option. For more information about how to back up and recover Groove workspaces, see
SharePoint Workspace product help at Microsoft products online
(http://go.microsoft.com/fwlink/?LinkId=162269).
Note:
Groove workspace data and tools reside on client computers. Therefore, if other team
members share a Groove workspace, the lost workspace can be retrieved from another client
computer.
See Also
SharePoint Workspace 2010 overview (http://technet.microsoft.com/library/650cb781-4dbd-45ac-b8d3-
2ce9b3a16600(Office.14).aspx)
Configure and customize SharePoint Workspace 2010 (http://technet.microsoft.com/library/5290b730-
b9fd-4228-93e0-7ace1766aa85(Office.14).aspx)
Deployment for Groove Server 2010 (http://technet.microsoft.com/library/8d7d33c2-3954-489b-ac82-
49f7da119489(Office.14).aspx)
Microsoft protocol documents (http://go.microsoft.com/fwlink/?LinkId=162294)
SharePoint Workspace and ODC
(http://blogs.msdn.com/b/sharepoint_workspace_development_team/archive/2010/03/12/sharepoint-
workspace-and-the-office-document-cache.aspx)
Plan customizations and options for Visio 2010
This article describes some of the customizations and options that are available in Microsoft Visio 2010.
In this article:
Application settings
Diagram templates
Customize Quick Shapes
Trusted documents
SharePoint and the Repository
Application settings
In Visio 2010, there are several ways to customize the application settings that you work with, from the
applications appearance and behavior, to the rules that help you manage the work that you create.
Note:
The file names must begin with an underscore.
If Visio finds a stencil that has this exact file name (which must be the same file name in all languages)
in the My Shapes folder, it will use it to populate the gallery, instead of the stencil that was included with
Visio 2010.
Warning:
The Shapes in these galleries have special behaviors that require knowledge of the Visio
ShapeSheet to replicate.
To get a basis for the customized gallery content, follow these steps:
1. Find the stencils that are included with Visio 2010, found in \Program Files\Microsoft
Office\Office14\Visio Content\1033 (for English).
2. Copy the files to your \My Shapes folder:
a. Backgrounds (US and Metric)
BCKGRN_U.VSS
BCKGRN_M.VSS
b. Borders & Title (US and Metric)
BORDRS_U.VSS
BORDRS_M.VSS
3. Rename and customize the files.
Custom themes
In Microsoft Office Visio 2007, the introduction of the Themes feature made it easy to apply a
professionally designed look to a diagram. In Visio 2010, the Themes feature takes advantage of the
Microsoft Office Fluent user interface (UI) and is one of the features that demonstrates the Live Preview
capability.
Visio custom themes are stored in the document, not in an external file. The way to deploy a custom
theme is to define it in a Visio document and then save it as a template (*.vst) for use in the
organization. The way that you create templates in Visio 2010 has not changed from Office Visio 2007
or earlier versions.
To create a custom theme that will be stored as a template, follow these steps:
1. Click the Design tab.
2. Click Colors.
3. Click Create New Theme Colors.
4. Select the theme name and colors, and then click OK.
5. Click Effects.
6. Click Create New Theme Effects.
7. Select the desired effects, and then click OK.
All users will have to start their new drawings from that template to use the custom theme.
SharePoint Workflow, and BPMN diagram templates. Custom rules and rule sets can be added to any
template.
When validation is performed, Visio checks each rule active in the document against all the targets
found in the document. For each target that does not meet the requirements specified by the rule, Visio
creates a validation issue. All issues found during validation are displayed for the user in a single list.
Validation can be initiated by the user via the command button on the ribbon when the user wants to
check their document for issues. These issues can be left unfixed or specifically ignored, which will
suppress the issue for subsequent validation runs.
To access the validation feature, follow these steps:
1. On the Process tab, select the Issues Window. This will open the Validation Window below the
drawing.
2. Then, on the Process tab, click the Check Diagram button.
When validation is triggered, rules and shapes are processed in no particular order. A progress bar
is shown if the operation takes longer than three seconds. The operation can be stopped, and Visio
then displays any issues found up to that point.
If Visio finds more errors in the document than it can display in the Issues Window (currently 32767),
validation is stopped automatically. A dialog box will display the message: Diagram validation has been
stopped because there are too many issues for Visio to track.
Once validation has stopped (complete or incomplete), if issues are found, Visio opens the Issues
Window if it is currently not open and displays the issues.
Diagram templates
When you start Visio 2010, the first thing that you see is the new screen in the Microsoft Office
Backstage view, where you can choose a template for the diagram that you will create. It resembles the
Office Visio 2007 Getting Started screen. Visio 2010 documents are created in either U.S. units or
metric units. The only SKU that contains both U.S. units and metric units is U.S. English (en-us). When
you use this SKU, and create a new diagram, you can choose which units that you want to use. There
is a setting and a Group Policy that can be customized to create the default as one of those two units
when it is available and when the installation is en-us.
When a user customizes the stencil through the UI, Visio saves the Quick Shapes count and the master
sort order in the registry under HKCU\Software\Microsoft\Office\14.0\Visio\Quick Shapes by using
the following format:
Type: REG_BINARY
Data: The Quick Shapes count and the sequence of master IDs, represented in binary form. The
Quick Shapes count and each master ID are represented in 4 bytes
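As an added example (not Microsoft's code), the PowerShell below decodes and re-encodes the REG_BINARY layout just described, so you can inspect or audit what a user's customization actually contains. It assumes 32-bit little-endian unsigned integers, the count first, then the master IDs in sort order, with the first <count> IDs being the ones shown as Quick Shapes; the sample value is constructed, not read from a real stencil.

```powershell
# Added example, not Microsoft's code. Decoder/encoder for the Quick Shapes
# REG_BINARY value: 4-byte count followed by 4-byte master IDs.
# Assumptions: little-endian unsigned 32-bit fields; the first <count> IDs in the
# sort order are the Quick Shapes.
function ConvertFrom-VisioQuickShapes {
    param([Parameter(Mandatory)] [byte[]] $Data)

    if ($Data.Length -lt 4 -or ($Data.Length % 4) -ne 0) {
        throw "Expected a multiple of 4 bytes (count + master IDs); got $($Data.Length)."
    }
    if (-not [BitConverter]::IsLittleEndian) { throw 'This decoder assumes a little-endian host.' }

    $count = [BitConverter]::ToUInt32($Data, 0)
    $ids   = New-Object System.Collections.Generic.List[uint32]
    for ($offset = 4; $offset -lt $Data.Length; $offset += 4) {
        $ids.Add([BitConverter]::ToUInt32($Data, $offset))
    }
    # A count larger than the ID list cannot be valid; treat it as corruption rather than guessing.
    if ($count -gt $ids.Count) {
        throw "Quick Shapes count ($count) exceeds the number of master IDs ($($ids.Count)); value is corrupt."
    }

    [pscustomobject]@{
        QuickShapesCount = $count
        MasterSortOrder  = $ids.ToArray()
        QuickShapeIds    = @($ids.ToArray() | Select-Object -First $count)
    }
}

function ConvertTo-VisioQuickShapes {
    param(
        [Parameter(Mandatory)] [uint32]   $QuickShapesCount,
        [Parameter(Mandatory)] [uint32[]] $MasterSortOrder
    )
    if ($QuickShapesCount -gt $MasterSortOrder.Length) { throw 'Count cannot exceed the number of master IDs.' }
    $bytes = New-Object System.Collections.Generic.List[byte]
    $bytes.AddRange([BitConverter]::GetBytes($QuickShapesCount))
    foreach ($id in $MasterSortOrder) { $bytes.AddRange([BitConverter]::GetBytes($id)) }
    return ,$bytes.ToArray()   # leading comma keeps the byte[] from being unrolled by the pipeline
}

# Constructed sample: four Quick Shapes out of six masters (IDs 7, 12, 3, 9, 21, 4).
$sample = ConvertTo-VisioQuickShapes -QuickShapesCount 4 -MasterSortOrder 7, 12, 3, 9, 21, 4
ConvertFrom-VisioQuickShapes -Data $sample

# Real values live under the key the text names; list the per-stencil value names with:
# Get-Item 'HKCU:\Software\Microsoft\Office\14.0\Visio\Quick Shapes' | Select-Object -ExpandProperty Property
```

Feed a real value into ConvertFrom-VisioQuickShapes with (Get-ItemProperty ...).<value name> once you know the stencil's value name; the length check catches values that were truncated or hand-edited.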
Trusted documents
Trusted documents is an improved feature in Office 2010 that interacts with document security features.
It enables active content (for example, macros and ActiveX controls) in a document, based on the trust
decision on the file, and can remember the selection every time that you open the document. Office
versions earlier than the 2007 Office system prompted you for macros and other kinds of active content
prior to opening a document every time.
In Office 2010, if you create or open a document that contains a macro, or receive a document that
uses a data connection to a trusted server, and you have enabled the content in the trust record, you
are no longer prompted with a security notification for that content. When you use trusted
documents, the trust is recorded on a per-file basis. The trust record is added to the Current User
section of your local registry and contains the file's full path and other data, such as the creation time of
the document.
Note:
Trust records are stored on a specific computer, so you will get prompted again if you open the
file on another computer.
There are two entry points for making a document trusted:
1. On the Message Bar, click Enable Content.
2. Click the Message Bar for details. This opens the Backstage view. In the Backstage view, click
Enable Content, which displays two options:
a. Enable all content and make it a trusted document.
b. Click the Advanced Options button to enable content for this time only (similar to the 2007 Office
system).
Trusting documents on a network share is riskier than trusting documents on your local hard disk drive
because other users who have access to the network locations can modify the contents of your file. For
this reason, a security warning is displayed the first time that you try to trust a document on a network
location. In the Trust Center, you can disallow documents on a network location from being trusted.
This causes Office to show you the security notification every time that you open a document on a
network location.
In the Trust Center, you can modify settings to allow or disallow documents on a network from being
trusted, disable the trusted documents feature, or reset all trusted documents so that they are no longer
trusted. All these settings can be configured by the administrator by using Group Policy.
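An added example, not Microsoft's code: the PowerShell below enumerates the per-file trust records for the current user and flags the ones that point at network locations, the case the text above calls riskier. It assumes that each Office 2010 application stores its records as values named after the file path under HKCU\Software\Microsoft\Office\14.0\<application>\Security\Trusted Documents\TrustRecords (the page says only "the Current User section of your local registry"), and that removing such a value revokes trust for that one file.

```powershell
# Added example, not Microsoft's code. Lists per-file trust records and flags
# those on UNC paths or mapped network drives.
# Assumption: records are values named after the file path under
# HKCU:\Software\Microsoft\Office\14.0\<App>\Security\Trusted Documents\TrustRecords.
function Get-OfficeTrustRecord {
    param([string[]] $Application = @('Word', 'Excel', 'PowerPoint', 'Visio', 'Access'))

    # Drive letters that are mapped to network shares, e.g. "Z:".
    $networkDrives = @([System.IO.DriveInfo]::GetDrives() |
        Where-Object { $_.DriveType -eq [System.IO.DriveType]::Network } |
        ForEach-Object { $_.Name.TrimEnd('\').ToUpperInvariant() })

    foreach ($app in $Application) {
        $key = "HKCU:\Software\Microsoft\Office\14.0\$app\Security\Trusted Documents\TrustRecords"
        if (-not (Test-Path $key)) { continue }   # application not installed, or nothing trusted yet
        $item = Get-Item $key
        foreach ($valueName in $item.GetValueNames()) {
            # Value names may carry environment variables; expand them for the path checks.
            $path     = [Environment]::ExpandEnvironmentVariables($valueName)
            $isUnc    = $path -like '\\*'
            $prefix   = $path.Substring(0, [Math]::Min(2, $path.Length)).ToUpperInvariant()
            $isMapped = $networkDrives -contains $prefix
            [pscustomobject]@{
                Application  = $app
                Path         = $path
                ValueName    = $valueName
                NetworkShare = [bool]($isUnc -or $isMapped)
                RecordBytes  = @($item.GetValue($valueName)).Length   # size of the binary record
            }
        }
    }
}

# Review the records, then revoke the ones that point at shares. Deleting a value
# has the same effect as "reset" for that single file: the next open prompts again.
$records = Get-OfficeTrustRecord
$records | Where-Object { $_.NetworkShare } | Format-Table Application, Path -AutoSize

# Revoke one record (uncomment after reviewing the list):
# $r = $records | Where-Object { $_.NetworkShare } | Select-Object -First 1
# Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\14.0\$($r.Application)\Security\Trusted Documents\TrustRecords" -Name $r.ValueName
```

Run this under the user's own account, since the records are per user; an empty result for an application means the key does not exist yet, not that the check failed.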
See Also
Changes in Visio 2010 (http://technet.microsoft.com/library/a125e33f-d851-4aea-9672-
5aa4a6d9bc72(Office.14).aspx)
Plan security for Office 2010
An organization's success often depends on the productivity of its information workers and the integrity
and confidentiality of its intellectual property. Many IT departments find it difficult to satisfy these
business needs because protection often comes at the expense of productivity. This section describes
the new security controls that are available in Microsoft Office 2010 to help you plan a robust defense
against threats while maintaining information worker productivity.
In this section:
Article | Description
Security overview for Office 2010 | Provides an overview of new security controls in Microsoft Office 2010 that make it easier for IT professionals to build a robust defense against threats while maintaining information worker productivity.
Understand security threats and countermeasures for Office 2010 | Provides information to help you plan for a secure desktop configuration for Office 2010, including which security risks and threats are relevant to Office 2010, and which might pose a risk to the organization's business assets or processes.
Plan Trusted Locations settings for Office 2010 | Provides information about how to use the Trusted Locations feature in Office 2010 to differentiate safe files from potentially harmful files.
Plan Trusted Publishers settings for Office 2010 | Provides information about how to use the Trusted Publishers feature in Office 2010 to designate content publishers that you trust.
Plan security settings for add-ins for Office 2010 | Describes how to control the way add-ins behave, or to prevent users from running add-ins, by modifying the Office 2010 add-in settings.
Plan security settings for ActiveX controls for Office 2010 | Describes how to change the way Microsoft ActiveX controls behave in Office 2010 by modifying ActiveX control settings.
Plan security settings for VBA macros for Office 2010 | Describes how to control the way Visual Basic for Applications (VBA) and VBA macros behave by modifying Microsoft Office 2010 VBA and VBA macros settings.
Plan COM object categorization for Office 2010 | Describes how to control the behavior of certain COM objects in Office 2010 by using COM object categorization.
Plan Protected View settings for Office 2010 | Provides information about how to configure Protected View, a new security feature in Office 2010 that helps mitigate exploits to your computer by opening files in a restricted environment so they can be examined before the files are opened for editing.
Plan Office File Validation settings for Office 2010 | Provides information about how to configure Office File Validation, a new security feature in Office 2010 that helps prevent file format attacks by scanning Office binary file formats before the files are opened.
Plan password complexity settings for Office 2010 | Provides information about settings to enforce strong passwords, such as password length and complexity rules, when you use the Encrypt with Password feature in Microsoft Excel 2010, Microsoft PowerPoint 2010, and Microsoft Word 2010.
Plan cryptography and encryption settings for Office 2010 | Provides information about cryptography and encryption in Microsoft Office 2010, and describes the settings that you can use to encrypt data.
Plan digital signature settings for Office 2010 | Provides information about how to digitally sign documents by using Microsoft Excel 2010, Microsoft PowerPoint 2010, and Microsoft Word 2010.
Plan privacy options for Office 2010 | Describes how to configure privacy options in Office 2010 to meet an organization's security requirements.
Plan file block settings for Office 2010 | Provides information about Group Policy and Office Customization Tool (OCT) settings that you can configure to block specific file format types for Microsoft Excel 2010, Microsoft PowerPoint 2010, and Microsoft Word 2010.
Plan for security and protection in Outlook 2010 | Describes features in Microsoft Outlook 2010 that can help keep an organization's e-mail messaging secure.
Security articles for end users (Office 2010) | Lists and categorizes key Office 2010 security-related articles, videos, and training courses that IT administrators might want to share with end users.
Security overview for Office 2010
An organization's financial success often depends on the productivity of its information workers and the
integrity and confidentiality of its intellectual property. Many IT departments find it difficult to satisfy
these business needs because protection often comes at the expense of productivity. When too many
security controls are implemented, worker productivity decreases. When too few security controls are
implemented, worker productivity increases, but your attack surface also increases, forcing higher
remediation costs and a higher total cost of ownership (TCO). Fortunately, several new security
controls in Microsoft Office 2010 make it easier for IT professionals to build a robust defense against
threats while maintaining information worker productivity.
Four of the new controls help harden and reduce the attack surface and help mitigate exploits. These
new controls include the following:
Data Execution Prevention (DEP) support for Office applications: A hardware and software
technology that helps harden the attack surface by helping to protect against malicious code
exploits.
Office File Validation: A software component that helps reduce the attack surface by identifying files
that do not follow a valid file format definition.
Expanded file block settings: Settings managed in the Trust Center and through Group Policy that
help reduce the attack surface by providing more specific control over the file types that an
application can access.
Protected View: A feature that helps mitigate attacks by enabling users to preview untrusted or
potentially harmful files in a sandbox environment.
In addition to these new controls, Office 2010 provides several security improvements that further
harden the attack surface by helping to ensure the integrity and confidentiality of data. These security
enhancements include the following:
Cryptographic agility
Trusted time stamping support for digital signatures
Domain-based password complexity checking and enforcement
Encryption-strengthening enhancements
Improvements to the Encrypt with Password feature
Integrity checking of encrypted files
Office 2010 also provides several security improvements that have a direct effect on information worker
productivity. Improvements in the Message Bar user interface, Trust Center user interface settings, and
a trust model that persists users' trust decisions are some examples of the new features that help make
security decisions and actions less intrusive to information workers. In addition, many of the new and
enhanced security controls can be managed through Group Policy settings. This makes it easier for you
to enforce and maintain the organization's security architecture.
In this article:
Layered defense is key
Helping users make better security decisions
Giving the administrator full control
Migrating security and privacy settings from Office 2003
A four-layer approach
The security architecture of Office 2010 helps you extend the defense-in-depth strategy beyond
desktop security tools by providing countermeasures for a layered defense. When implemented, these
countermeasures take effect the moment a user attempts to open a file by using an Office 2010
application, and they continue to provide multiple layers of defense until the file is open and ready for
editing. The following figure shows the four defensive layers that are built into the Office 2010 security
architecture. It also shows some countermeasures that you can implement for each layer.
Hardening the attack surface
This defensive layer helps harden the attack surface of Office 2010 applications by using a
countermeasure known as Data Execution Prevention (DEP). DEP helps prevent buffer overflow
exploits by identifying files that attempt to run code from a part of memory reserved only for data. By
default, DEP is enabled in Office 2010. You can manage DEP settings in the Trust Center or through
Group Policy settings.
Reducing the attack surface
This defensive layer helps reduce the attack surface of Office 2010 applications by limiting the kinds of
files that applications can open and by preventing applications from running certain kinds of code that is
embedded in files. To do this, Office applications use the following three countermeasures:
Office File Validation: This software component scans files for format differences and, based on
the implemented setting, can prevent a file from being opened for editing if the format is not valid. A
file that contains a file format exploit against an Office 2010 application is one example of a file that
is not valid. By default, Office File Validation is enabled and is primarily managed through Group
Policy settings.
File block settings: Introduced in the 2007 Microsoft Office system to help reduce the attack
surface, these settings enable you to prevent applications from opening and saving certain file
types. In addition, you can specify what will occur if you allow a file type to be opened. For
example, you can specify whether a file type is opened in Protected View and whether editing is
allowed. Several new file block settings have been added in Office 2010. You can manage file
block settings in the Trust Center and through Group Policy settings.
Office ActiveX kill bit: This new Office 2010 feature enables you to prevent specific ActiveX
controls from running in Office 2010 applications without affecting how those controls run in
Microsoft Internet Explorer. By default, the Office ActiveX kill bit is not configured. However, you can
configure this countermeasure by modifying the registry.
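Because the Office kill bit is set in the registry and is independent of the Internet Explorer kill bit, an administrator usually wants to see both side by side before and after a change. The PowerShell script below is an added example and is not from the Office 2010 Resource Kit. It assumes the Office kill bit is the DWORD "Compatibility Flags" with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{CLSID}, that the Internet Explorer kill bit uses the same flag under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, and that 32-bit Office on 64-bit Windows reads the Wow6432Node view of those keys. The CLSID used in the last line is a placeholder, not a real control.

```powershell
# Added example (not from the Office 2010 Resource Kit): report which ActiveX
# controls carry an Office kill bit and/or an Internet Explorer kill bit, and
# set an Office-only kill bit for one control without touching IE.
# Assumptions: the registry paths and the 0x400 "Compatibility Flags" bit below;
# the Wow6432Node view is checked for 32-bit Office on 64-bit Windows.

$KillBit = 0x400

function Get-CompatibilityFlags {
    param([string]$Base)
    $results = @{}
    $views = @($Base, ($Base -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\Wow6432Node\'))
    foreach ($view in $views) {
        if (-not (Test-Path $view)) { continue }
        foreach ($k in Get-ChildItem -Path $view) {
            $flags = (Get-ItemProperty -Path $k.PSPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $flags) { $results[$k.PSChildName] = [int]$flags }
        }
    }
    return $results
}

function Get-ActiveXKillBitReport {
    $office = Get-CompatibilityFlags 'HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility'
    $ie     = Get-CompatibilityFlags 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    $all = @($office.Keys) + @($ie.Keys) | Sort-Object -Unique
    foreach ($clsid in $all) {
        [pscustomobject]@{
            CLSID         = $clsid
            OfficeKillBit = ($office.ContainsKey($clsid) -and (($office[$clsid] -band $KillBit) -ne 0))
            IEKillBit     = ($ie.ContainsKey($clsid) -and (($ie[$clsid] -band $KillBit) -ne 0))
        }
    }
}

function Set-OfficeActiveXKillBit {
    # Blocks one control in Office applications only; the IE kill bit is left alone.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$Clsid"
    if ($PSCmdlet.ShouldProcess($key, 'Set Compatibility Flags bit 0x400')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value (([int]$existing) -bor $KillBit) -Force | Out-Null
    }
}

Get-ActiveXKillBitReport | Format-Table -AutoSize
# Placeholder CLSID: substitute the control you need to block. -WhatIf only previews the change.
Set-OfficeActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' -WhatIf
```

Writing to HKLM requires an elevated session. Setting the flag with a bitwise OR keeps any other compatibility flags already present on the key, and the report makes it easy to confirm afterwards that the control shows OfficeKillBit set while IEKillBit is unchanged, which is exactly the behaviour the text above describes.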
Mitigating exploits
This defensive layer helps mitigate exploits by opening potentially harmful files in an isolated sandbox
environment. This sandbox environment, known as Protected View, enables users to preview files
before they open them for editing in an application. By default, Protected View is enabled. However,
you can turn it off and manage it in the Trust Center and through Group Policy settings.
Improving the user experience
This defensive layer mitigates exploits by reducing the number of security decisions users make and by
improving the way users make security decisions. For example, documents that are considered
untrustworthy are automatically opened in Protected View without any user feedback. Users can read
and close these documents without making any security decisions, which in most cases means that
they can effectively finish their work without being confronted with security prompts. If a user wants to
edit a document that is in Protected View, they can select the option to allow editing. Once editing is
allowed, the document will not be opened in Protected View again. If the document contains active
content, such as ActiveX controls and macros, a Message Bar appears that prompts the user whether
to enable the active content. Once active content is enabled, the user will not be prompted again with
the Message Bar for active content. You can configure Message Bar settings and Trusted Documents
settings in the Trust Center and through Group Policy settings.
Integrity countermeasures
Integrity settings help you mitigate threats to the integrity of business data and business processes.
Malicious users attack the integrity of these assets by corrupting documents, presentations, and
spreadsheets. For example, a malicious user might attack the integrity of business data or business
processes by replacing a file with a similar file that contains corrupted data or information. Two
countermeasures, digital signatures and integrity checking of encrypted files, have been improved and
enhanced to help you mitigate integrity threats.
Digital signature improvements
Trusted time stamping is now supported in digital signatures, which makes Office documents
compatible with the W3C XML Advanced Electronic Signatures (XAdES) standard. Trusted time
stamping helps ensure that digital signatures remain valid and legally defensible even if the certificate
that is used to sign the document expires. Trusted time stamping support is available only in Microsoft
Excel 2010, Microsoft Access 2010, Microsoft PowerPoint 2010, and Microsoft Word 2010. To take
advantage of this feature, you must use a time-stamping authority.
In addition to time stamping support, Office 2010 includes several improvements in the user interface
that make managing and implementing digital signatures easier for users. You can also configure and
manage trusted time stamping through several new Group Policy settings.
Integrity checking of encrypted files
Administrators can now decide whether to implement a hash-based message authentication code
(HMAC) when a file is encrypted, which can help determine whether someone has tampered with a file.
The HMAC is fully compliant with Windows Cryptographic API: Next Generation (CNG), enabling
administrators to configure the cryptographic provider, hash, and context that are used to generate the
HMAC. These parameters are configurable through Group Policy settings.
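The value of the HMAC is that any change to the encrypted bytes, even a single flipped bit, makes verification fail before the file is decrypted. The PowerShell script below is an added illustration of that mechanism and is not Office's own implementation: Office's container layout and the CNG provider, hash, and context it uses are set through the Group Policy settings mentioned above, whereas this block uses HMAC-SHA256 from .NET over a constructed payload and key.

```powershell
# Added example (not Office's own code): an HMAC computed over ciphertext detects
# tampering with an encrypted file. The payload and key below are constructed at
# random for the demonstration; HMAC-SHA256 stands in for whatever CNG hash an
# administrator configures for Office.

function Get-CiphertextTag {
    param([byte[]]$Ciphertext, [byte[]]$Key)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    try { return ,($hmac.ComputeHash($Ciphertext)) } finally { $hmac.Dispose() }
}

function Test-CiphertextIntact {
    param([byte[]]$Ciphertext, [byte[]]$Key, [byte[]]$ExpectedTag)
    $actual = Get-CiphertextTag -Ciphertext $Ciphertext -Key $Key
    if ($actual.Length -ne $ExpectedTag.Length) { return $false }
    # Compare every byte regardless of where the first mismatch is, so the
    # verifier's timing does not leak how much of a forged tag was correct.
    $diff = 0
    for ($i = 0; $i -lt $actual.Length; $i++) {
        $diff = $diff -bor ($actual[$i] -bxor $ExpectedTag[$i])
    }
    return ($diff -eq 0)
}

# Constructed sample: 64 random bytes play the role of the encrypted document
# body and 32 random bytes the role of the MAC key derived during encryption.
$rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$payload = New-Object byte[] 64; $rng.GetBytes($payload)
$key     = New-Object byte[] 32; $rng.GetBytes($key)

# Encrypt-then-MAC: the tag is computed over the ciphertext and stored with it.
$tag = Get-CiphertextTag -Ciphertext $payload -Key $key
"Untouched file verifies: $(Test-CiphertextIntact -Ciphertext $payload -Key $key -ExpectedTag $tag)"

# Simulate on-disk tampering by flipping one bit in the ciphertext.
$tampered = [byte[]]$payload.Clone()
$tampered[10] = $tampered[10] -bxor 0x01
"Tampered file verifies:  $(Test-CiphertextIntact -Ciphertext $tampered -Key $key -ExpectedTag $tag)"
```

The ordering matters: because the tag covers the ciphertext, a reader can reject a modified file without ever running the decryption routine on attacker-controlled bytes. That is the same property the HMAC on encrypted Office files gives you, with the provider and hash chosen by policy rather than hard-coded as here.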
Confidentiality countermeasures
Confidentiality settings help you mitigate threats to information that you do not want disclosed either
publicly or privately, such as e-mail correspondence, project planning information, design specifications,
financial information, customer data, and personal and private information. Several countermeasures
have been improved and enhanced to help you mitigate confidentiality threats.
Cryptographic enhancements
Several Office 2010 applications are now cryptographically agile and support CNG, which means that
administrators can specify any cryptographic algorithm for encrypting and signing documents. In
addition, several Office 2010 applications now support Suite B cryptography.
Encrypt with Password improvements
The Encrypt with Password feature is now compliant with the ISO/IEC 29500 and ISO/IEC 10118-3:2004
requirements. This feature is also interoperable between Office 2010 and the 2007 Office
system with Service Pack 2 (SP2), but only if the host operating systems support the same
cryptographic providers. In addition, Office 2010 includes several changes in the user interface that
make the Encrypt with Password feature easier for users to understand and implement.
Password complexity checking and enforcement
Passwords used by the Encrypt with Password feature can now be checked for length and complexity,
and enforced by domain-based password policies. This applies only to passwords that are created by
using the Encrypt with Password feature. You can use several new Group Policy settings to manage
password complexity checking and enforcement.
Encryption enhancements
The encryption mechanism is enhanced, which helps ensure that the encryption/decryption key is never
stored as plain text in a file. In general, these encryption enhancements are transparent to users and
administrators.
As shown in the previous figure, documents must pass through several defensive layers before users
are required to make a security decision. If users do not have to edit a document, they can read the
document in Protected View and then close it without making any security decisions. Several key
features make this efficient workflow possible.
Improved trust model: When users attempt to open a file, Office 2010 evaluates the file's trust state.
By default, trusted files bypass most security checks and are opened for editing without requiring any
security decisions by the user. Untrusted files must undergo the security checks that make up the
layered defense. Documents that are considered untrustworthy are automatically opened in Protected
View without any user feedback. If a user wants to edit a document that is in Protected View, the user
can select the option to allow editing. Once editing is allowed, the document will not be opened in
Protected View again. If the document contains active content, such as ActiveX controls and macros, a
Message Bar appears that prompts the user whether to enable the active content. Once active content
is enabled, the user will not be prompted again with the Message Bar for active content. In the 2007
Office system you can use the trusted locations and trusted publishers features to designate trusted
files and trusted content. In Office 2010, you can also use a new feature known as Trusted Documents.
Trusted Documents lets users designate a file as trusted after viewing the file in Protected View. When
a user designates a file as being trusted, the trust decision persists with the file so that the user does
not have to make the trust decision again the next time that they open the file.
Note:
Trusted files do not bypass antivirus checking or ActiveX kill-bit checking. If a file is trusted, it is
scanned by the local antivirus scanning program (if available) and any ActiveX controls that
have a kill-bit set are disabled.
Transparent countermeasures: Several of the new countermeasures in Office 2010 are invisible to
the user and require no user interaction. For example, Office 2010 applications evaluate untrusted files
for file format differences by using a new technology known as Office File Validation. This technology
runs autonomously when a user opens an untrusted file. If no potential file format differences are
detected, users have no indication that this technology scanned the file.
Note:
In some cases, the Office File Validation feature might ask a user for permission to send file
scan information to Microsoft to help improve the feature's ability to detect exploits. You can
prevent these prompts from occurring by configuring Group Policy settings.
Sandbox previewing environment: Untrusted files are opened in a sandbox previewing environment
known as Protected View. Users can read files in this sandbox environment, and they can copy content
to the clipboard. However, they cannot print files or edit them. In most cases, previewing a document is
sufficient for users and they can close the file without answering any security questions. For example,
even if a file contains an untrusted Visual Basic for Applications (VBA) macro, a user does not have to
enable the VBA macro to preview the content in Protected View.
In most cases, the default security configuration in Office 2010 is a suitable defense-in-depth solution,
which provides multiple layers of defense without impinging too much on user productivity. However,
some organizations might have to modify the default security configuration to meet more strict security
requirements or to reduce security and provide more flexibility to users. For example, if the organization
consists mostly of expert users who do not have to preview files in a sandbox environment, you can
disable Protected View. We do not recommend this (and it might be very risky), but it helps reduce the
number of security decisions users make. Likewise, if the organization requires a locked-down security
environment, you can modify the security settings so that all untrusted documents must be opened in
Protected View and can never leave Protected View. This might provide more protection, but it also
hinders a user's ability to edit a file. Regardless of the organization's particular security requirements,
the multilayered countermeasures in Office 2010 let you effectively balance security and productivity;
that is, you can increase or decrease the frequency and the kind of security decisions users have to
make without completely compromising the security architecture.
The following table shows the different ways that you can manage the new security controls in Office
2010. It also shows which applications support the new security features.
Security feature | Configurable in the Trust Center? | Configurable through Group Policy settings? | Applies to which applications?
Office 2010 from Microsoft Office 2003 or an earlier version of Office, it might be helpful to understand
when various Office 2010 security and privacy features were introduced.
The following table shows the main security and privacy features that were added or enhanced in the
2007 Office system and Office 2010.
Security feature | Description | Feature status in the 2007 Office system | Feature status in Office 2010 | For more information see
Trust Center | A central console in the user interface that enables users to view and configure security settings and privacy options. | Introduced in the 2007 Office system | Enhanced and expanded settings in Office 2010 | Overview of security in the 2007 Office system (http://go.microsoft.com/fwlink/?LinkId=160365)
Message Bar | A user interface element that gives users notifications and warnings when they open a document that contains potentially harmful content. | Introduced in the 2007 Office system | Enhanced the message bar user interface in Office 2010 | Overview of security in the 2007 Office system (http://go.microsoft.com/fwlink/?LinkId=161330)
documents.
File block settings | A suite of security settings that enable you to prevent users from opening or saving certain kinds of files. | Introduced in the 2007 Office system | Enhanced and expanded settings in Office 2010 | Overview of security in the 2007 Office system (http://go.microsoft.com/fwlink/?LinkId=161330)
Document Inspector | A privacy tool that can help users remove personal information and hidden information from a document. | Introduced in the 2007 Office system | Enhanced the user interface in Office 2010 | Overview of security in the 2007 Office system (http://go.microsoft.com/fwlink/?LinkID=161331)
Global and application-specific settings for ActiveX controls | Enables you to disable all ActiveX controls, configure ActiveX control initialization, and configure ActiveX control prompts. | Introduced in the 2007 Office system | No significant functional changes in Office 2010 | Overview of security in the 2007 Office system (http://go.microsoft.com/fwlink/?LinkId=161332)
VBA macros settings. 2010
Office File Validation | A countermeasure that scans files for format differences and prevents files from being opened for editing if the format is not valid. | Not available in 2007 Office system applications | Introduced in Office 2010 | Plan Office File Validation settings for Office 2010
Office ActiveX kill bit | An Office feature that administrators can use to prevent specific ActiveX controls from running within Office applications. | Available in 2007 Office system applications as an Internet Explorer ActiveX kill bit | Introduced in Office 2010 as an Office ActiveX kill bit | How to stop an ActiveX control from running in Internet Explorer (http://go.microsoft.com/fwlink/?LinkId=160644)
Protected View | An Office feature that helps mitigate attacks by enabling users to preview untrusted or potentially harmful files in a sandbox environment. | Not available in 2007 Office system applications | Introduced in Office 2010 | Plan Protected View settings for Office 2010
Trusted time stamping of digital signatures | Helps ensure that digital signatures remain valid and legally defensible even if the certificate that you used to sign the document expires. | Not available in 2007 Office system applications | Introduced in Office 2010 | Plan digital signature settings for Office 2010
Integrity checking of encrypted files | Enables you to implement a hash-based message authentication code (HMAC) when a file is encrypted. | Not available in 2007 Office system applications | Introduced in Office 2010 | Plan cryptography and encryption settings for Office 2010
Password complexity checking and enforcement | Enables you to check and enforce passwords for length and complexity by using domain-based password policies. | Not available in 2007 Office system applications | Introduced in Office 2010 | Plan password complexity settings for Office 2010
Cryptographic agility | Enables you to specify cryptographic settings for encrypting documents. | Not available in 2007 Office system applications | Introduced in Office 2010 | Plan cryptography and encryption settings for Office 2010
Understand security threats and
countermeasures for Office 2010
A secure desktop configuration is an important part of any organization's defense-in-depth strategy. But
before you can plan for a secure desktop configuration that includes Microsoft Office 2010, you must
understand which security risks and threats are relevant to Office 2010, and then determine which of
those security risks and threats pose a risk to the organization's business assets or business
processes. You also have to determine which privacy risks and threats pose a risk to users' personal
and private information.
In this article:
Information security risks
Threats to desktop productivity applications
Default countermeasures in Office 2010
If Office 2010 is part of an organization's environment, the defense-in-depth strategy must also include
the mitigation mechanisms that are provided with Office 2010. These mitigation mechanisms include
many technologies, settings, and features. By using these mechanisms, you can help mitigate threats
to Office 2010 applications and help protect the intellectual property, business resources, and business
processes that are at the heart of the business.
By default, the Office 2010 security model helps an organization mitigate all three kinds of risk.
However, every organization has different infrastructure capabilities, different productivity demands,
and different desktop security requirements. To determine exactly how the organization can mitigate
these business risks, you have to evaluate the threats and threat agents that exploit these risks.
Most organizations face some potential risk from five kinds of security threats. However, most
organizations deal with unique combinations of threat agents and potential security attacks or exploits.
threats pose a potential risk to any size organization, especially organizations that let users do the
following:
Run ActiveX controls, add-ins, or VBA macros.
Open e-mail attachments.
Share documents across a public network, such as the Internet.
Open documents from sources outside the organization, such as clients, vendors, or partners.
External content threats
External content threats include any threat agent that links a document to another document, a
database, or a Web site across an intranet or a public network, such as the Internet. External content
threats are exploited through the following threat agents:
Hyperlinks: An attacker typically exploits this threat agent by creating hyperlinks to documents
that are not trusted or Web sites that contain malicious code or content.
Data connections: An attacker typically exploits this threat agent by creating data connections to
data sources or databases, and then by using such connections to maliciously manipulate or
extract data.
Web beacons: A typical scenario for exploiting this threat agent is for an attacker to embed an
invisible link to a remote image in an e-mail message. When a user opens the message, the link
becomes active and downloads the remote image. In the process, user information can be sent to
the remote computer, such as the user's e-mail address and the IP address of their computer.
Packager objects: An attacker can exploit this threat agent by having an embedded object run
malicious code.
External threats pose a risk if the organization:
Gives users unrestricted access to public networks, such as the Internet.
Does not prevent users from receiving e-mail messages that contain embedded images and HTML.
Does not prevent users from using data connections in spreadsheets or other documents.
Browser threats
These threats can exist when an application or a document programmatically uses the functionality of a
Web browser, such as Microsoft Internet Explorer. Browser threats pose a risk to applications and
documents because any threats that exist for the browser also exist for the application or document that
hosts the browser. Browser threats include many threat agents, and can be exploited through various
security attacks. Examples of these threat agents include ActiveX control installation, file downloads,
MIME sniffing, zone elevation, and add-on installation.
Browser threats pose a risk if your organization:
Allows users to run ActiveX controls, add-ins, or macros that use browser functionality.
Develops and distributes Office solutions that use browser functionality.
Information disclosure
Malicious programmers and users can exploit security vulnerabilities through various security attacks.
Until a security bulletin or a service pack is released to respond to the security vulnerability, the
vulnerability can pose a potential threat to your organization.
ActiveX controls, all ActiveX controls (those marked UFI and SFI) are loaded in safe mode with
persistent values.
If an ActiveX control marked UFI or SFI is contained in a document that also contains a VBA
project, users are notified in the Message Bar that ActiveX controls are disabled. However, users
can click the Message Bar to enable ActiveX controls. If a user enables ActiveX controls, all
ActiveX controls (those marked SFI and UFI) are loaded in safe mode with persistent values.
Important:
If a kill bit is set in the registry for an ActiveX control, the control is not loaded and cannot be
loaded in any circumstance. The Message Bar does not appear and users are not notified
about the presence of the ActiveX control.
To change the default behavior of ActiveX controls, see Plan security settings for ActiveX controls for
Office 2010.
Add-in settings
You can use add-in settings to disable add-ins, require that add-ins be signed by a trusted publisher, and
disable notifications for add-ins. By default, installed and registered add-ins can run without requiring
user intervention or warning. To change this default behavior, see Plan security settings for add-ins for
Office 2010.
File Block settings
You can use File Block settings to prevent specific file types from being opened or saved. You can also
use these settings to prevent or force certain file types from opening in Protected View. By default,
Excel 2010, PowerPoint 2010, and Word 2010 force several kinds of files to open only in Protected
View. Users cannot open these file types for editing.
Privacy options
You can use privacy options to prevent the Welcome to Microsoft Office 2010 dialog box from
appearing the first time that a user starts Office 2010. This dialog box lets users enroll in various
Internet-based services that help protect and improve Office 2010 applications. You can also use
privacy options to enable the Internet-based services that appear in the Welcome to Microsoft Office
2010 dialog box. By default, the Welcome to Microsoft Office 2010 dialog box appears when a user
starts Office 2010 for the first time, and users can enable the recommended Internet-based services,
enable a subset of these services, or make no configuration changes. If a user makes no configuration
changes, the following default settings take effect:
Office 2010 applications do not connect to Office.com for updated Help content.
Office 2010 applications do not download small programs that help diagnose problems and error
message information is not sent to Microsoft.
Users are not enrolled in the Customer Experience Improvement Program.
When users implement a search query from the Help system, information about which Office 2010
applications are installed is not sent to Microsoft to improve Office.com search results.
To change this default behavior, or to suppress the Welcome to Microsoft Office 2010 dialog box,
see Plan privacy options for Office 2010.
Note:
You can also use File Block settings to prevent or force specific file types from opening in
Protected View.
VBA macro settings
You can use VBA macro settings to change the way VBA macros behave, disable VBA, and change the
way VBA macros behave in applications that are started programmatically. By default, VBA is enabled
and trusted VBA macros are allowed to run without notification. Trusted VBA macros include VBA
macros that are signed by a trusted publisher, stored in a trusted document, or stored in a document
that is in a trusted location. Untrusted VBA macros are disabled, but a notification in the Message Bar
lets users enable untrusted VBA macros. In addition, VBA macros are allowed to run in applications
that are started programmatically.
To change this default behavior, see Plan security settings for VBA macros for Office 2010.
See Also
Security overview for Office 2010
Plan Trusted Locations settings for Office 2010
If you want to differentiate safe files from potentially harmful files, you can use the Trusted Locations
feature in Microsoft Office 2010. The Trusted Locations feature lets you designate trusted file sources
on the hard disks of users' computers or on a network share. When a folder is designated as a trusted
file source, any file that is saved in the folder is assumed to be a trusted file. When a trusted file is
opened, all content in the file is enabled and active, and users are not notified about any potential risks
that might be contained in the file, such as unsigned add-ins and Microsoft Visual Basic for Applications
(VBA) macros, links to content on the Internet, or database connections.
In this article:
About planning Trusted Locations settings
Implement Trusted Locations
Disable Trusted Locations
Access 2010 trusted locations
The following table lists the default trusted locations for Access 2010.
Word 2010 trusted locations
The following table lists the default trusted locations for Word 2010.
Note:
For information about how to configure security settings in the Office Customization Tool (OCT)
and the Office 2010 Administrative Templates, see Configure security for Office 2010
(http://technet.microsoft.com/library/14675abe-a72c-4d01-aa41-ebd35ffc9165(Office.14).aspx).
Determine the folders to designate as trusted locations
Use the following guidelines to help determine the folders that you want to designate as trusted
locations:
You can specify trusted locations on a per-application basis or globally.
One or more applications can share a trusted location.
To prevent malicious users from adding files to a trusted location or from modifying files that are
saved in a trusted location, you must apply operating system security settings to any folder that you
designate as a trusted location.
By default, only trusted locations that are on users' hard disks are allowed. To enable trusted
locations on network shares, you must enable the Allow Trusted Locations not on the computer
setting.
We do not recommend that you specify root folders, such as drive C, or the whole Documents or
My Documents folder as trusted locations. Instead, create a subfolder within those folders and
specify only that folder as a trusted location.
In addition, you must use the guidelines in the following sections if you want to:
Use environment variables to specify trusted locations.
Specify Web folders (that is, paths that begin with http://) as trusted locations.
specify a trusted location.
2. Change the Path value type.
Applications in Office 2010 cannot recognize environment variables that are stored as String
Value (REG_SZ) value types. For applications to recognize environment variables, you must
change the value type of the Path entry so that it is an Expandable String Value
(REG_EXPAND_SZ) value type. To do this, follow these steps:
a. Write down or copy the value of the Path entry. This should be a relative path that contains
one or more environment variables.
b. Delete the Path entry.
c. Create a new Path entry of type Expandable String Value (REG_EXPAND_SZ).
d. Modify the new Path entry so that it has the same value that you wrote down or copied in
step a.
Be sure to make this change for each Path entry that uses environment variables to specify a
trusted location.
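Steps a through d above can be scripted so that no Path value is mistyped while it is recreated. The following PowerShell script is an added example, not code from the Microsoft guide. It assumes that the per-user Word 2010 trusted locations are stored under HKCU\Software\Microsoft\Office\14.0\Word\Security\Trusted Locations\LocationN and that each Location key holds its folder in a value named Path (the guide does not state that key in this section). Only Path values that contain an environment variable and are not already REG_EXPAND_SZ are touched.

```powershell
# Added example: convert trusted-location Path values that use environment
# variables from REG_SZ to REG_EXPAND_SZ, following steps a-d of the procedure.
# Assumption: per-user Word 2010 trusted locations live under this key.
$TrustedLocationsKey = 'HKCU:\Software\Microsoft\Office\14.0\Word\Security\Trusted Locations'

function Convert-TrustedLocationPath {
    param([Parameter(Mandatory = $true)][string]$BaseKey)

    foreach ($locationKey in Get-ChildItem -Path $BaseKey) {
        # Skip Location keys that have no Path value at all.
        if ($locationKey.GetValueNames() -notcontains 'Path') { continue }

        # Already the correct type: nothing to do.
        if ($locationKey.GetValueKind('Path') -eq 'ExpandString') { continue }

        # Step a: copy the value exactly as stored, without expanding %VAR% tokens.
        $rawPath = $locationKey.GetValue('Path', $null, 'DoNotExpandEnvironmentNames')

        # Only paths that actually use an environment variable need the new type.
        if ($rawPath -notmatch '%[^%]+%') { continue }

        $keyPath = $locationKey.PSPath
        # Step b: delete the REG_SZ entry.
        Remove-ItemProperty -Path $keyPath -Name 'Path'
        # Steps c and d: recreate it as REG_EXPAND_SZ with the copied value.
        New-ItemProperty -Path $keyPath -Name 'Path' -PropertyType ExpandString -Value $rawPath | Out-Null

        Write-Output ("Converted {0} -> {1}" -f $locationKey.PSChildName, $rawPath)
    }
}

Convert-TrustedLocationPath -BaseKey $TrustedLocationsKey
```

Change the application name in the key path and run the function again for each Office 2010 application whose trusted locations use environment variables. Reading the value with DoNotExpandEnvironmentNames is what keeps the %VAR% tokens intact; a plain Get-ItemProperty would hand back the expanded path and the recreated entry would silently lose the variable.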
Note:
Sites that are created with Windows SharePoint Services and Microsoft SharePoint Server can
be designated as trusted locations.
If a folder is shared, configure sharing permissions so that only authorized users have access to the
shared folder. Be sure to use the principle of least privilege and grant permissions that are
appropriate to a user. That is, grant Read permission to those users who do not have to modify
trusted files, and grant Full Control permission to those users who have to modify trusted files.
Apply folder security permissions so that only authorized users can read or modify the files in
trusted locations. Make sure to use the principle of least privilege and to grant permissions that are
appropriate to a user. That is, grant Full Control permissions to only those users who have to
modify files; and grant more-restrictive permissions to those users who need only to read files.
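The two guidelines above (share permissions and NTFS folder permissions, both on a least-privilege basis) can be applied in one step on the folder itself. The following PowerShell script is an added example and is not part of the Microsoft guide; the folder path and the two group names are placeholders. It creates a dedicated subfolder, breaks permission inheritance so that broad parent permissions do not leak in, grants Full Control only to the maintainers, Read to everyone else who needs the files, and then lists every principal that can still write to the folder.

```powershell
# Added example: create a dedicated subfolder for a trusted location and apply
# least-privilege NTFS permissions to it. Folder path and group names are placeholders.
$TrustedFolder = 'C:\Users\Public\Documents\TrustedTemplates'
$ReaderGroup   = 'CONTOSO\Template Readers'   # users who only open the trusted files
$AuthorGroup   = 'CONTOSO\Template Authors'   # users who maintain them

function New-FolderAccessRule {
    param([string]$Identity, [string]$Rights)
    # Apply the rule to the folder, its subfolders and its files.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inherit, $propagate, 'Allow'
}

function Set-TrustedLocationAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Folder,
        [Parameter(Mandatory = $true)][string]$Readers,
        [Parameter(Mandatory = $true)][string]$Authors
    )
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null

    $acl = Get-Acl -Path $Folder
    # Stop inheriting from the parent and discard the inherited entries, so that a
    # broad parent permission (for example, Users: Modify) cannot reach the trusted folder.
    $acl.SetAccessRuleProtection($true, $false)

    $acl.AddAccessRule((New-FolderAccessRule -Identity 'NT AUTHORITY\SYSTEM'   -Rights 'FullControl'))
    $acl.AddAccessRule((New-FolderAccessRule -Identity 'BUILTIN\Administrators' -Rights 'FullControl'))
    $acl.AddAccessRule((New-FolderAccessRule -Identity $Authors -Rights 'FullControl'))
    $acl.AddAccessRule((New-FolderAccessRule -Identity $Readers -Rights 'ReadAndExecute'))
    Set-Acl -Path $Folder -AclObject $acl
}

Set-TrustedLocationAcl -Folder $TrustedFolder -Readers $ReaderGroup -Authors $AuthorGroup

# Audit: list every principal that can change what Office will trust from this folder.
(Get-Acl -Path $TrustedFolder).Access |
    Where-Object { $_.FileSystemRights -match 'FullControl|Modify|Write' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The audit at the end is the check worth repeating after any later permission change: any identity that appears there can place a file that Office will open with all active content enabled, so the list should contain only the maintainers, SYSTEM and Administrators. If the folder is also shared, apply the same split (Read for readers, Full Control for authors) to the share permissions.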
designates a network share as a trusted location through Group Policy or by using the OCT, and
this setting is disabled, the trusted location is disabled. Applications treat such locations like any
other untrusted locations, which means that users see Message Bar warnings about content such
as ActiveX controls and VBA macros when they open files, and they have to choose whether to
enable controls and macros or leave them disabled.
Guidelines: Organizations that have a highly restrictive security environment typically disable this
setting.
Note:
You can also use the Remove all Trusted Locations written by the OCT during installation
setting to delete all trusted locations that have been created by configuring the OCT.
Note:
For the latest information about policy settings, refer to the Microsoft Excel 2010 workbook
Office2010GroupPolicyAndOCTSettings_Reference.xls, which is available in the Files in this
Download section on the Office 2010 Administrative Template files (ADM, ADMX, ADML) and
Office Customization Tool (http://go.microsoft.com/fwlink/?LinkID=189316&clcid=0x409)
download page.
See Also
Security overview for Office 2010
Configure security for Office 2010 (http://technet.microsoft.com/library/14675abe-a72c-4d01-aa41-ebd35ffc9165(Office.14).aspx)
Plan Trusted Publishers settings for Office 2010
If an organization uses published content, such as Microsoft ActiveX controls, add-ins, and Visual Basic
for Applications (VBA) macros, you can use the Trusted Publishers list to designate content publishers
that you trust. A publisher is any developer, software company, or organization that has created and
distributed a digitally signed ActiveX control, add-in, or VBA macro. A trusted publisher is any publisher
that has been added to the Trusted Publishers list. When a user opens a file, and the file contains
active content that is created by a trusted publisher, the trusted publisher's content is enabled and
users are not notified about any potential risks that might be contained in the file.
In this article:
About planning Trusted Publishers settings
Obtain certificates from known publishers
Determine which certificates must be added to the Trusted Publishers list
Related Trusted Publishers settings
Important:
This procedure assumes the computer runs the Windows Vista operating system.
Important:
The following procedure assumes Word 2010 is running, but you can perform the same
procedure on other Office 2010 applications.
To identify published content and add the content publisher to the Trusted Publishers list
1. On a test computer or a client computer that is running the standard configuration for the
organization (including any add-ins that users need), enable the Require Application Add-Ins to
be signed by Trusted Publisher setting in the Trust Center by doing the following:
Click the File tab, click Options, click Trust Center, click Trust Center Settings, click
Add-ins, click Require Application Add-ins to be signed by Trusted Publisher, and
then click OK.
2. Exit and restart Word. If add-ins are installed, the Message Bar displays the following message:
Security Warning Some active content has been disabled. Click here for more details.
3. On the Message Bar, click Some active content has been disabled. Click here for more details.
4. Click the File tab and in the Backstage view, click Enable Content, and then click Advanced
Options.
5. In the Security Alerts Multiple Issues dialog box, install each certificate to the Trusted
Publishers list by following these steps for each add-in that shows a valid digital signature:
a. Click Show Signature Details.
b. In the Digital Signature Details window, click View Certificate.
c. In the Certificate window, click Install Certificate.
d. In the Certificate Import Wizard, click Next, click Place all certificates in the following
store, click Browse, click Trusted Publishers, click OK, click Next, and then click Finish.
6. Prepare the certificate files for distribution:
a. Click the File tab, click Options, click Trust Center, click Trust Center Settings, and then
click Trusted Publishers.
b. For each certificate, select the certificate, click View, and then follow these steps:
a. In the Certificate window, on the Details tab, click Copy to File.
b. In the Certificate Export Wizard, click Next, and then click Next again to accept the default
file format, enter a file name, select a location to store the file, and then click Finish.
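Step 6 exports one certificate at a time through the wizard. The following PowerShell script is an added example, not part of the Microsoft guide; it exports every certificate in the current user's Trusted Publishers store as a DER-encoded .cer file (the format the Certificate Export Wizard selects by default) and reports whether each one carries the Code Signing enhanced key usage, which is the property that matters for add-in and macro signatures. The output folder is a placeholder.

```powershell
# Added example: export every certificate from the current user's Trusted Publishers
# store as a DER .cer file and report whether it is a code-signing certificate.
# Assumption: the output folder below is a placeholder.
$ExportFolder   = 'C:\Deploy\TrustedPublishers'
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage OID for Code Signing

function Test-CodeSigningCert {
    param([Parameter(Mandatory = $true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $CodeSigningOid) { return $true }
            }
        }
    }
    return $false
}

function Export-TrustedPublisherCerts {
    param([Parameter(Mandatory = $true)][string]$OutFolder)
    New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null

    foreach ($cert in Get-ChildItem -Path 'Cert:\CurrentUser\TrustedPublisher') {
        # Thumbprint as file name: unique, and easy to match against the store later.
        $file  = Join-Path $OutFolder ($cert.Thumbprint + '.cer')
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [System.IO.File]::WriteAllBytes($file, $bytes)

        New-Object PSObject -Property @{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            CodeSigning = Test-CodeSigningCert -Cert $cert
            File        = $file
        }
    }
}

Export-TrustedPublisherCerts -OutFolder $ExportFolder |
    Format-Table Subject, Thumbprint, NotAfter, CodeSigning -AutoSize
```

Review the table before distributing anything: an entry whose CodeSigning column is False, or whose NotAfter date has passed, was added to the store for some other reason and should not be pushed to every client. The exported files can then be imported on other computers with certutil -addstore TrustedPublisher <file>.cer or distributed through the Trusted Publishers node under Public Key Policies in Group Policy.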
Note:
For the latest information about policy settings, refer to the Microsoft Excel 2010 workbook
Office2010GroupPolicyAndOCTSettings_Reference.xls, which is available in the Files in this
Download section on the Office 2010 Administrative Template files (ADM, ADMX, ADML) and
Office Customization Tool (http://go.microsoft.com/fwlink/?LinkID=189316&clcid=0x409)
download page.
See Also
Security overview for Office 2010
Configure security for Office 2010 (http://technet.microsoft.com/library/14675abe-a72c-4d01-aa41-ebd35ffc9165(Office.14).aspx)
Plan security settings for add-ins for Office 2010
If you want to control the way add-ins behave, or prevent users from running add-ins, you can modify
Microsoft Office 2010 add-in settings.
In this article:
About planning add-in settings
Disable add-ins on a per-application basis
Require that application add-ins are signed by trusted publisher
Disable notifications for unsigned add-ins
Disable add-ins on a per-application basis
Office 2010 provides a setting that enables you to disable add-ins. Use the following guidelines to
determine whether to use this setting.
Setting name: Disable all application add-ins
Description: This setting disables all add-ins. By default, all installed and registered add-ins can run.
Impact: If you enable this setting, add-ins are disabled and users are not notified that add-ins are
disabled. Enabling this setting could cause significant disruptions for users who work with add-ins.
If users have business-critical add-ins installed, you might be unable to enable this setting.
Guidelines: Most organizations use the default configuration for this setting and do not change this
setting.
Impact: If you enable this setting, users will not see a warning in the Message Bar when an unsigned
add-in attempts to run and users will be unable to enable the unsigned add-in. Enabling this setting
could cause disruptions for users who rely on add-ins that are not signed by trusted publishers.
These users will either have to obtain signed versions of such add-ins or stop using them.
Guidelines: Organizations that have a highly restrictive security environment typically enable this
setting if they require that all add-ins be signed by a trusted publisher.
Note:
For the latest information about policy settings, refer to the Microsoft Excel 2010 workbook
Office2010GroupPolicyAndOCTSettings_Reference.xls, which is available in the Files in this
Download section on the Office 2010 Administrative Template files (ADM, ADMX, ADML) and
Office Customization Tool (http://go.microsoft.com/fwlink/?LinkID=189316&clcid=0x409)
download page.
See Also
Security overview for Office 2010
Plan security settings for ActiveX controls for Office 2010
You can change the way Microsoft ActiveX controls behave in Microsoft Office 2010 by modifying
ActiveX control settings.
In this article:
About planning settings for ActiveX controls
Disable ActiveX controls
Change the way ActiveX controls are initialized
Related ActiveX control settings
If an ActiveX control marked UFI or SFI is contained in a document that also contains a VBA
project, users are notified in the Message Bar that ActiveX controls are disabled. However, users
can click the Message Bar to enable ActiveX controls. If a user enables ActiveX controls, all
ActiveX controls (those marked SFI and UFI) are loaded in safe mode with persistent values.
Important:
If a kill bit is set in the registry for an ActiveX control, the control is not loaded and cannot be
loaded in any circumstance. In addition, the Message Bar does not appear and users are not
notified about the presence of the ActiveX control.
Note:
If you enable this setting, ActiveX controls are disabled in files that are saved in trusted
locations.
You can also use the Office COM kill bit, which was introduced in Office 2010, to prevent specific COM
objects, including ActiveX controls, from running within Office 2010 applications. This capability was
available in the 2007 Office system. However, it was dependent on the Internet Explorer ActiveX kill bit
setting. Now, with Office 2010, you can independently control through the registry which COM objects
will not be able to run by using Office 2010. If, for example, the kill bit is set for the same ActiveX control
in both locations, Office and Internet Explorer, and there is a conflict between the two settings, the
Office COM kill bit has precedence. A common scenario where you would see the Office COM kill bit
set is when you apply an update that is included in a Microsoft Security Bulletin to address a specific
Office 2010 security issue.
Warning:
We do not recommend unkilling (undoing the kill action on) a COM object. If you do this, you
might create security vulnerabilities. The kill bit is typically set for a reason that might be critical,
and because of this, extreme care must be used when you unkill an ActiveX control.
It is possible to add an AlternateCLSID (also known as a Phoenix bit) when you need to correlate the
CLSID of a new ActiveX control, which was modified to mitigate the security threat, to the CLSID of the
ActiveX control to which the Office COM kill bit was applied. Office 2010 supports using the
AlternateCLSID only with ActiveX control COM objects. For more information about kill bit behavior,
including AlternateCLSID, see How to stop an ActiveX control from running in Internet Explorer
(http://go.microsoft.com/fwlink/?LinkId=183124).
Because the following procedure is highly technical, do not continue unless you are very comfortable
with the procedure.
Important:
This section, method, or task contains steps that tell you how to modify the registry. However,
serious problems might occur if you modify the registry incorrectly. Therefore, make sure that
you follow these steps carefully. For added protection, back up the registry before you modify it.
Then, you can restore the registry if a problem occurs.
The location for setting the Office COM kill bit in the registry is
HKLM\Software\Microsoft\Office\Common\COM Compatibility\{CLSID}, where CLSID is the class
identifier of the COM object. To enable the Office COM kill bit, add the registry key named for the
CLSID of the ActiveX control, and add the value 0x00000400 to the Compatibility Flags REG_DWORD
entry under that key.
Note:
The behavior of the kill bit (both Internet Explorer and Office COM) can be affected by enabling
COM categorization in Office 2010. For more information, see Plan COM object categorization
for Office 2010.
Controls you may want to consider putting onto the Office deny list:
Microsoft HTA Document 6.0 - 3050F5C8-98B5-11CF-BB82-00AA00BDCE0B
htmlfile - 25336920-03F9-11CF-8FD0-00AA00686F13
htmlfile_FullWindowEmbed - 25336921-03F9-11CF-8FD0-00AA00686F13
mhtmlfile - 3050F3D9-98B5-11CF-BB82-00AA00BDCE0B
Web Browser Control - 8856F961-340A-11D0-A96B-00C04FD705A2
DHTMLEdit - 2D360200-FFF5-11d1-8d03-00a0c959bc0a
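The registry change described above, scripted for the deny list just given. This PowerShell script is an added example and not code from the Microsoft guide; the key path and the 0x00000400 flag are the ones stated in the text, and the CLSIDs are the ones listed. The script ORs the kill bit into any Compatibility Flags value already present instead of overwriting it, and provides a check function so that the state of each control can be confirmed (for example, after an update has set or cleared bits).

```powershell
# Added example: set and audit the Office COM kill bit for the controls listed above.
# Writes to HKLM, so run from an elevated PowerShell session.
$KillBitBase   = 'HKLM:\Software\Microsoft\Office\Common\COM Compatibility'
$OfficeKillBit = 0x00000400   # Compatibility Flags bit stated in the text

# Controls and CLSIDs from the deny list in the text.
$ControlsToBlock = @{
    'Microsoft HTA Document 6.0' = '{3050F5C8-98B5-11CF-BB82-00AA00BDCE0B}'
    'htmlfile'                   = '{25336920-03F9-11CF-8FD0-00AA00686F13}'
    'htmlfile_FullWindowEmbed'   = '{25336921-03F9-11CF-8FD0-00AA00686F13}'
    'mhtmlfile'                  = '{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}'
    'Web Browser Control'        = '{8856F961-340A-11D0-A96B-00C04FD705A2}'
    'DHTMLEdit'                  = '{2D360200-FFF5-11d1-8d03-00a0c959bc0a}'
}

function Get-CompatibilityFlags {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $key = Join-Path $KillBitBase $Clsid
    $existing = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($existing) { return [int]$existing.'Compatibility Flags' }
    return 0
}

function Set-OfficeComKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $key = Join-Path $KillBitBase $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any flags already present; only OR in the kill bit.
    $new = (Get-CompatibilityFlags -Clsid $Clsid) -bor $OfficeKillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-OfficeComKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    return ((Get-CompatibilityFlags -Clsid $Clsid) -band $OfficeKillBit) -ne 0
}

foreach ($name in $ControlsToBlock.Keys) {
    $clsid = $ControlsToBlock[$name]
    Set-OfficeComKillBit -Clsid $clsid
    "{0,-28} {1}  killbit={2}" -f $name, $clsid, (Test-OfficeComKillBit -Clsid $clsid)
}
```

Test-OfficeComKillBit on its own is the useful piece for routine checks: run it over the same list on a sample of client computers to confirm that a deployed kill bit is still in place, since this key is outside Group Policy and nothing re-applies it if it is removed.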
Change the way ActiveX controls are initialized
Office 2010 provides a setting that enables you to control the way ActiveX controls are initialized based
on SFI, UFI, and safe mode parameters. SFI, UFI, and safe mode are parameters that developers can
configure when they create ActiveX controls. ActiveX controls that are marked SFI use safe data
sources to initialize. A safe data source is one that is trusted, known, and does not cause a security
breach. Controls that are not marked SFI are considered UFI.
Safe mode is another security mechanism that developers can use to help ensure the safety of ActiveX
controls. When a developer creates an ActiveX control that implements safe mode, the control can be
initialized in two ways: in safe mode and in unsafe mode. When an ActiveX control is initialized in safe
mode, certain restrictions that limit functionality are imposed on the control. Conversely, when an
ActiveX control is initialized in unsafe mode, there are no restrictions on its functionality. For example,
an ActiveX control that reads and writes files might only be able to read files if it is initialized in safe
mode, and it might be able to read and write files when it is initialized in unsafe mode. Only ActiveX
controls that are SFI can be initialized in safe mode. ActiveX controls that are UFI are always initialized
in unsafe mode.
If the default initialization for ActiveX controls is insufficient for your organization but you do not want to
disable ActiveX controls, use the following guidelines to determine how you can change the way
ActiveX controls are initialized.
Setting name: ActiveX control initialization
Description: This setting specifies how ActiveX controls are initialized for all Office 2010 applications.
This is a global setting and cannot be configured on a per-application basis. You can select one of
six possible initialization security levels for this setting:
Security level 1: Regardless of how the control is marked, load it and use persistent values (if
any). This setting prevents users from being prompted.
Security level 2: If the control is marked SFI, load the control in safe mode and use persistent
values (if any). If the control is not marked SFI, load in unsafe mode with persistent values (if
any), or use the default (first-time initialization) settings. This level resembles the default
configuration, but unlike the default configuration this setting prevents users from being notified.
Security level 3: If the control is marked SFI, load the control in unsafe mode and use
persistent values (if any). If the control is not marked SFI, prompt the user and advise them that
it is marked unsafe. If the user decides No at the prompt, do not load the control. Otherwise,
load it with default (first-time initialization) settings.
Security level 4: If the control is marked SFI, load the control in safe mode and use persistent
values (if any). If the control is not marked SFI, prompt the user and advise them that it is
marked unsafe. If the user decides No at the prompt, do not load the control. Otherwise, load it
with default (first-time initialization) settings.
Security level 5: If the control is marked SFI, load the control in unsafe mode and use
persistent values (if any). If the control is not marked SFI, prompt the user and advise them that
it is marked unsafe. If the user decides No at the prompt, do not load the control. Otherwise,
load it with persistent values.
Security level 6: If the control is marked SFI, load the control in safe mode and use persistent
values (if any). If the control is not marked SFI, prompt the user and advise them that it is
marked unsafe. If the user decides No at the prompt, do not load the control. Otherwise, load it
with persistent values.
Impact: If a control is not marked SFI, the control could adversely affect a computer or it could mean
that the developers did not test the control in all situations and cannot know for sure whether it
might be compromised in the future. In addition, some ActiveX controls do not respect the safe
mode registry setting, and therefore might load persistent data even though you configure this
setting so that ActiveX controls initialize in safe mode. Enabling this setting and selecting security
level 2, 4, or 6 only increases security for ActiveX controls that are accurately marked as SFI. In
situations that involve malicious or poorly designed code, an ActiveX control might be inaccurately
marked as SFI.
Guidelines: Most organizations enable this setting and select security level 2, which uses the same
initialization criteria as the default configuration but does not notify users in the Message Bar.
Organizations that have a highly restrictive security environment typically disable this setting, which
is the default configuration.
Note:
For the latest information about policy settings, refer to the Microsoft Excel 2010 workbook
Office2010GroupPolicyAndOCTSettings_Reference.xls, which is available in the Files in this
Download section on the Office 2010 Administrative Template files (ADM, ADMX, ADML) and
Office Customization Tool (http://go.microsoft.com/fwlink/?LinkID=189316&clcid=0x409)
download page.
See Also
Security overview for Office 2010
Configure security for Office 2010 (http://technet.microsoft.com/library/14675abe-a72c-4d01-aa41-
ebd35ffc9165(Office.14).aspx)
Plan security settings for VBA macros for Office 2010
If you want to control the way Visual Basic for Applications (VBA) and VBA macros behave, you can
modify Microsoft Office 2010 VBA and VBA macros settings for the following applications: Microsoft
Access 2010, Microsoft Excel 2010, Microsoft PowerPoint 2010, Microsoft Publisher 2010, Microsoft
Visio 2010, and Microsoft Word 2010.
In this article:
About planning VBA and VBA macro settings
Change the security warning settings for VBA macros
Disable VBA
Change how VBA macros behave in applications that are started programmatically
Change how encrypted VBA macros are scanned for viruses
Related VBA macro settings
The developer who signed the macro is a trusted publisher.
Note:
The default security setting for macros is different in Microsoft Outlook 2010. For more
information, see the Outlook 2010 security documentation.
VBA macros that are not trusted are not allowed to run until a user clicks the Message Bar and selects
to enable the VBA macro.
Important:
If Disable all except digitally signed macros is selected, users cannot open unsigned
Access 2010 databases.
If you select Disable all without notification, documents and templates that contain unsigned and
signed macros lose all functionality supplied by those macros. This is true even if a macro is signed
and the publisher is listed in the Trusted Publisher list.
Guidelines: Organizations that have a highly restrictive security environment typically enable this
setting and select the Disable all except digitally signed macros option. Organizations that do
not let users run macros typically enable this setting and select Disable all without notification.
Disable VBA
Office 2010 provides a setting that enables you to disable VBA. By default, VBA is enabled. Use the
following guidelines to determine how to configure this setting if you want to disable VBA.
Setting name: Disable VBA for Office applications
Description: This setting disables VBA in Excel 2010, Microsoft Outlook 2010, PowerPoint 2010,
Publisher 2010, Microsoft SharePoint Designer 2010, and Word 2010, and prevents any VBA code
from running in these applications. You cannot configure this setting on a per-application basis. It is
a global setting. Enabling this setting does not install or remove any VBA-related code from a user's
computer.
Impact: If you enable this setting, VBA code does not run. If your organization has business-critical
requirements for using documents that have VBA code, do not enable this setting.
Guidelines: Organizations that have a highly restrictive security environment typically enable this
setting.
Use application macro security level: Macro functionality is determined according to how you
configure the VBA macro warning settings setting for each application.
Impact: If you enable this setting and select the Disable macros by default option, macros will not run
in applications that are programmatically started. This can be a problem if an application is started
programmatically and then opens a document or a template that contains macros. In this case, the
functionality that is provided by the macros is not available. The same situation might occur if you
select the Use application macro security level option and you disable macros using the VBA
macro warning settings setting.
Guidelines: Most organizations enable this setting and select the Use application macro security
level option. However, organizations that have a highly restrictive security environment typically
enable this setting and select the Disable macros by default option.
true if the client computer does not have an antivirus program installed and you enable this setting
and select the Scan if antivirus software available option.
Guidelines: Most organizations use the default configuration for this setting and do not change this
setting.
Note:
For the latest information about policy settings, refer to the Microsoft Excel 2010 workbook
Office2010GroupPolicyAndOCTSettings_Reference.xls, which is available in the Files in this
Download section on the Office 2010 Administrative Template files (ADM, ADMX, ADML) and
Office Customization Tool (http://go.microsoft.com/fwlink/?LinkID=189316&clcid=0x409)
download page.
See Also
Security overview for Office 2010
Plan COM object categorization for Office 2010
You can control the behavior of certain COM objects in Microsoft Office 2010 by using COM object
categorization. COM objects can include ActiveX, Object Linking and Embedding (OLE), Excel
RealTimeData (RTD) servers, and Office Web Components (OWC) data source providers. For
example, you can create a security allow list, which will only allow the specified COM objects to load or
you could choose to override the Internet Explorer kill bit.
In this article:
About COM object categorization
Configure Group Policy security settings for COM object categorization
Add COM object categorization in registry
Check OLE objects and Check ActiveX objects have additional options when you select Enabled.
These options are listed in the following table.
Option                                         Description
Override IE kill bit list (default behavior)   Office uses the category list to override Internet
                                               Explorer kill bit checks.
Strict allow list                              Office loads only ActiveX objects that are
                                               categorized correctly.
The Override IE kill bit list option lets you specifically list which OLE or ActiveX controls will be
allowed to load within Office 2010 as long as they are categorized correctly, even if they are on the
Internet Explorer kill bit list. Use this option when a COM object is designated as unsafe to load in
Internet Explorer but you know that it is safe to load in Microsoft Office. Office also checks whether
the Office COM kill bit is enabled. For more information about the
Office COM kill bit, see Plan security settings for ActiveX controls for Office 2010. If the Office COM kill
bit is enabled and there is no alternate CLSID, also known as a Phoenix bit, the COM object will not
load. For more information about kill bit behavior, see How to stop an ActiveX control from running in
Internet Explorer (http://go.microsoft.com/fwlink/?LinkId=183124).
Use the Strict allow list option when you want to create a security allow list that lets only the
specified controls load and blocks every other OLE or ActiveX object that is not on the list.
If you enable any of the COM object categorization settings within Group Policy, the next step is to add
the COM object categorization in the registry.
Unless the Group Policy setting is disabled, or is enabled with the Do not check option, you must
add the correct CATID to each designated COM object. In the registry, you add a key (if it does
not already exist) named Implemented Categories under the CLSID of the COM object. Then, you add a
subkey that contains the CATID to the Implemented Categories key.
For example, if you create an allow list and allow only the OLE object, Microsoft Graph Chart, to be
used in Office, you would first look up the CLSID for that COM object in the following location in the
registry:
HKEY_CLASSES_ROOT\CLSID
The CLSID for the Microsoft Graph Chart is {00020803-0000-0000-C000-000000000046}. The next
step is to verify that the key Implemented Categories already exists, or to create it if it does not.
The path in this example is:
HKEY_CLASSES_ROOT\CLSID\{00020803-0000-0000-C000-000000000046}\Implemented Categories
Finally, you would add a new subkey for the CATID that corresponds to the Check OLE object Group
Policy setting to the Implemented Categories key. The final path and values for this example will be:
HKEY_CLASSES_ROOT\CLSID\{00020803-0000-0000-C000-000000000046}\Implemented Categories\{F3E0281E-C257-444E-87E7-F3DC29B62BBD}
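The walkthrough above, scripted. This PowerShell script is an added example and not code from the Microsoft guide; the CLSID and CATID are the two values given in the text. Windows PowerShell has no HKCR: drive by default, so the script reaches HKEY_CLASSES_ROOT through the Registry:: provider prefix. It refuses to create anything for a CLSID that is not registered on the computer, which is the usual cause of an allow-list entry that appears to have no effect.

```powershell
# Added example: register the Check OLE objects CATID on the Microsoft Graph Chart
# CLSID as described in the walkthrough, and verify the result.
# Writes under HKEY_CLASSES_ROOT, so run from an elevated PowerShell session.
$GraphChartClsid = '{00020803-0000-0000-C000-000000000046}'   # from the text
$CheckOleCatid   = '{F3E0281E-C257-444E-87E7-F3DC29B62BBD}'   # from the text

function Add-ComObjectCategory {
    param(
        [Parameter(Mandatory = $true)][string]$Clsid,
        [Parameter(Mandatory = $true)][string]$Catid
    )
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path $clsidKey)) {
        throw "CLSID $Clsid is not registered on this computer; nothing to categorize."
    }

    # Step 1: make sure the Implemented Categories key exists under the CLSID.
    $categoriesKey = "$clsidKey\Implemented Categories"
    if (-not (Test-Path $categoriesKey)) { New-Item -Path $categoriesKey | Out-Null }

    # Step 2: add the CATID subkey (an empty key is all that is needed).
    $targetKey = "$categoriesKey\$Catid"
    if (-not (Test-Path $targetKey)) { New-Item -Path $targetKey | Out-Null }
    return $targetKey
}

function Test-ComObjectCategory {
    param(
        [Parameter(Mandatory = $true)][string]$Clsid,
        [Parameter(Mandatory = $true)][string]$Catid
    )
    return (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\Implemented Categories\$Catid")
}

Add-ComObjectCategory  -Clsid $GraphChartClsid -Catid $CheckOleCatid
Test-ComObjectCategory -Clsid $GraphChartClsid -Catid $CheckOleCatid
```

With Strict allow list selected, Test-ComObjectCategory is the check to run for every control the organization expects to keep working: a control whose CLSID lacks the CATID subkey will simply stop loading once the policy is enabled.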
Note:
For the latest information about policy settings, refer to the Microsoft Excel 2010 workbook
Office2010GroupPolicyAndOCTSettings_Reference.xls, which is available in the Files in this
Download section on the Office 2010 Administrative Template files (ADM, ADMX, ADML) and
Office Customization Tool (http://go.microsoft.com/fwlink/?LinkID=189316&clcid=0x409)
download page.
Plan Protected View settings for Office 2010
If you want to change how the sandbox preview feature in Microsoft Office 2010 behaves, you can
configure Protected View settings. Protected View is a new security feature in Office 2010 that helps
mitigate exploits to your computer by opening files in a restricted environment so they can be examined
before they are opened for editing in Microsoft Excel 2010, Microsoft PowerPoint 2010, or Microsoft
Word 2010.
In this article:
About planning Protected View settings
Prevent files from opening in Protected View
Force files to open in Protected View
Add files to the list of unsafe files
AES zone information determines that a file is not safe: Attachment Execution Services (AES)
adds zone information to files that are downloaded by Microsoft Outlook or Microsoft Internet
Explorer. If a file's zone information indicates that the file originated from an untrusted Web site or
the Internet, the downloaded file opens in Protected View.
A user opens a file in Protected View: Users can open files in Protected View by selecting Open
in Protected View in the Open dialog box, or by holding down the SHIFT key, right-clicking a file,
and then selecting Open in Protected View.
A file is opened from an unsafe location: By default, unsafe locations include the user's
Temporary Internet Files folder and the downloaded program files folder. However, you can use
Group Policy settings to designate other unsafe locations.
In some cases, Protected View is bypassed even if one or more of the previously listed conditions are
met. Specifically, files do not open in Protected View if any one of the following is true:
A file is opened from a trusted location.
A file is considered a trusted document.
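The AES zone information mentioned in the first condition is stored with the file as an alternate data stream named Zone.Identifier, which is what makes it possible to explain, after the fact, why a particular file opened in Protected View. The following PowerShell script is an added example and not code from the Microsoft guide; it reads that stream and maps the ZoneId line to the Internet Explorer security zone it refers to. It needs PowerShell 3.0 or later for the -Stream parameter, and the sample path is a placeholder.

```powershell
# Added example: read the AES zone information (Zone.Identifier alternate data
# stream) that Outlook and Internet Explorer attach to downloaded files.
# Needs PowerShell 3.0 or later (-Stream). The sample path is a placeholder.
$SampleFile = 'C:\Users\Public\Downloads\quarterly-report.docx'

# Zone numbers written into the stream's ZoneId line (Internet Explorer security zones).
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-FileZone {
    param([Parameter(Mandatory = $true)][string]$Path)

    # A file that was never downloaded has no Zone.Identifier stream at all.
    $lines  = Get-Content -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    $zoneId = $null
    foreach ($line in @($lines)) {
        if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1]; break }
    }

    $zoneName = 'none'
    if ($zoneId -ne $null -and $ZoneNames.ContainsKey($zoneId)) { $zoneName = $ZoneNames[$zoneId] }

    # Internet (3) and Restricted sites (4) are the untrusted origins that make
    # AES zone information send a file to Protected View.
    New-Object PSObject -Property @{
        File                     = $Path
        ZoneId                   = $zoneId
        Zone                     = $zoneName
        AesTriggersProtectedView = ($zoneId -ne $null -and $zoneId -ge 3)
    }
}

Get-FileZone -Path $SampleFile | Format-List File, ZoneId, Zone, AesTriggersProtectedView
```

A file that reports AesTriggersProtectedView = True and still opened for editing was reached through one of the bypasses listed above (a trusted location or a trusted document), or through one of the Group Policy settings that turn this condition off; checking those is the next step in the investigation.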
Note:
For detailed information about the settings that are discussed in this article, see Security
policies and settings in Office 2010. For information about how to configure security settings in
the Office Customization Tool (OCT) and the Office 2010 Administrative Templates, see
Configure security for Office 2010.
Do not open files from the Internet zone in Protected View This setting forces files to bypass
Protected View if the AES zone information indicates that the file was downloaded from the Internet
zone. This setting applies to files that are downloaded by using Internet Explorer, Outlook Express,
and Outlook.
Do not open files in unsafe locations in Protected View This setting forces files to bypass
Protected View if the files are opened from an unsafe location. You can add folders to the unsafe
locations list by using the Specify list of unsafe locations setting, which is discussed later in this
article.
Turn off Protected View for attachments opened in Outlook This setting forces Excel 2010,
PowerPoint 2010, and Word 2010 files that are opened as Outlook 2010 attachments to bypass
Protected View.
These settings do not apply if File Block settings force the file to open in Protected View. Also, these
settings do not apply if a file fails Office File Validation. You can configure each of these settings on a
per-application basis for Excel 2010, PowerPoint 2010, and Word 2010.
Block completely Files that fail Office File Validation cannot be opened in Protected View or
opened for editing.
Open in Protected View and disallow editing Files that fail Office File Validation are opened in
Protected View but users cannot edit the files.
Open in Protected View and allow editing Files that fail Office File Validation are opened in
Protected View and users are allowed to edit the files. This is the default.
By selecting the second option, you can restrict Protected View behavior for files that fail Office File
Validation. You can configure this Office File Validation setting only on a per-application basis for Excel
2010, PowerPoint 2010, and Word 2010. For more information about Office File Validation settings, see
Plan Office File Validation settings for Office 2010.
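The trigger conditions, the bypass settings, and the File Block and Office File Validation overrides described above combine into one decision, which the following Python model makes explicit. It is an added example and is not code from the Office 2010 product or from this document. It first parses the Zone.Identifier alternate data stream that Attachment Execution Services writes (an INI-style stream with a ZoneId line, where 3 is the Internet zone and 4 is Restricted sites) and then applies the rules from this article in order. The sample stream, the folder names, and the precedence between File Block and trusted locations (which this page does not state) are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence

# Zone IDs that Attachment Execution Services writes into the Zone.Identifier
# alternate data stream (URLZONE values): 3 = Internet, 4 = Restricted sites.
ZONE_INTERNET = 3
ZONE_RESTRICTED = 4

# Possible outcomes of opening a file.
BLOCKED = "blocked"
PV_NO_EDIT = "protected_view_no_edit"
PV = "protected_view"
EDIT = "open_for_editing"


def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """Return the ZoneId from the text of a Zone.Identifier stream, or None if absent.

    The stream is INI-like: a [ZoneTransfer] section with a 'ZoneId=3' line.
    Other keys (ReferrerUrl, HostUrl) are ignored here.
    """
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section:
            m = re.match(r"zoneid\s*=\s*(\d+)\s*$", line, re.IGNORECASE)
            if m:
                return int(m.group(1))
    return None


def _in_location(path: str, locations: Sequence[str]) -> bool:
    """Case-insensitive 'path is inside one of these folders' check for Windows paths."""
    p = path.replace("/", "\\").lower()
    for loc in locations:
        folder = loc.replace("/", "\\").lower().rstrip("\\") + "\\"
        if p.startswith(folder):
            return True
    return False


@dataclass
class Policy:
    trusted_locations: Sequence[str] = ()
    unsafe_locations: Sequence[str] = ()
    # The three "Do not open ... in Protected View" settings (Enabled = True).
    bypass_pv_for_internet_zone: bool = False
    bypass_pv_for_unsafe_locations: bool = False
    bypass_pv_for_outlook_attachments: bool = False
    # Office File Validation failure behaviour: "block", "pv_no_edit", or "pv_edit" (the default).
    ofv_failure_mode: str = "pv_edit"


@dataclass
class FileOpen:
    path: str
    zone_id: Optional[int] = None          # from parse_zone_identifier(); None if no stream
    outlook_attachment: bool = False
    user_chose_protected_view: bool = False
    trusted_document: bool = False
    file_block_forces_pv: bool = False
    ofv_failed: bool = False


def decide(f: FileOpen, pol: Policy) -> str:
    # Trusted locations and trusted documents skip Protected View and OFV entirely.
    if f.trusted_document or _in_location(f.path, pol.trusted_locations):
        return EDIT
    # An OFV failure or a File Block rule overrides the three bypass settings.
    # (Assumption: trusted locations take precedence over File Block; not stated on the page.)
    if f.ofv_failed:
        return {"block": BLOCKED, "pv_no_edit": PV_NO_EDIT, "pv_edit": PV}[pol.ofv_failure_mode]
    if f.file_block_forces_pv:
        return PV
    # Ordinary triggers, each subject to its own bypass setting.
    if f.user_chose_protected_view:
        return PV
    if f.outlook_attachment and not pol.bypass_pv_for_outlook_attachments:
        return PV
    if f.zone_id in (ZONE_INTERNET, ZONE_RESTRICTED) and not pol.bypass_pv_for_internet_zone:
        return PV
    if _in_location(f.path, pol.unsafe_locations) and not pol.bypass_pv_for_unsafe_locations:
        return PV
    return EDIT


# Constructed sample: a Zone.Identifier stream as Internet Explorer writes it for a download.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=http://example.invalid/q3.xlsx\r\n"

if __name__ == "__main__":
    pol = Policy(trusted_locations=[r"C:\Corp\Templates"],
                 unsafe_locations=[r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files"])
    f = FileOpen(r"C:\Users\alice\Downloads\q3.xlsx", zone_id=parse_zone_identifier(SAMPLE_STREAM))
    print(decide(f, pol))
```

The order of the checks is the point: the three "Do not open ... in Protected View" settings only switch off individual triggers, whereas a File Block rule or an Office File Validation failure still forces Protected View (or blocks the file) regardless of those settings, and only a trusted location or a trusted document wins over everything. That is why widening trusted locations, not relaxing the bypass settings, is the change that actually removes the sandbox from a file.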
Note:
For the latest information about policy settings, refer to the Microsoft Excel 2010 workbook
Office2010GroupPolicyAndOCTSettings_Reference.xls, which is available in the Files in this
Download section on the Office 2010 Administrative Template files (ADM, ADMX, ADML) and
Office Customization Tool (http://go.microsoft.com/fwlink/?LinkID=189316&clcid=0x409)
download page.
See Also
Security overview for Office 2010
Understand security threats and countermeasures for Office 2010
Plan Office File Validation settings for Office 2010
Plan Office File Validation settings for Office 2010
If you want to change how Microsoft Office 2010 validates files that are stored in Microsoft Office binary
file formats, you can configure Office File Validation settings. Office File Validation is a new security
feature in Office 2010 that helps prevent file format attacks by scanning Office binary file formats before
they are opened in Microsoft Excel 2010, Microsoft PowerPoint 2010, or Microsoft Word 2010.
In this article:
About planning Office File Validation settings
Turn off Office File Validation
Change document behavior when validation fails
Turn off Office File Validation reporting
Word 97-2003 Template files. These files have a .dot extension.
Office 2010 provides several settings that let you change how the Office File Validation feature
behaves. You can use these settings to do the following:
Disable Office File Validation.
Specify document behavior when a file fails validation.
Prevent Office 2010 from sending Office File Validation information to Microsoft.
Note:
For detailed information about the settings that are discussed in this article, see Security
policies and settings in Office 2010. For information about how to configure security settings in
the Office Customization Tool (OCT) and the Office 2010 Administrative Templates, see
Configure security for Office 2010.
By default, Office File Validation is enabled in Excel 2010, PowerPoint 2010, and Word 2010. Any files
that fail validation are opened in Protected View and users can choose to enable editing for files that fail
validation but are opened in Protected View. Also, users are prompted to send Office File Validation
information to Microsoft. Information is collected only for files that fail validation.
We recommend that you do not change the default settings for Office File Validation. However, some
organizations might have to configure Office File Validation settings to suit special security
requirements. Specifically, organizations that have the following security requirements might have to
change the default settings for the Office File Validation feature:
Organizations that restrict access to the Internet. Office File Validation prompts users to send
validation error information to Microsoft approximately every two weeks. This could violate an
organization's Internet access policies. In this case, you might need to prevent Office File Validation
from sending the information to Microsoft. For more information, see Turn off Office File Validation
reporting later in this article.
Organizations that have highly restrictive security environments. You can configure Office File
Validation so that files that fail validation cannot be opened, or can be opened only in Protected
View. This is more restrictive than the default settings for Office File Validation and might be
suitable for organizations that have a locked-down security environment. For more information about
how to change document behavior, see Change document behavior when validation fails later in
this article.
Organizations that do not want their files sent to Microsoft. If users allow it, Office File Validation
sends a copy of all files that fail validation to Microsoft. You can configure Office File Validation so
that users are not prompted to send validation information to Microsoft.
example, if you enable the Turn off file validation setting for Excel 2010, Office File Validation does
not scan or validate Excel 97-2003 Workbook files, Excel 97-2003 Template files, or Microsoft Excel
5.0/95 files. If a user opens one of those file types, and the file contains a file format attack, the attack
will not be detected or prevented unless some other security control detects and prevents such an
attack.
We recommend that you do not turn off Office File Validation. Office File Validation is a key part of the
layered defense strategy in Office 2010 and should be enabled on all computers throughout an
organization. If you want to prevent specific files from being validated by the Office File Validation
feature, we recommend that you use the Trusted Locations feature. Files that are opened from trusted
locations skip Office File Validation checks. You can also use the Trusted Documents feature to prevent
a file from being validated by Office File Validation. Files that are considered to be trusted documents
do not undergo Office File Validation checks. Because both mechanisms skip validation entirely,
designate as trusted only locations that untrusted users cannot write to; a trusted location on a
network share that many people can write to is equivalent to turning the check off for everything
that can be placed there.
Turn off Office File Validation reporting
You can use the Turn off error reporting for files that fail file validation setting to suppress the
dialog box that prompts users to send information to Microsoft. This setting also prevents validation
information from being sent to Microsoft.
Every time that a file fails validation, Office 2010 collects information about why the file failed validation.
Approximately two weeks after a file fails validation, Office 2010 prompts users to send Office File
Validation information to Microsoft. The validation information includes such things as the file types, file
sizes, how long it took to open the files, and how long it took to validate the files. Copies of the files that
failed validation are also sent to Microsoft. Users see the list of files when they are prompted to send
validation information to Microsoft. Users can decline to send validation information to Microsoft, which
means no information about failed validations is sent to Microsoft and no files are sent to Microsoft. If
an organization restricts Internet access, has restrictive Internet access policies, or does not want files
sent to Microsoft, you might have to enable the Turn off error reporting for files that fail file
validation setting.
Important:
The Office File Validation feature can occasionally indicate that a file failed validation when in
fact the file is valid. The validation reporting feature helps Microsoft improve the Office File
Validation feature and minimize the occurrence of false positive results.
Note:
For the latest information about policy settings, refer to the Microsoft Excel 2010 workbook
Office2010GroupPolicyAndOCTSettings_Reference.xls, which is available in the Files in this
Download section on the Office 2010 Administrative Template files (ADM, ADMX, ADML) and
Office Customization Tool (http://go.microsoft.com/fwlink/?LinkID=189316&clcid=0x409)
download page.
See Also
Security overview for Office 2010
Configure security for Office 2010 (http://technet.microsoft.com/library/14675abe-a72c-4d01-aa41-ebd35ffc9165(Office.14).aspx)
Plan password complexity settings for Office 2010
Microsoft Office 2010 provides settings to allow you to enforce strong passwords, such as password
length and complexity rules, when you use the Encrypt with Password feature in Microsoft Excel
2010, Microsoft PowerPoint 2010, and Microsoft Word 2010. By using these settings, you can have
Office 2010 applications enforce local password requirements or the domain-based requirements that
are specified in the Password Policy settings in Group Policy.
In this article:
About planning password length and complexity settings
Determine the password rules level
Related password length and complexity settings
Caution:
When you establish password policies, you need to balance the need for strong security with
the need to make the password policy easy for users to implement. If a password is forgotten or
an employee leaves an organization without providing the passwords used to save and encrypt
the data, the data is inaccessible until the correct password is available to decrypt the data.
enforce strong passwords for domain log on and authentication, we recommend that you configure the
password length and complexity settings for Office 2010 the same as they are configured for the
Password Policy Group Policy object for the domain.
The password settings included with Office 2010 are listed as follows:
Set minimum password length
Set password rules level
Set password rules domain time-out
You can configure the Office 2010 password settings by using the Office Customization Tool (OCT) or
the Office 2010 Administrative Templates for local or domain-based group policies. For information
about how to configure security settings in the OCT and the Office 2010 Administrative Templates, see
Configure security for Office 2010.
The password settings available for the Password Policy Group Policy object on the domain are listed
as follows:
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Store passwords using reversible encryption
You can use the Group Policy Object Editor to configure the domain-based Password Policy settings
(GPO | Computer Configuration | Policies | Windows Settings | Security Settings | Account
Policies | Password Policy). For more information, see Group Policy Object Editor Technical
Reference (http://go.microsoft.com/fwlink/?LinkId=188682).
The Set password rules level setting in Office 2010 determines the password complexity
requirements and whether the Password Policy Group Policy object for the domain will be used.
To enforce password length and complexity for the Encrypt with Password feature, you must do the
following:
Determine the minimum password length that you want to enforce locally.
Determine the password rules level.
Determine the password time-out value for domain-based password enforcement. (This is an
optional task. You might need to configure this value if there is a custom password filter installed on
your domain controller and the default time to wait when contacting a domain controller of 4
seconds is insufficient.)
Determine minimum password length requirement
To enforce password length and complexity, you must first determine the minimum password length
that you want to enforce locally. The Set minimum password length setting lets you do this. When
you enable this setting, you can specify a password length between 0 and 255. However, specifying a
minimum password length does not by itself enforce password length: the value is used only when the
Set password rules level setting, which is discussed in the following section, is set to a level that
includes a length check.
Caution:
When you establish password policies, you need to balance the need for strong security with
the need to make the password policy easy for users to implement. If a password is forgotten or
an employee leaves an organization without providing the passwords used to save and encrypt
the data, the data is inaccessible until the correct password is available to decrypt the data.
If you want to enforce password length and password complexity by using domain-based settings, you
must configure Password Policy settings in Group Policy. Domain-based enforcement has several
advantages over local enforcement. Some of the advantages include the following:
Password length and complexity requirements are the same for log on and authentication as they
are for the Encrypt with Password feature.
Password length and complexity requirements are enforced the same way throughout the
organization.
Password length and complexity requirements can be enforced differently for different domains.
(Note that the Password Policy settings for domain accounts are read only from Group Policy objects
that are linked at the domain level; linking a Password Policy to an organizational unit or site affects
only the local accounts on the computers in that container. Varying the policy for particular users or
groups within one domain requires fine-grained password policies, which are available on Windows
Server 2008 and later.)
To learn more about enforcing password length and complexity by using domain-based Group Policy,
see Enforcing strong password usage throughout your organization
(http://go.microsoft.com/fwlink/?LinkId=166262).
Note:
The domain time-out value has no effect unless you enable the Set minimum password
length setting, enable the Set password rules level setting, and then select the Local length,
local complexity, and domain policy checks option.
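To make concrete what each rules level checks, the following Python is an added model of the Office 2010 password checks for Encrypt with Password; it is example code, not Office's implementation. It assumes that the Office local complexity check is the same rule as the Windows "Password must meet complexity requirements" policy (at least six characters, characters from three of the four categories uppercase, lowercase, digits and non-alphanumeric, and no token of the account name or full name longer than two characters), that the four option names of Set password rules level are as listed in the code (only the last one appears on this page), and it uses a small constructed banned-password list in place of a domain controller's password filter. The 4-second domain time-out is not modelled.

```python
import re
from typing import Callable, List, Optional, Tuple

# The four options of "Set password rules level". Only the last is named on this page;
# the other three names are assumed from the Office 2010 policy reference.
NO_CHECKS = "No password checks"
LOCAL_LENGTH = "Local length check"
LOCAL_LENGTH_COMPLEXITY = "Local length and complexity check"
LOCAL_AND_DOMAIN = "Local length, local complexity, and domain policy checks"

# Violation codes returned by check_password().
TOO_SHORT = "too_short"
TOO_FEW_CATEGORIES = "too_few_categories"
CONTAINS_NAME = "contains_name"
DOMAIN_REJECTED = "domain_rejected"

# The four character categories of the Windows complexity rule.
_CATEGORIES = (
    lambda c: c.isupper(),
    lambda c: c.islower(),
    lambda c: c.isdigit(),
    lambda c: not c.isalnum(),
)


def _name_tokens(account_name: str, full_name: str) -> List[str]:
    """Account name plus the parts of the full name longer than two characters,
    split on the delimiters the Windows rule uses (comma, period, dash,
    underscore, space, pound sign, tab)."""
    tokens = [account_name] + re.split(r"[,.\-_ #\t]+", full_name)
    return [t.lower() for t in tokens if len(t) > 2]


def meets_windows_complexity(password: str, account_name: str = "", full_name: str = "") -> List[str]:
    """Windows 'Password must meet complexity requirements' (assumed to match Office's
    local complexity check). Returns the list of violations; empty means compliant."""
    problems = []
    if len(password) < 6:
        problems.append(TOO_SHORT)
    if sum(any(test(c) for c in password) for test in _CATEGORIES) < 3:
        problems.append(TOO_FEW_CATEGORIES)
    lowered = password.lower()
    if any(tok in lowered for tok in _name_tokens(account_name, full_name)):
        problems.append(CONTAINS_NAME)
    return problems


def check_password(password: str, level: str, min_length: int,
                   account_name: str = "", full_name: str = "",
                   domain_check: Optional[Callable[[str], Tuple[bool, str]]] = None) -> List[str]:
    """Model of the Office 2010 checks. min_length is the "Set minimum password length"
    value; as the page says, it has no effect unless the rules level includes a length check."""
    if level == NO_CHECKS:
        return []
    problems = []
    if len(password) < min_length:
        problems.append(TOO_SHORT)
    if level in (LOCAL_LENGTH_COMPLEXITY, LOCAL_AND_DOMAIN):
        for p in meets_windows_complexity(password, account_name, full_name):
            if p not in problems:
                problems.append(p)
    if level == LOCAL_AND_DOMAIN and domain_check is not None:
        # Stand-in for the domain controller's (possibly custom) password filter.
        ok, _reason = domain_check(password)
        if not ok:
            problems.append(DOMAIN_REJECTED)
    return problems


# Constructed stand-in for a custom domain password filter that bans a few seasonal passwords.
BANNED = {"winter2024!", "summer2024!", "welcome1!"}


def sample_domain_filter(password: str) -> Tuple[bool, str]:
    if password.lower() in BANNED:
        return False, "password is on the organization's banned list"
    return True, ""


if __name__ == "__main__":
    for pw in ("abc", "Passw0rd!", "Alice2024!", "Winter2024!"):
        print(pw, check_password(pw, LOCAL_AND_DOMAIN, 8, "asmith", "Alice Smith", sample_domain_filter))
```

The example shows why the page recommends matching the Office settings to the domain Password Policy: "Winter2024!" passes every local check (length, three of four categories, no name fragment) and is stopped only by the domain filter, so an organization that enforces a banned-word filter for logons but leaves Office at Local length and complexity check would still accept it for document encryption.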
Note:
For the latest information about policy settings, refer to the Microsoft Excel 2010 workbook
Office2010GroupPolicyAndOCTSettings_Reference.xls, which is available in the Files in this
Download section on the Office 2010 Administrative Template files (ADM, ADMX, ADML) and
Office Customization Tool (http://go.microsoft.com/fwlink/?LinkID=189316&clcid=0x409)
download page.
See Also
Security overview for Office 2010
Configure security for Office 2010 (http://technet.microsoft.com/library/14675abe-a72c-4d01-aa41-ebd35ffc9165(Office.14).aspx)
Plan cryptography and encryption settings for Office 2010
Microsoft Office 2010 contains settings that let you control the way that data is encrypted when you use
Microsoft Access 2010, Microsoft Excel 2010, Microsoft OneNote 2010, Microsoft PowerPoint 2010,
Microsoft Project 2010, and Microsoft Word 2010. This article discusses cryptography and encryption in
Office 2010, describes the settings that you can use to encrypt data, and provides information about
compatibility with previous versions of Microsoft Office. For information about Microsoft Outlook 2010,
see Plan for e-mail messaging cryptography in Outlook 2010.
As you plan your encryption settings, consider the following guidelines:
We recommend that you do not change the default encryption settings unless your organization's
security model requires encryption settings that differ from the default settings.
We recommend that you enforce password length and complexity to help ensure that strong
passwords are used when you encrypt data. For more information, see Plan password complexity
settings for Office 2010.
We recommend that you do not use RC4 encryption. For more information, see Compatibility with
previous versions of Office later in this article.
There is no administrative setting that lets you force users to encrypt documents. However,
there is an administrative setting that lets you remove the ability to add passwords to documents
and, therefore, disallow the encryption of documents. For more information, see Cryptography and
encryption settings later in this article.
Saving documents in trusted locations does not affect encryption settings. If a document is
encrypted and it is saved in a trusted location, a user must provide a password to open the
document.
In this article:
About cryptography and encryption in Office 2010
Cryptography and encryption settings
Compatibility with previous versions of Office
CNG allows for more agile encryption: different encryption and hashing algorithms that are supported
on the host computer can be specified for the document encryption process. CNG is also more
extensible, because third-party encryption modules can be used.
When Office uses CryptoAPI, the encryption algorithms depend on those that are available in a
cryptographic service provider (CSP), which is part of the Windows operating system. The following
registry key contains a list of CSPs that are installed on a computer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider
The following CNG encryption algorithms, or any other CNG cipher extension installed on the system,
can be used with Office 2010 or the 2007 Office system SP2:
AES, DES, DESX, 3DES, 3DES_112, and RC2
The following CNG hashing algorithms, or any other CNG hash extension that is installed on the
system, can be used with Office 2010 or the 2007 Office system SP2:
MD2, MD4, MD5, RIPEMD-128, RIPEMD-160, SHA-1, SHA256, SHA384, and SHA512
That an algorithm is available does not mean that it is appropriate. DES, DESX, 3DES, 3DES_112, and
RC2 are legacy 64-bit-block ciphers, and MD2, MD4, and MD5 are considered cryptographically broken.
If you change the defaults at all, keep AES as the cipher and choose a SHA-2 hash (SHA256 or
stronger) for the password hash.
Although there are Office 2010 settings to change how encryption is performed, when you encrypt
Open XML Format files (.docx, .xlsx, .pptx, and so on) the default values AES (Advanced Encryption
Standard) with a 128-bit key, SHA1 for the password hash, and CBC (cipher block chaining) mode
provide strong encryption and should be fine for most organizations. AES is the industry-standard
symmetric cipher: it was selected by the National Institute of Standards and Technology (NIST) as the
Advanced Encryption Standard (FIPS 197) for use by the United States Government, and the National
Security Agency (NSA) has approved it for protecting classified information. AES encryption is
supported on Windows XP SP2, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008.
Setting Description
Encryption type for password-protected Office Open XML files: This setting lets you specify an
encryption type for Open XML files from the available cryptographic service providers (CSP). This
setting is required when you use a custom COM encryption add-in. For more information, see the 2007
Office System Encryption Developers Guide, which is available as part of the SharePoint Server 2007
SDK (http://go.microsoft.com/fwlink/?LinkID=107614&clcid=0x409). This setting is also required if you
use the 2007 Office system SP1 or use a version of the Compatibility Pack that is older than the
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats
(http://go.microsoft.com/fwlink/?LinkID=78517&clcid=0x409) and you want to change the encryption
algorithm to something other than the default.
Encryption type for password-protected Office 97-2003 files: This setting lets you specify an
encryption type for Office 97-2003 (binary) files from the available cryptographic service providers
(CSP). The only supported encryption algorithm when you use this setting is RC4, which, as previously
mentioned, we do not recommend.
In Office 2010, if you must change the Encryption type for password-protected Office Open XML
files setting, you first must enable the Specify encryption compatibility setting and select the Use
legacy format option. The Specify encryption compatibility setting is available for Access 2010,
Excel 2010, PowerPoint 2010, and Word 2010. The following table lists the settings that are available to
change the encryption algorithms when you use Office 2010. These settings apply to Access 2010,
Excel 2010, OneNote 2010, PowerPoint 2010, Project 2010, and Word 2010.
Note:
All of the following settings, except for the Set parameters for CNG context and Specify CNG
random number generator algorithm settings, are applicable even when you use a
supported operating system for Office 2010, such as Windows XP SP3, which does not include
support for CNG. In this case, Office 2010 uses CryptoAPI instead of CNG. These settings
apply only when you use Office 2010 for encryption of Open XML files.
Setting Description
Set CNG cipher algorithm: This setting lets you configure the CNG cipher algorithm that is used. The
default is AES.
Configure CNG cipher chaining mode: This setting lets you configure the cipher chaining mode that
is used. The default is Cipher Block Chaining (CBC).
Set CNG cipher key length: This setting lets you configure the number of bits to use when you create
the cipher key. The default is 128 bits.
Specify encryption compatibility: This setting lets you specify the compatibility format. The default is
Use next generation format.
Set parameters for CNG context: This setting lets you specify the encryption parameters that should
be used for the CNG context. To use this setting, a CNG context first has to be created by using
CryptoAPI: Next Generation (CNG). For more information, see CNG Cryptographic Configuration
Functions (http://go.microsoft.com/fwlink/?LinkID=192996&clcid=0x409).
Specify CNG hash algorithm: This setting lets you specify the hash algorithm that is used. The default
is SHA1.
Set CNG password spin count: This setting lets you specify the number of times to spin (rehash) the
password verifier. The default is 100000.
Specify CNG random number generator algorithm: This setting lets you configure the CNG random
number generator to use. The default is RNG (Random Number Generator).
Specify CNG salt length: This setting lets you specify the number of bytes of salt that should be
used. The default is 16.
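The hash algorithm, spin count, salt length, and key length above are the inputs of the password-to-key derivation that Office 2010 uses for Open XML ("agile") encryption, as defined in the Office Document Cryptography Structure Specification that is linked at the end of this article. The following Python is an added example, not Office code, that implements that derivation with the standard library: H0 = H(salt || password as UTF-16LE), Hn = H(LE32(n) || Hn-1) for spin-count iterations, Hfinal = H(Hn || block key), truncated or 0x36-padded to the key length. The three block-key constants are the ones the specification assigns to the password verifier input, the verifier hash value, and the wrapped document key; os.urandom stands in for the CNG random number generator, and the password and salt used in the sample run are constructed.

```python
import hashlib
import os
import struct

# Block keys that the agile-encryption derivation appends to the iterated password hash so
# that the verifier and the key-wrapping key are distinct (values from MS-OFFCRYPTO).
BLOCK_VERIFIER_HASH_INPUT = bytes.fromhex("fea7d2763b4b9e79")
BLOCK_VERIFIER_HASH_VALUE = bytes.fromhex("d7aa0f6d3061344e")
BLOCK_ENCRYPTED_KEY_VALUE = bytes.fromhex("146e0be7abacd0d6")

# Office 2010 defaults named in the settings table.
DEFAULT_HASH = "sha1"
DEFAULT_SPIN_COUNT = 100000
DEFAULT_SALT_LEN = 16
DEFAULT_KEY_BITS = 128


def new_salt(salt_len: int = DEFAULT_SALT_LEN) -> bytes:
    """Random salt ("Specify CNG salt length"); os.urandom stands in for the CNG RNG."""
    return os.urandom(salt_len)


def iterated_hash(password: str, salt: bytes, spin_count: int, hash_name: str = DEFAULT_HASH) -> bytes:
    """H0 = H(salt || password_utf16le); Hn = H(LE32(n) || H(n-1)) for n in 0 .. spin_count-1.
    The spin count is the work factor: every password guess costs spin_count + 1 hashes."""
    h = hashlib.new(hash_name, salt + password.encode("utf-16-le")).digest()
    for n in range(spin_count):
        h = hashlib.new(hash_name, struct.pack("<I", n) + h).digest()
    return h


def derive_key(password: str, salt: bytes, spin_count: int, key_bits: int,
               block_key: bytes, hash_name: str = DEFAULT_HASH) -> bytes:
    """Hfinal = H(Hn || blockKey), then truncated to key_bits/8 bytes, or padded with 0x36
    when the hash output is shorter than the key (for example SHA-1 with a 256-bit key)."""
    h = hashlib.new(hash_name, iterated_hash(password, salt, spin_count, hash_name) + block_key).digest()
    key_len = key_bits // 8
    if len(h) < key_len:
        h += b"\x36" * (key_len - len(h))
    return h[:key_len]


def key_material(password: str, salt: bytes, spin_count: int = DEFAULT_SPIN_COUNT,
                 key_bits: int = DEFAULT_KEY_BITS, hash_name: str = DEFAULT_HASH) -> dict:
    """The three keys derived from one password: two for checking the password verifier and one
    that wraps the random document key (the document itself is never encrypted under the password hash)."""
    return {
        "verifier_input_key": derive_key(password, salt, spin_count, key_bits, BLOCK_VERIFIER_HASH_INPUT, hash_name),
        "verifier_value_key": derive_key(password, salt, spin_count, key_bits, BLOCK_VERIFIER_HASH_VALUE, hash_name),
        "key_wrapping_key": derive_key(password, salt, spin_count, key_bits, BLOCK_ENCRYPTED_KEY_VALUE, hash_name),
    }


if __name__ == "__main__":
    # Constructed sample run: a fresh salt and a sample password.
    salt = new_salt()
    for name, key in key_material("correct horse battery staple", salt).items():
        print(name, key.hex())
```

Of the settings in the table, the spin count is the only one that directly raises the cost of an offline password guess: with the default of 100000 spins every guess costs about 100000 SHA-1 computations, whereas the cipher and key length do not slow guessing at all. The document itself is encrypted under a random key that this derivation only wraps, so the strength of the password, not the choice of cipher, is what protects a file against someone who has a copy of it.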
In addition to the CNG settings that were listed in the previous table, the CNG setting that is listed in the
following table can be configured for Excel 2010, PowerPoint 2010, and Word 2010.
Setting Description
Use new key on password change: This setting lets you specify if a new encryption key should be
used when the password is changed. The default is not to use a new key on password changes. If the
key is not changed, anyone who recovered the document encryption key under the old password can
still decrypt later versions of the document, so consider enabling this setting where a password is
changed in order to revoke someone's access.
You can use the setting that is listed in the following table to remove the ability to add passwords to
documents and, therefore, disallow encryption of documents.
Setting Description
Disable password to open UI: This setting controls whether Office 2010 users can add passwords to
documents. By default, users can add passwords.
Note:
For information about how to configure security settings in the Office Customization Tool (OCT)
and the Office 2010 Administrative Templates, see Configure security for Office 2010
(http://technet.microsoft.com/library/14675abe-a72c-4d01-aa41-ebd35ffc9165(Office.14).aspx).
Compatibility with previous versions of Office
If you have to encrypt Office documents, we recommend that you save the documents as Open XML
Format files (.docx, .xlsx, .pptx, and so on) instead of Office 97-2003 format (.doc, .xls, .ppt, and so
on). The encryption that is used for binary documents (.doc, .xls, .ppt) uses RC4. It is not
recommended, as discussed in Security Considerations sections 4.3.2 and 4.3.3 of the Office
Document Cryptography Structure Specification (http://go.microsoft.com/fwlink/?LinkId=192287).
Documents that are saved in the older Office binary formats can only be encrypted by using RC4, to
maintain compatibility with older versions of Microsoft Office. AES, the default and recommended
encryption algorithm, is used to encrypt Open XML Format files.
Office 2010 and the 2007 Office system let you save documents as Open XML Format files. In addition,
if you have Microsoft Office XP or Office 2003, you can use the Compatibility Pack to save documents
as Open XML Format files.
Documents that are saved as Open XML Format files and encrypted by using Office 2010 can only be
read by Office 2010, Office 2007 SP2, and Office 2003 with the Office 2007 SP2 Compatibility Pack. To
maintain compatibility with earlier 2007 Office system releases that cannot read the Office 2010
format, you can create a DWORD value named CompatMode (if it does not already exist) under
HKCU\Software\Microsoft\Office\14.0\<application>\Security\Crypto\ and set it to 0. The value that you
enter for <application> is the specific Office application that you are configuring this registry value
for; for example, Access, Excel, PowerPoint, or Word. It is important to realize that, when you set
CompatMode to 0, Office 2010 uses an Office 2007 compatible encryption format, instead of the
enhanced security that is provided by default when you use Office 2010 to encrypt Open XML Format
files. If you have to configure this setting for compatibility reasons, we recommend that you also use a
third-party encryption module that allows for enhanced security, such as AES encryption.
If your organization uses the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File
Formats to encrypt Open XML Format files, you should review the following information:
By default, the Compatibility Pack uses the following settings to encrypt Open XML Format files:
Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype),AES 128,128 (on
the Windows XP Professional operating system).
Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128 (on Windows
Server 2003 and Windows Vista operating systems).
Users are not notified that the Compatibility Pack uses these encryption settings.
The graphical user interface on earlier versions of Office might display incorrect encryption settings
for Open XML Format files if the Compatibility Pack is installed.
Users cannot use the graphical user interface in earlier versions of Office to change the encryption
settings for Open XML Format files.
Note:
For the latest information about policy settings, refer to the Microsoft Excel 2010 workbook
Office2010GroupPolicyAndOCTSettings_Reference.xls, which is available in the Files in this
Download section on the Office 2010 Administrative Template files (ADM, ADMX, ADML) and
Office Customization Tool (http://go.microsoft.com/fwlink/?LinkID=189316&clcid=0x409)
download page.
See Also
Security overview for Office 2010
Configure security for Office 2010 (http://technet.microsoft.com/library/14675abe-a72c-4d01-aa41-ebd35ffc9165(Office.14).aspx)
Office Document Cryptography Structure Specification (http://go.microsoft.com/fwlink/?LinkId=192287)
Plan digital signature settings for Office 2010
You can digitally sign documents by using Microsoft Excel 2010, Microsoft PowerPoint 2010, and
Microsoft Word 2010. You can also add a signature line or signature stamp by using Excel 2010,
Microsoft InfoPath 2010, and Word 2010. Microsoft Office 2010 includes support for XAdES (XML
Advanced Electronic Signatures), which is a set of extensions to the XML-DSig standard. This was first
supported in the 2007 Microsoft Office system.
In this article:
What is a digital signature?
Digital certificate: Self-signed or issued by CAs
Using digital signatures
Requirements for digital signatures
To establish these conditions, the content creator must digitally sign the content by creating a signature
that satisfies the following criteria:
The digital signature is valid. A CA that is trusted by the operating system must sign the digital
certificate on which the digital signature is based.
The certificate that is associated with the digital signature is not expired or contains a time stamp
indicating the certificate was valid at the time of signing.
The certificate that is associated with the digital signature is not revoked.
The signing person or organization (known as the publisher) is trusted by the recipient.
Word 2010, Excel 2010, and PowerPoint 2010 detect these criteria for you and warn you if there seems
to be a problem with the digital signature. Information about problematic certificates can easily be
viewed in a certificate task pane that appears in the Office 2010 application. Office 2010 applications let
you add multiple digital signatures to the same document.
Compatibility issues
Office 2010, just as the 2007 Office system, uses the XML-DSig format for digital signatures. In
addition, Office 2010 has added support for XAdES (XML Advanced Electronic Signatures). XAdES is a
set of tiered extensions to XML-DSig, the levels of which build upon the previous to provide more
reliable digital signatures.
For more information about the levels of XAdES that are supported in Office 2010, see Using digital
signatures later in this article. For more information about the details of XAdES, see the specification for
XML Advanced Electronic Signatures (XAdES) (http://go.microsoft.com/fwlink/?LinkId=186631).
It is important to be aware that digital signatures created in Office 2010 are incompatible with versions
of Microsoft Office earlier than the 2007 Office system. For example, if a document is signed by using
an application in Office 2010 or in the 2007 Office system and opened by using an application in
Microsoft Office 2003 that has the Office Compatibility Pack installed, the user will be informed that the
document was signed by a newer version of Microsoft Office and the digital signature will be lost.
The following figure shows a warning that the digital signature is removed when the document is
opened in an earlier version of Office.
Also, if XAdES is used for the digital signature in Office 2010, the digital signature would not be
compatible with the 2007 Office system unless you configure the Group Policy setting, Do not include
XAdES reference object in the manifest, and set it to Disabled. For more information about the
digital signature Group Policy settings, see Configure digital signatures later in this article.
If you need digital signatures created in Office 2010 to be compatible with Office 2003 and earlier
versions, you can configure the Group Policy setting, Legacy format signatures, and set it to
Enabled. This Group Policy setting is located under User Configuration\Administrative
Templates\(ADM\ADMX)\Microsoft Office 2010\Signing. After this setting is set to Enabled, the Office
2010 applications use the Office 2003 binary format to apply digital signatures to Office 97-2003 binary
documents created in Office 2010.
For larger organizations, two primary methods for obtaining digital certificates are available: certificates
that are created by using a corporate PKI and commercial certificates. Organizations that want to share
signed documents only among other employees in the organization might prefer a corporate PKI to
reduce costs. Organizations that want to share signed documents with people outside of their
organization might prefer to use commercial certificates.
Commercial certificates
Commercial certificates are purchased from a company whose line of business is to sell digital
certificates. The main advantage of using commercial certificates is that the commercial certificate
vendor's root CA certificate is already installed on Windows operating systems, which enables these
computers to trust certificates issued by these CAs without any additional configuration. Unlike the
corporate PKI solution, commercial certificates therefore enable you to share your signed documents
with users who do not belong to your organization without first distributing your own root CA
certificate to them.
There are three kinds of commercial certificates:
Class 1: Class 1 certificates are issued to people who have valid e-mail addresses. Class 1
certificates are appropriate for digital signatures, encryption, and electronic access control for
non-commercial transactions where proof of identity is not required.
Class 2: Class 2 certificates are issued to people and devices. Class 2 individual certificates are
appropriate for digital signatures, encryption, and electronic access control in transactions where
proof of identity based on information in the validating database is sufficient. Class 2 device
certificates are appropriate for device authentication; message, software, and content integrity; and
confidentiality encryption.
Class 3: Class 3 certificates are issued to people, organizations, servers, devices, and
administrators for CAs and registration authorities (RAs). Class 3 individual certificates are
appropriate for digital signatures, encryption, and access control in transactions where proof of
identity must be assured. Class 3 server certificates are appropriate for server authentication;
message, software, and content integrity; and confidentiality encryption.
For more information about commercial certificates, see Digital ID Office Marketplace
(http://go.microsoft.com/fwlink/?LinkId=119114).
Using digital signatures
You can digitally sign documents by using Microsoft Excel 2010, Microsoft PowerPoint 2010, and
Microsoft Word 2010. You can also add a signature line or signature stamp by using Excel 2010, Microsoft
InfoPath 2010, and Word 2010. Signing a document with a digital certificate without adding a signature
line or stamp is known as creating an invisible digital signature. Both methods, visible and invisible
digital signatures, use a digital certificate to sign the document; the only difference is the graphical
representation within the document when a visible signature line is used. For more information about
how to add a digital signature, see Add or remove a digital signature in Office files
(http://go.microsoft.com/fwlink/?LinkId=187659).
By default, Office 2010 creates XAdES-EPES digital signatures, whether a self-signed certificate or a
certificate signed by a CA is used during the creation of the digital signature.
The XAdES digital signature levels, based on the XML-DSig digital signature standard, available in
Office 2010 are listed in the following table. Each of the levels builds upon the previous level and
contains all the capabilities of the previous levels. For example, XAdES-X also contains all of the
capabilities of XAdES-EPES, XAdES-T, and XAdES-C, in addition to the new functionality introduced
with XAdES-X.
XAdES-X-L (Extended Long Term): Stores the actual certificate and certificate revocation information
together with the signature. This allows for certificate validation even if the certificate servers are
no longer available.
Time stamp digital signatures
Office 2010 can add a time stamp from a trusted time stamp server to a digital signature, which helps
extend the useful lifespan of the signature. For example, if the certificate that was used to create a
time-stamped digital signature is later revoked, the signature can still be considered valid if the time
stamp shows that the signature was created before the certificate was revoked. To use the time stamp
functionality with digital signatures, you must complete the following:
Set up a time stamp server that is compliant with RFC 3161
Use the Group Policy setting, Specify server name, to enter the location of the time stamp server
on the network.
You can also configure additional time stamp parameters by configuring one or more of the following
Group Policy settings:
Configure time stamping hashing algorithm
Set timestamp server timeout
If you do not configure and enable Configure time stamping hashing algorithm, the default value of
SHA1 is used. SHA-1 is no longer considered collision resistant, so select a stronger algorithm if the
setting and your time stamp server support one. If you do not configure and enable Set timestamp server
timeout, Office 2010 waits 5 seconds for the time stamp server to respond to a request.
Setting: Require OCSP at signature generation time
Description: This policy setting lets you determine whether Office 2010 requires OCSP (Online Certificate
Status Protocol) revocation data for all digital certificates in a chain when digital signatures are
generated.

Setting: Specify minimum XAdES level for digital signature generation
Description: This policy setting lets you specify a minimum XAdES level that Office 2010 applications must
reach in order to create an XAdES digital signature. If the minimum XAdES level cannot be reached, the
Office application does not create the signature.

Setting: Check the XAdES portions of a digital signature
Description: This policy setting lets you specify whether Office 2010 checks the XAdES portions of a digital
signature, if present, when validating a digital signature for a document.

Setting: Do not allow expired certificates when validating signatures
Description: This policy setting lets you configure whether Office 2010 applications accept expired digital
certificates when verifying digital signatures.

Setting: Do not include XAdES reference object in the manifest
Description: This policy setting lets you determine whether an XAdES reference object should appear in the
manifest. You must configure this setting to Enabled (so that the reference object is not included) if
you want the 2007 Office system to be able to read Office 2010 signatures that contain XAdES content;
otherwise, the 2007 Office system will consider signatures that contain XAdES content invalid.

Setting: Select digital signature hashing algorithm
Description: This policy setting lets you configure the hashing algorithm that Office 2010 applications use
to confirm digital signatures.

Setting: Set signature verification level
Description: This policy setting lets you set the verification level that is used by Office 2010 applications
when validating a digital signature.

Setting: Requested XAdES level for signature generation
Description: This policy setting lets you specify a requested or desired XAdES level in creating a digital
signature.
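The XAdES levels, the time stamp, and the Specify minimum XAdES level and Check the XAdES portions settings
above all reason about which XAdES elements a signature part actually contains. The following Python script
is an added example that is not part of this guide or of Office 2010: it classifies the XAdES level of a
package signature by walking the cumulative ladder, checks it against a minimum level, reports whether the
signature covers its XAdES SignedProperties, and can read every signature part out of an OOXML package. It
assumes the XAdES element names from ETSI TS 101 903 and that Office stores package signatures as XML parts
under _xmlsignatures/ in the package. The embedded signature is constructed for illustration with placeholder
digest and signature values, and whether the SignedProperties reference is exactly what Do not include XAdES
reference object in the manifest controls is an assumption.

```python
"""Classify the XAdES level of an Office 2010 package signature (added example)."""
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, Optional

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"
SIGNED_PROPS_TYPE = "http://uri.etsi.org/01903#SignedProperties"

# The XAdES ladder is cumulative: each level adds the listed element(s) inside
# xades:QualifyingProperties on top of the previous level (ETSI TS 101 903).
# Any one of the listed elements is taken as the marker for that level.
LEVELS = [
    ("XAdES-EPES", ("SignaturePolicyIdentifier",)),
    ("XAdES-T",    ("SignatureTimeStamp",)),
    ("XAdES-C",    ("CompleteCertificateRefs",)),
    ("XAdES-X",    ("SigAndRefsTimeStamp", "RefsOnlyTimeStamp")),
    ("XAdES-X-L",  ("CertificateValues",)),
]
LEVEL_RANK = {name: rank for rank, (name, _) in enumerate(LEVELS)}


def xades_level(sig_xml: str) -> Optional[str]:
    """Highest XAdES level whose markers are present; None for plain XML-DSig."""
    root = ET.fromstring(sig_xml)
    reached = None
    for name, markers in LEVELS:
        if not any(root.find(f".//{{{XADES}}}{m}") is not None for m in markers):
            break  # a missing rung ends the ladder even if higher elements appear
        reached = name
    return reached


def meets_minimum(sig_xml: str, minimum: str) -> bool:
    """Mirror of 'Specify minimum XAdES level': does the signature reach it?"""
    level = xades_level(sig_xml)
    return level is not None and LEVEL_RANK[level] >= LEVEL_RANK[minimum]


def has_signed_properties_reference(sig_xml: str) -> bool:
    """True when ds:SignedInfo contains the reference that covers the XAdES
    SignedProperties, i.e. the signed XAdES content is protected by the signature."""
    root = ET.fromstring(sig_xml)
    return any(ref.get("Type") == SIGNED_PROPS_TYPE
               for ref in root.iter(f"{{{DS}}}Reference"))


def package_signature_levels(path: str) -> Dict[str, Optional[str]]:
    """XAdES level of every signature part in an OOXML package (.docx/.xlsx/.pptx).
    Assumes the conventional _xmlsignatures/ part location."""
    levels = {}
    with zipfile.ZipFile(path) as pkg:
        for name in pkg.namelist():
            if name.startswith("_xmlsignatures/") and name.endswith(".xml"):
                levels[name] = xades_level(pkg.read(name).decode("utf-8"))
    return levels


# Constructed sample: the shape of an Office 2010 signature part reduced to the
# elements this example inspects. Digest, signature and token values are placeholders.
SAMPLE_SIG = f"""<ds:Signature xmlns:ds="{DS}" xmlns:xades="{XADES}" Id="idPackageSignature">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#idPackageObject" Type="http://www.w3.org/2000/09/xmldsig#Object">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#idSignedProperties" Type="{SIGNED_PROPS_TYPE}">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  <ds:Object>
    <xades:QualifyingProperties Target="#idPackageSignature">
      <xades:SignedProperties Id="idSignedProperties">
        <xades:SignedSignatureProperties>
          <xades:SigningTime>2010-12-01T12:00:00Z</xades:SigningTime>
          <xades:SignaturePolicyIdentifier><xades:SignaturePolicyImplied/></xades:SignaturePolicyIdentifier>
        </xades:SignedSignatureProperties>
      </xades:SignedProperties>
      <xades:UnsignedProperties>
        <xades:UnsignedSignatureProperties>
          <xades:SignatureTimeStamp>
            <xades:EncapsulatedTimeStamp>cGxhY2Vob2xkZXI=</xades:EncapsulatedTimeStamp>
          </xades:SignatureTimeStamp>
        </xades:UnsignedSignatureProperties>
      </xades:UnsignedProperties>
    </xades:QualifyingProperties>
  </ds:Object>
</ds:Signature>"""

if __name__ == "__main__":
    print(xades_level(SAMPLE_SIG))                       # XAdES-T
    print(meets_minimum(SAMPLE_SIG, "XAdES-X-L"))        # False
    print(has_signed_properties_reference(SAMPLE_SIG))   # True
```

The sample reaches XAdES-T because it carries a signature policy identifier and a time stamp but no complete
certificate or revocation references; removing the time stamp drops it back to XAdES-EPES, which is what Office
2010 creates by default. The ladder check stops at the first missing rung on purpose: a signature that has
CertificateValues but no SignatureTimeStamp is not XAdES-X-L, and a verifier that only looked for the top-level
element would over-report it.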
Additional digital signature related Group Policy settings are listed as follows:
Key Usage Filtering
Set default image directory
EKU filtering
Legacy format signatures
Suppress Office Signing Providers
Suppress external signature services menu item
For more information about each Group Policy setting, see the help files that are contained with the
Administrative Template files for Office 2010. For more information about the Administrative Template
files, see Group Policy overview for Office 2010.
Note:
For the latest information about policy settings, refer to the Microsoft Excel 2010 workbook
Office2010GroupPolicyAndOCTSettings_Reference.xls, which is available in the Files in this
Download section on the Office 2010 Administrative Template files (ADM, ADMX, ADML) and
Office Customization Tool (http://go.microsoft.com/fwlink/?LinkID=189316&clcid=0x409)
download page.
Plan privacy options for Office 2010
If you want to suppress the Welcome to Microsoft Office 2010 dialog box that appears the first time
that a user starts Microsoft Office 2010, you can configure privacy options. The Welcome to Microsoft
Office 2010 dialog box, also known as the Opt-in wizard or the Recommended Settings dialog box,
lets users enable or disable several Internet-based services that help protect and improve Office 2010
applications.
In this article:
About planning privacy options
Suppress the Welcome to Microsoft Office 2010 dialog box
Configure privacy options
Related privacy options
If users select Use Recommended Settings, the following security settings and privacy options are
enabled:
Recommended and important updates are automatically installed for the Windows Vista and newer
operating systems and Office 2010 applications. Users are notified about new optional software.
For Windows XP, high priority updates are installed.
Applications are able to connect to Office.com for updated Help content and can receive targeted
Help content for Office 2010 applications that are installed.
Applications are able to periodically download small files that help determine system problems and
prompt users to send error reports to Microsoft.
Users are signed up for the Customer Experience Improvement Program.
If users select Install Updates Only, recommended and important updates are automatically installed
for the Windows Vista operating system and newer Windows operating systems and for Office 2010
applications. Users are notified about new optional software. For Windows XP, only high priority
updates are installed. However, privacy options are not changed in Office 2010 applications, which
means that the default privacy options take effect. If users select Don't Make Changes, automatic
updating is not changed in the Windows Security Center and privacy options are not changed in Office
2010, which means that the default privacy options take effect.
The default privacy options for Office 2010 applications are as follows:
Office 2010 applications do not connect to Office.com for updated Help content, and the Office
applications installed on the computer are not detected in order to give users improved search results.
Office 2010 applications do not download small programs that help diagnose problems, and error
message information is not sent to Microsoft.
Users are not enrolled in the Customer Experience Improvement Program.
Because the Welcome to Microsoft Office 2010 dialog box lets users enable or disable several
Internet-based services, you might want to prevent the dialog box from appearing and configure these
services individually. If you suppress the dialog box, we recommend that you enable all of the Internet-
based services, which you can do by configuring privacy options.
Note:
For information about how to configure security settings in the Office Customization Tool (OCT)
and the Office 2010 Administrative Templates, see Configure security for Office 2010
(http://technet.microsoft.com/library/14675abe-a72c-4d01-aa41-ebd35ffc9165(Office.14).aspx).
computer to security threats. Therefore, if you enable this setting we recommend that you also enable
all of the privacy options that are discussed in Configure privacy options.
Most organizations enable this setting, including organizations that have a highly restrictive security
environment or a security environment that restricts Internet access.
Guidelines: Most organizations enable this setting, which is the recommended configuration.
Organizations that have a highly restrictive security environment, or a security environment that
restricts Internet access, typically disable this setting.
Setting name: Enable Customer Experience Improvement Program. This Group Policy setting is
located under User Configuration\Administrative Templates\(ADM\ADMX)\Microsoft Office
2010\Privacy\Trust Center.
Description: This setting controls whether users participate in the CEIP to help improve Office 2010.
When users participate in the CEIP, Office 2010 applications automatically send information to
Microsoft about how the applications are used. This information is combined with other CEIP data
to help Microsoft solve problems and improve the products and features customers use most often.
Participating in the CEIP does not collect users' names, addresses, or any other identifying
information except the IP address of the computer that is used to send the data.
Impact: If you enable this setting, users participate in the CEIP.
Guidelines: Most organizations enable this setting, which is the recommended configuration.
Organizations that have a highly restrictive security environment, or a security environment that
restricts Internet access, typically do not enable this setting.
Note:
For the latest information about policy settings, refer to the Microsoft Excel 2010 workbook
Office2010GroupPolicyAndOCTSettings_Reference.xls, which is available in the Files in this
Download section on the Office 2010 Administrative Template files (ADM, ADMX, ADML) and
Office Customization Tool (http://go.microsoft.com/fwlink/?LinkID=189316&clcid=0x409)
download page.
See Also
Security overview for Office 2010
Configure security for Office 2010 (http://technet.microsoft.com/library/14675abe-a72c-4d01-aa41-
ebd35ffc9165(Office.14).aspx)
Plan file block settings for Office 2010
This article provides information about Group Policy and Office Customization Tool (OCT) settings that
you can configure to block specific file format types for Microsoft Excel 2010, Microsoft PowerPoint
2010, and Microsoft Word 2010 users.
In this article:
Blocking file format types by using Group Policy or the OCT
Group Policy and OCT settings
Disabling notifications in the Message Bar does not affect block file format settings. The block file
format warning dialog box appears before any notification appears in the Message Bar.
Note:
The locations in the Group Policy Object Editor presented in this article apply when you
invoke the Group Policy Object Editor to edit a GPO. To edit local Group Policy, use the
Local Group Policy Editor. To edit domain-based Group Policy, use the Group Policy
Management Console (GPMC). Either tool invokes the Group Policy Object Editor when
you edit a GPO. For more information, see Enforce settings by using Group Policy in Office
2010 (http://technet.microsoft.com/library/873a5392-1b1a-47a1-a863-
1f29ef116d0e(Office.14).aspx) and Group Policy overview for Office 2010.
For the OCT, the policy settings are available on the Modify user settings page.
In both Group Policy and the OCT, the paths to the folders that contain the file block settings for
Excel 2010, PowerPoint 2010, and Word 2010 are parallel:
Excel 2010 file block settings:
Microsoft Excel 2010\Excel Options\Security\Trust Center\File Block Settings
PowerPoint 2010 file block settings:
Microsoft PowerPoint 2010\PowerPoint Options\Security\Trust Center\File Block
Settings
Word 2010 file block settings:
Microsoft Word 2010\Word Options\Security\Trust Center\File Block Settings
Note:
By default, users can set default file block settings in the Trust Center user interface (UI) for
Excel 2010, PowerPoint 2010, and Word 2010 (on the File tab, click Options, click Trust
Center, click Trust Center Settings, and then click File Block Settings). You can disable the
file block options in Trust Center options by configuring the settings through Group Policy. If
you configure the settings through the OCT, users will still have the option of specifying file type
behavior through the Trust Center UI. For more information, see What is File Block?
(http://go.microsoft.com/fwlink/?LinkId=195498).
About the Set default file block behavior setting
The Set default file block behavior setting specifies how blocked files open (for example, the file does
not open, opens in Protected View, or opens in Protected View but can be edited). If you enable this
setting, the default file block behavior that you specify applies to any file format that users block in
the Trust Center UI. It also applies to a specific file format if you enable that format's own file block
setting (for more information about individual file format settings, see the tables in this article) and
select the Open/Save blocked, use open policy option. Any other option that you select in an individual
file format setting overrides the Set default file block behavior setting for that file type.
Note:
The options under Open behavior for selected types in the Trust Center UI, under File
Block, map directly to the options in the Set default file block behavior setting. You can
disable these UI options for users by enabling the Set default file block behavior setting in
Group Policy.
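The precedence rules above are easy to misread when you plan a rollout. The following Python script is an
added example, not part of this guide or of Office 2010, that encodes them: the individual option Open/Save
blocked, use open policy defers to Set default file block behavior; any other individual option overrides it;
a disabled or not configured default means blocked files do not open; and a type that policy leaves
unconfigured is governed by whatever the user picks in the Trust Center UI. The planned configuration is
constructed for illustration. The behavior labels, the Effective type, and the treatment of saving for
UI-blocked types (reported as None) are this example's own choices, not Office settings.

```python
"""Effective file block behavior for Excel 2010 file types under a planned policy (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Options of an individual file type setting (Group Policy or OCT)
DO_NOT_BLOCK = "Do not block"
SAVE_BLOCKED = "Save blocked"
USE_OPEN_POLICY = "Open/Save blocked, use open policy"
BLOCK = "Block"
OPEN_PV = "Open in Protected View"
OPEN_PV_EDIT = "Allow editing and open in Protected View"

# Options of 'Set default file block behavior'
DEFAULT_NOT_OPENED = "Blocked files are not opened"
DEFAULT_PV = "Blocked files open in Protected View and cannot be edited"
DEFAULT_PV_EDIT = "Blocked files open in Protected View and can be edited"

# Effective open behaviors (labels chosen for this example, not Office terms)
OPENS = "opens normally"
NO_OPEN = "does not open"
PV_READONLY = "opens in Protected View, editing disabled"
PV_EDIT = "opens in Protected View, editing allowed"

# How a blocked file opens under each default behavior; a disabled or
# not configured default (None) means blocked files are not opened.
_OPEN_UNDER_DEFAULT = {
    DEFAULT_NOT_OPENED: NO_OPEN,
    DEFAULT_PV: PV_READONLY,
    DEFAULT_PV_EDIT: PV_EDIT,
    None: NO_OPEN,
}


@dataclass(frozen=True)
class Effective:
    open_behavior: str
    save_blocked: Optional[bool]  # None: left to the user's Trust Center choice (assumption)


def resolve(type_setting: Optional[str], default_behavior: Optional[str] = None,
            blocked_in_ui: bool = False) -> Effective:
    """Effective behavior of one file type.

    type_setting     option chosen in the type's own setting; None = disabled/not configured
                     (the type is then not blocked by policy and the Trust Center UI applies)
    default_behavior option chosen in 'Set default file block behavior'; None = disabled/
                     not configured
    blocked_in_ui    the user blocked the type in the Trust Center File Block Settings UI
    """
    if type_setting is None:
        if blocked_in_ui:
            return Effective(_OPEN_UNDER_DEFAULT[default_behavior], None)
        return Effective(OPENS, False)
    if type_setting == DO_NOT_BLOCK:
        return Effective(OPENS, False)
    if type_setting == SAVE_BLOCKED:
        return Effective(OPENS, True)
    if type_setting == USE_OPEN_POLICY:
        # The only individual option that defers to the default behavior.
        return Effective(_OPEN_UNDER_DEFAULT[default_behavior], True)
    if type_setting == BLOCK:
        return Effective(NO_OPEN, True)
    if type_setting == OPEN_PV:
        return Effective(PV_READONLY, True)
    if type_setting == OPEN_PV_EDIT:
        return Effective(PV_EDIT, True)
    raise ValueError(f"unknown file block option: {type_setting!r}")


def review(plan: Dict[str, Optional[str]],
           default_behavior: Optional[str] = None) -> Tuple[Dict[str, Effective], List[str]]:
    """Effective behavior for every type in a plan, plus the sorted list of types that
    will still open outside Protected View (the ones to double-check before rollout)."""
    effective = {name: resolve(opt, default_behavior) for name, opt in plan.items()}
    unrestricted = sorted(name for name, eff in effective.items()
                          if eff.open_behavior == OPENS)
    return effective, unrestricted


# Constructed planning example: a subset of the Excel 2010 file block settings.
PLANNED = {
    "Excel 2007 and later workbooks and templates": DO_NOT_BLOCK,
    "Excel 97-2003 workbooks and templates": USE_OPEN_POLICY,
    "Excel 4 macrosheets and add-in files": BLOCK,
    "Web pages and Excel 2003 XML spreadsheets": OPEN_PV,
    "Text files": None,  # not configured by policy
}

if __name__ == "__main__":
    for default in (None, DEFAULT_PV):
        effective, unrestricted = review(PLANNED, default)
        print(f"Set default file block behavior = {default}")
        for name, eff in effective.items():
            print(f"  {name}: {eff.open_behavior}; save blocked: {eff.save_blocked}")
        print("  still open normally:", unrestricted)
```

Running it with the default behavior left not configured shows the trap the article warns about: the
Excel 97-2003 type set to Open/Save blocked, use open policy does not open at all, which may be stricter
than intended, while the two types left at Do not block or unconfigured still open with full editing.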
Excel 2010 file block settings

The options have the same meaning for every file type setting that offers them:
Do not block: The file type is not blocked.
Save blocked: Saving of the file type is blocked.
Open/Save blocked, use open policy: Both opening and saving of the file type are blocked. The file opens
based on the configuration of the Set default file block behavior setting.
Block: Both opening and saving of the file type are blocked, and the file does not open.
Open in Protected View: Both opening and saving of the file type are blocked, and the option to edit the
file type is disabled.
Allow editing and open in Protected View: Both opening and saving of the file type are blocked, and the
option to edit is enabled.

Setting name: Set default file block behavior
File format extension: Blocked file formats set by users in the Trust Center UI; individual file types, if
you enable the type's setting and select Open/Save blocked, use open policy
If you enable this setting, you can select one of: Blocked files are not opened; Blocked files open in
Protected View and cannot be edited; Blocked files open in Protected View and can be edited. Note:
individual file type settings override this setting.
If you disable or do not configure this setting: Blocked files are not opened (users cannot open blocked
files).

Setting name: Excel 2007 and later workbooks and templates
File format extension: *.xlsx, *.xltx
If you enable this setting, you can select one of: Do not block; Save blocked; Open/Save blocked, use
open policy; Block; Open in Protected View; Allow editing and open in Protected View
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Excel 2007 and later macro-enabled workbooks and templates
File format extension: *.xlsm, *.xltm
If you enable this setting, you can select one of: Do not block; Save blocked; Open/Save blocked, use
open policy; Block; Open in Protected View; Allow editing and open in Protected View
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Excel 2007 and later add-in files
File format extension: *.xlam
If you enable this setting, you can select one of: Do not block; Save blocked; Open/Save blocked, use
open policy
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Excel 2007 and later binary workbooks
File format extension: *.xlsb
If you enable this setting, you can select one of: Do not block; Save blocked; Open/Save blocked, use
open policy; Block; Open in Protected View; Allow editing and open in Protected View
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Excel 97-2003 add-in files
File format extension: *.xls, *.xla, *.xlt, *.xlm, *.xlw, *.xlb
If you enable this setting, you can select one of: Do not block; Save blocked; Open/Save blocked, use
open policy
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Excel 97-2003 workbooks and templates
File format extension: *.xls, *.xla, *.xlt, *.xlm, *.xlw, *.xlb
If you enable this setting, you can select one of: Do not block; Save blocked; Open/Save blocked, use
open policy; Block; Open in Protected View; Allow editing and open in Protected View
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Excel 95-97 workbooks and templates
File format extension: *.xls, *.xla, *.xlt, *.xlm, *.xlw, *.xlb
If you enable this setting, you can select one of: Do not block; Open/Save blocked, use open policy;
Block; Open in Protected View; Allow editing and open in Protected View
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Excel 95 workbooks
File format extension: *.xls, *.xla, *.xlt, *.xlm, *.xlw, *.xlb
If you enable this setting, you can select one of: Do not block; Save blocked; Open/Save blocked, use
open policy; Block; Open in Protected View; Allow editing and open in Protected View
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Excel 4 workbooks
File format extension: *.xls, *.xla, *.xlt, *.xlm, *.xlw, *.xlb
If you enable this setting, you can select one of: Do not block; Open/Save blocked, use open policy;
Block; Open in Protected View; Allow editing and open in Protected View
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Excel 4 worksheets
File format extension: *.xls, *.xla, *.xlt, *.xlm, *.xlw, *.xlb
If you enable this setting, you can select one of: Do not block; Open/Save blocked, use open policy;
Block; Open in Protected View; Allow editing and open in Protected View
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Excel 3 worksheets
File format extension: *.xls, *.xla, *.xlt, *.xlm, *.xlw, *.xlb
If you enable this setting, you can select one of: Do not block; Open/Save blocked, use open policy;
Block; Open in Protected View; Allow editing and open in Protected View
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Excel 2 worksheets
File format extension: *.xls, *.xla, *.xlt, *.xlm, *.xlw, *.xlb
If you enable this setting, you can select one of: Do not block; Open/Save blocked, use open policy;
Block; Open in Protected View; Allow editing and open in Protected View
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Excel 4 macrosheets and add-in files
File format extension: *.xls, *.xla, *.xlt, *.xlm, *.xlw, *.xlb
If you enable this setting, you can select one of: Do not block; Open/Save blocked, use open policy;
Block; Open in Protected View; Allow editing and open in Protected View
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Excel 3 macrosheets and add-in files
File format extension: *.xls, *.xla, *.xlt, *.xlm, *.xlw, *.xlb
If you enable this setting, you can select one of: Do not block; Open/Save blocked, use open policy;
Block; Open in Protected View; Allow editing and open in Protected View
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Excel 2 macrosheets and add-in files
File format extension: *.xls, *.xla, *.xlt, *.xlm, *.xlw, *.xlb
If you enable this setting, you can select one of: Do not block; Open/Save blocked, use open policy;
Block; Open in Protected View; Allow editing and open in Protected View
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Web pages and Excel 2003 XML spreadsheets
File format extension: *.mht, *.mhtml, *.htm, *.html, *.xml, *.xlmss
If you enable this setting, you can select one of: Do not block; Save blocked; Open/Save blocked, use
open policy; Block; Open in Protected View; Allow editing and open in Protected View
If you disable or do not configure this setting: File format type is not blocked.

Setting name: XML files
File format extension: *.xml
If you enable this setting, you can select one of: Do not block; Save blocked; Open/Save blocked, use
open policy
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Text files
File format extension: *.txt, *.csv, *.prn
If you enable this setting, you can select one of: Do not block; Save blocked; Open/Save blocked, use
open policy
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Excel add-in files
File format extension: *.xll (.dll)
If you enable this setting, you can select one of: Do not block; Open/Save blocked, use open policy
If you disable or do not configure this setting: File format type is not blocked.

Setting name: dBase III / IV files
File format extension: *.dbf
If you enable this setting, you can select one of: Do not block; Open/Save blocked, use open policy
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Microsoft Office query files
File format extension: *.iqy, *.dqy, *.oqy, *.rqy
If you enable this setting, you can select one of: Do not block; Save blocked; Open/Save blocked, use
open policy; Block; Open in Protected View; Allow editing and open in Protected View
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Microsoft Office data connection files
File format extension: *.odc
If you enable this setting, you can select one of: Do not block; Open/Save blocked, use open policy
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Other data source files
File format extension: *.udl, *.dsn, *.mdb
If you enable this setting, you can select one of: Do not block; Open/Save blocked, use open policy
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Offline cube files
File format extension: *.cub
If you enable this setting, you can select one of: Do not block; Open/Save blocked, use open policy
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Dif and Sylk files
File format extension: *.dif, *.slk
If you enable this setting, you can select one of: Do not block; Save blocked; Open/Save blocked, use
open policy
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Legacy converters for Excel
File format extension: All file formats that are opened through a converter
If you enable this setting, you can select one of: Do not block; Open/Save blocked, use open policy;
Block; Open in Protected View; Allow editing and open in Protected View
If you disable or do not configure this setting: File format type is not blocked.

Setting name: Microsoft Office Open XML converters for Excel
File format extension: All file formats that are opened through an OOXML converter
If you enable this setting, you can select one of: Do not block; Save blocked; Open/Save blocked, use
open policy; Block; Open in Protected View; Allow editing and open in Protected View
If you disable or do not configure this setting: File format type is not blocked.
Set default file block behavior (PowerPoint)
File format extension: Blocked file formats set by users in the Trust Center UI, and individual file types whose setting you enable with the option Open/Save blocked, use open policy.
If you enable this setting, you can select one of the following options: Blocked files are not opened; Blocked files open in Protected View and cannot be edited; Blocked files open in Protected View and can be edited.
If you disable or do not configure this setting: Blocked files are not opened (users cannot open blocked files).
Note: Individual file type settings override this setting.

The remaining PowerPoint settings share one set of options. If you enable a setting, you can select one of the options listed for it; the options mean the following:
Do not block: The file type is not blocked.
Save blocked: Saving of the file type is blocked.
Open/Save blocked, use open policy: Both opening and saving of the file type is blocked. The file opens based on the configuration of the Set default file block behavior setting.
Block: Both opening and saving of the file type is blocked, and the file does not open.
Open in Protected View: Both opening and saving of the file type is blocked, and the option to edit the file type is disabled.
Allow editing and open in Protected View: Both opening and saving of the file type is blocked, and the option to edit is enabled.
If you disable or do not configure any of these settings, the file format type is not blocked.

Setting name (file format extension): options available if you enable the setting
PowerPoint 2007 and later presentations, shows, templates, themes, and add-ins (*.pptx, *.pptm, *.potx, *.ppsx, *.ppam, *.thmx, *.xml): all six options.
PowerPoint 97-2003 presentations, shows, templates and add-in files (*.ppt, *.pot, *.pps, *.ppa): all six options.
Web pages (*.mht, *.mhtml, *.htm, *.html): all six options.
Outline files (*.rtf, *.txt, *.doc, *.wpd, *.docx, *.docm, *.wps): Do not block; Save blocked; Open/Save blocked, use open policy.
Legacy converters for PowerPoint (presentation files older than PowerPoint 97): all six options.
Graphic Filters (*.jpg, *.png, *.tif, *.bmp, *.wmf, *.emf): Do not block; Save blocked.
Microsoft Office Open XML converters for PowerPoint (all file formats that are opened through an OOXML converter): all six options.
Set default file block behavior (Word)
File format extension: Blocked file formats set by users in the Trust Center UI, and individual file types whose setting you enable with the option Open/Save blocked, use open policy.
If you enable this setting, you can select one of the following options: Blocked files are not opened; Blocked files open in Protected View and cannot be edited; Blocked files open in Protected View and can be edited.
If you disable or do not configure this setting: Blocked files are not opened (users cannot open blocked files).
Note: Individual file type settings override this setting.

The remaining Word settings share one set of options. If you enable a setting, you can select one of the options listed for it; the options mean the following:
Do not block: The file type is not blocked.
Save blocked: Saving of the file type is blocked.
Open/Save blocked, use open policy: Both opening and saving of the file type is blocked. The file opens based on the configuration of the Set default file block behavior setting.
Block: Both opening and saving of the file type is blocked, and the file does not open.
Open in Protected View: Both opening and saving of the file type is blocked, and the option to edit the file type is disabled.
Allow editing and open in Protected View: Both opening and saving of the file type is blocked, and the option to edit is enabled.
If you disable or do not configure any of these settings, the file format type is not blocked.

Setting name (file format extension): options available if you enable the setting
Word 2007 and later documents and templates (*.docx, *.dotx, *.docm, *.dotm, *.xml as Word Flat Open XML): all six options.
OpenDocument text files (*.odt): all six options.
Word 2007 and later binary documents and templates (*.doc, *.dot): all six options.
Word 2003 binary documents and templates (*.doc, *.dot): Do not block; Open/Save blocked, use open policy; Block; Open in Protected View; Allow editing and open in Protected View.
Word 2003 and plain XML documents (*.xml): all six options.
Word XP binary documents and templates (*.doc, *.dot): Do not block; Open/Save blocked, use open policy; Block; Open in Protected View; Allow editing and open in Protected View.
Word 2000 binary documents and templates (*.doc, *.dot): Do not block; Open/Save blocked, use open policy; Block; Open in Protected View; Allow editing and open in Protected View.
Word 97 binary documents and templates (*.doc, *.dot): Do not block; Open/Save blocked, use open policy; Block; Open in Protected View; Allow editing and open in Protected View.
Word 95 binary documents and templates (*.doc, *.dot): Do not block; Open/Save blocked, use open policy; Block; Open in Protected View; Allow editing and open in Protected View.
Word 6.0 binary documents and templates (*.doc, *.dot): Do not block; Open/Save blocked, use open policy; Block; Open in Protected View; Allow editing and open in Protected View.
Word 2.0 and earlier binary documents and templates (*.doc, *.dot): Do not block; Open/Save blocked, use open policy; Block; Open in Protected View; Allow editing and open in Protected View.
Web pages (*.htm, *.html): Do not block; Open/Save blocked, use open policy; Block; Open in Protected View; Allow editing and open in Protected View.
RTF files (*.rtf): all six options.
Plain text files (*.txt): Do not block; Save blocked; Open/Save blocked, use open policy.
Legacy converters for Word (all file formats that are opened through a converter): all six options.
Office Open XML converters for Word (all file formats that are opened through an OOXML converter): all six options.
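The override rule in the Set default file block behavior rows (a per-type setting of Open/Save blocked, use open policy defers to the default; every other per-type option wins) is easy to misread when a deployed policy is read back from a client. The following PowerShell is an added example, not part of the Office 2010 Resource Kit: it encodes the six per-type options and the three default behaviors from the tables above in one resolver, prints the full matrix, and audits the current user's settings for one application. The registry location HKCU:\Software\Microsoft\Office\14.0\<App>\Security\FileBlock, the value name OpenInProtectedView for the default behavior, and the numeric codes 0 to 5 in the order the options appear above are assumptions not stated on this page; confirm them on a reference machine by setting a known option through the Office Customization Tool or the Trust Center and exporting the key.

```powershell
# Added example (not from the Office 2010 Resource Kit). Assumptions, not stated
# on this page: per-type settings are DWORDs under
#   HKCU:\Software\Microsoft\Office\14.0\<App>\Security\FileBlock
# with codes 0..5 in the order the options are listed in the tables, and the
# "Set default file block behavior" value is named OpenInProtectedView (0..2).
$FileBlockOption = @{
    0 = 'Do not block'
    1 = 'Save blocked'
    2 = 'Open/Save blocked, use open policy'
    3 = 'Block'
    4 = 'Open in Protected View'
    5 = 'Allow editing and open in Protected View'
}
$DefaultBehavior = @{
    0 = 'Blocked files are not opened'
    1 = 'Blocked files open in Protected View and cannot be edited'
    2 = 'Blocked files open in Protected View and can be edited'
}

function Resolve-FileBlockBehavior {
    # Returns what a user can actually do with a file of this type, given the
    # per-type option and the default behavior. Only option 2 consults the
    # default; every other option overrides it, as the tables state.
    param(
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$TypeSetting,
        [ValidateRange(0, 2)][int]$Default = 0   # 0 is also the "disabled / not configured" behavior
    )
    $r = [ordered]@{
        Option        = $FileBlockOption[$TypeSetting]
        CanOpen       = $false
        ProtectedView = $false
        CanEdit       = $false
        CanSave       = $false
    }
    switch ($TypeSetting) {
        0 { $r.CanOpen = $true; $r.CanEdit = $true; $r.CanSave = $true }
        1 { $r.CanOpen = $true; $r.CanEdit = $true }     # opens and edits, but cannot be saved in this format
        2 {
            if ($Default -ge 1) { $r.CanOpen = $true; $r.ProtectedView = $true }
            if ($Default -eq 2) { $r.CanEdit = $true }
        }
        3 { }                                             # the file does not open
        4 { $r.CanOpen = $true; $r.ProtectedView = $true }
        5 { $r.CanOpen = $true; $r.ProtectedView = $true; $r.CanEdit = $true }
    }
    [pscustomobject]$r
}

function Get-FileBlockMatrix {
    # All 18 combinations, as a reference card to review before rolling out a policy.
    foreach ($d in 0..2) {
        foreach ($t in 0..5) {
            Resolve-FileBlockBehavior -TypeSetting $t -Default $d |
                Select-Object @{ n = 'DefaultBehavior'; e = { $DefaultBehavior[$d] } }, *
        }
    }
}

function Get-FileBlockAudit {
    # Reads the deployed per-type values for one application and resolves each
    # against the deployed default. Value names are reported as found in the
    # key, so no per-type value names are hard-coded here.
    param([ValidateSet('Word', 'Excel', 'PowerPoint')][string]$App = 'Word')
    $key = "HKCU:\Software\Microsoft\Office\14.0\$App\Security\FileBlock"   # assumed location
    if (-not (Test-Path $key)) {
        Write-Warning "$key is absent: no file block policy is deployed for $App, so every type resolves as 'Do not block'."
        return
    }
    $props   = Get-ItemProperty -Path $key
    $default = if ($null -ne $props.OpenInProtectedView) { [int]$props.OpenInProtectedView } else { 0 }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Name -ne 'OpenInProtectedView' -and
                       $_.Value -is [int] -and $_.Value -ge 0 -and $_.Value -le 5 } |
        ForEach-Object {
            $b = Resolve-FileBlockBehavior -TypeSetting $_.Value -Default $default
            [pscustomobject]@{
                App = $App; FileType = $_.Name; Option = $b.Option
                CanOpen = $b.CanOpen; ProtectedView = $b.ProtectedView
                CanEdit = $b.CanEdit; CanSave = $b.CanSave
                DefaultBehavior = $DefaultBehavior[$default]
            }
        }
}

Get-FileBlockMatrix | Format-Table -AutoSize
Get-FileBlockAudit -App Word | Format-Table -AutoSize
```

Run the matrix first: the rows for option 2 are the only ones whose CanOpen and CanEdit columns change with the default, which is the override rule stated in the Note above. Run the audit on a machine after Group Policy has applied, and treat any legacy binary format that resolves to CanOpen with CanEdit and no Protected View as a setting to review.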
See Also
Plan security for Office 2010
Group Policy overview for Office 2010
Enforce settings by using Group Policy in Office 2010
Office Customization Tool in Office 2010
Plan for Information Rights Management in
Office 2010
In many businesses, sensitive information such as employee medical and financial records, payroll
information, and private personal data is protected only by limiting access to the networks or computers
where the information is stored. Information Rights Management (IRM) technology in Microsoft Office
2010 helps organizations and information workers control sensitive information electronically by
enabling users to specify permissions for accessing and using documents and messages.
This article contains a summary of IRM technology and how it works in Office applications, together
with links to more information about how to set up and install the required servers and software to
implement IRM in Office 2010.
In this article:
IRM overview
How IRM works in Office 2010
Setting up IRM for Office 2010
Configuring IRM settings for Office 2010
Configuring IRM settings for Outlook 2010
IRM overview
Information Rights Management (IRM) is a persistent file-level technology from Microsoft that uses
permissions and authorization to help prevent sensitive information from being printed, forwarded, or
copied by unauthorized people. Once permission for a document or message is restricted by using this
technology, the usage restrictions travel with the document or e-mail message as part of the contents of
the file.
Note
The ability to create content or e-mail messages that have restricted permission by using IRM
is available in Microsoft Office Professional Plus 2010, and in the stand-alone versions of
Microsoft Excel 2010, Microsoft Outlook 2010, Microsoft PowerPoint 2010, Microsoft InfoPath
2010, and Microsoft Word 2010. IRM content that is created in Office 2010 can be viewed in
Microsoft Office 2003, the 2007 Microsoft Office system, or Office 2010.
For more information about IRM and Active Directory Rights Management Services (AD RMS)
features that are supported in Office 2010, Office 2007, and Office 2003, see AD RMS and
Microsoft Office Deployment Considerations (http://go.microsoft.com/fwlink/?LinkId=153314).
IRM support in Office 2010 helps organizations and knowledge workers address two fundamental
needs:
Restricted permission for sensitive information: IRM helps prevent sensitive information from
unauthorized access and reuse. Organizations rely on firewalls, logon security-related measures,
and other network technologies to help protect sensitive intellectual property. A basic limitation of
using these technologies is that legitimate users who have access to the information can share it
with unauthorized people. This could lead to a potential breach of security policies.
Information privacy, control, and integrity: Information workers often work with confidential or
sensitive information. By using IRM, employees do not have to depend on the discretion of other
people to ensure that sensitive materials remain inside the company. IRM eliminates users' ability
to forward, copy, or print confidential information by helping to disable those functions in documents
and messages that use restricted permission.
For information technology (IT) managers, IRM helps enable the enforcement of existing corporate
policies about document confidentiality, workflow, and e-mail retention. For CEOs and security officers,
IRM reduces the risk of having key company information fall into the hands of the wrong people,
whether by accident, thoughtlessness, or through malicious intent.
functionality is already available. The Active Directory Rights Management Services client software is
included with these operating systems.
In Office 2010, organizations can create the permissions policies that appear in Office applications. For
example, you might define a permission policy named Company Confidential, which specifies that
documents or e-mail messages that use the policy can only be opened by users inside the company
domain. There is no limit to the number of permission policies that can be created.
Note:
Windows SharePoint Services 3.0 supports using IRM on documents that are stored in
document libraries. By using IRM in Windows SharePoint Services, you can control which
actions users can take on documents when they open them from libraries in Windows
SharePoint Services 3.0. This differs from IRM applied to documents stored on client
computers, where the owner of a document can choose which rights to assign to each user of
the document. For more information about how to use IRM with document libraries, see Plan
document libraries (Windows SharePoint Services)
(http://go.microsoft.com/fwlink/?LinkId=183051).
With AD RMS on Windows Server 2008, users can share rights-protected documents between
companies that have a federated trust relationship. For more information, see Active Directory Rights
Management Services Overview (http://go.microsoft.com/fwlink/?LinkId=183052) and Federating AD
RMS (http://go.microsoft.com/fwlink/?LinkId=183053).
Also with AD RMS, Microsoft Exchange Server 2010 offers new IRM-protected e-mail functionality
including AD RMS protection for Unified Messaging voice mail messages and Microsoft Outlook
protection rules that can automatically apply IRM-protection to messages in Outlook 2010 before they
leave the Microsoft Outlook client. For more information, see What's New in Exchange 2010
(http://go.microsoft.com/fwlink/?LinkId=183062) and Understanding Information Rights Management:
Exchange 2010 Help (http://go.microsoft.com/fwlink/?LinkId=183063).
For more information about how to install and configure RMS servers, see Windows Server 2003 Rights
Management Services (RMS) (http://go.microsoft.com/fwlink/?LinkId=73121) and Windows Server 2008
Active Directory Rights Management Services (http://go.microsoft.com/fwlink/?LinkId=180006).
Setting up IRM for Office 2010
Applying IRM permissions to documents or e-mail messages requires the following:
Access to RMS for Windows Server 2003 or AD RMS for Windows Server 2008 to authenticate
permissions. Or, authentication can be managed by using the Windows Live ID service on the
Internet.
Rights Management (RM) client software. RM client software is included in Windows Vista and later
versions or available as an add-in for Windows XP and Windows Server 2003.
Microsoft Office 2003, 2007 Microsoft Office system, or Office 2010. Only specific versions of Office
enable users to create IRM permissions.
For information about how to create, configure, and post custom permissions policy templates, see
Windows Server 2003 Rights Management Services (RMS)
(http://go.microsoft.com/fwlink/?LinkId=73121) and Windows Server 2008 AD RMS Rights Policy
Templates Deployment Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=183068). For
Exchange Server 2010 Outlook protection rules, see Understanding Outlook Protection Rules:
Exchange 2010 Help (http://go.microsoft.com/fwlink/?LinkId=183067). The rights that you can include in
permissions policy templates for Office 2010 are listed in the following sections.
Permissions rights
Each IRM permissions right listed in the following table can be enforced by Office 2010 applications
configured on a network that includes a server that runs RMS or AD RMS.
Full Control: Gives the user every right listed in this table, and the right to change permissions that are associated with content. Expiration does not apply to users who have Full Control.
View: Allows the user to open IRM content. This corresponds to Read Access in the Office 2010 user interface.
Extract: Allows the user to make a copy of any part of a file and paste that part of the file into the work area of another application.
Export: Allows the user to save content in another file format by using the Save As command. Depending on the application that uses the file format that you select, the content might be saved without protection.
Allow Macros: Allows the user to run macros against the contents of a file.
Forward: Allows an e-mail recipient to forward an IRM e-mail message and to add or remove recipients from the To: and Cc: lines.
Reply All: Allows e-mail recipients to reply to all users on the To: and Cc: lines of an IRM e-mail message.
View Rights: Gives the user permission to view the rights associated with a file. Office ignores this right.
Predefined groups of permissions
Office 2010 provides the following predefined groups of rights that users can choose from when they
create IRM content. The options are available in the Permission dialog box for Word 2010, Excel 2010,
and PowerPoint 2010. In the Office application, click the File tab, click Info, click the Protect
Document button, select Restrict Permission by People, click Restrict Access, and then click
Restrict permission to this document to enable the permission options listed in the following table.
In Outlook 2010, users can select the following predefined group of rights when they create an e-mail
item. The option is accessed from the e-mail by clicking the File tab, Info, and then Set Permissions.
Advanced permissions
Other IRM permissions can be specified in the advanced Permission dialog box in Word 2010, Excel
2010, and PowerPoint 2010. In the initial Permission dialog box, click More Options. For example,
users can specify an expiration date, let other users to print or copy content, and so on.
By default, Outlook enables messages to be viewed by a browser that supports Rights Management.
Configuring IRM settings for Office 2010
You can lock down many settings to customize IRM by using the Office Group Policy template
(Office14.adm). You can also use the Office Customization Tool (OCT) to configure default settings,
which enables users to configure the settings. In addition, there are IRM configuration options that can
only be configured by using registry key settings.
The OCT settings are in corresponding locations on the Modify user settings page of the OCT.
IRM option: Description
Active Directory time-out for querying one entry for group expansion: Specify the time-out value for querying an Active Directory entry when expanding a group.
Additional permissions request URL: Specify the location where a user can obtain more information about how to access the IRM content.
Allow users with earlier versions of Office to read with browsers: Enable users without Office 2010 to view rights-managed content by using the Rights Management Add-in for Windows Internet Explorer.
Always expand groups in Office when restricting permission for documents: The group name is automatically expanded to display all the members of the group when users apply permissions to a document by selecting a group name in the Permission dialog box.
Always require users to connect to verify permission: Users opening a rights-managed Office document must connect to the Internet or local area network to confirm by RMS or Windows Live ID that they have a valid IRM license.
Disable Microsoft Passport service for content with restricted permission: If enabled, users cannot open content created by a Windows Live ID authenticated account.
Never allow users to specify groups when restricting permission for documents: Return an error when users select a group in the Permission dialog box: "You cannot publish content to Distribution Lists. You may only specify e-mail addresses for individual users."
Prevent users from changing permission on rights managed content: If enabled, users can consume content that already includes IRM permissions, but cannot apply IRM permissions to new content nor configure the rights on a document.
Specify Permission Policy Path: Display in the Permission dialog box the permission policy templates found in the folder that is specified.
Turn off Information Rights Management user interface: Disable all Rights Management-related options within the user interface of all Office applications.
URL for location of document templates displayed when applications do not recognize rights-managed documents: Provide the path of a folder that contains customized plain-text wrapper templates to be used by previous versions of Office that do not support rights-managed content.
For more information about how to customize these settings, see Configure Information Rights Management in Office 2010 (http://technet.microsoft.com/library/27c84179-87fd-483e-a34d-806c4646ce9d(Office.14).aspx).
Registry entry: RequestPermission
Type: DWORD
Value: 1 = The box is checked. 0 = The box is cleared.
Description: This registry key toggles the default value of the Users can request additional permissions from check box.

Registry entry: DRMEncryptProperty
Type: DWORD
Value: 1 = The file metadata is encrypted. 0 = The metadata is stored in plaintext. The default value is 0.
Description: Specify whether to encrypt all metadata stored inside a rights-managed file.
For Open XML Formats (for example, .docx, .xlsx, and .pptx), users can decide whether to encrypt the
Microsoft Office metadata stored inside a rights-managed file. Users can either encrypt all Office
metadata, including hyperlink references, or leave the metadata unencrypted so that other applications
can access the data.
Users choose whether to encrypt the metadata by setting a registry key, and you can set a default for
users by deploying that registry setting. There is no option for encrypting only some of the metadata:
either all metadata is encrypted or none is.
In addition, the DRMEncryptProperty registry setting does not determine whether non-Office client
metadata storage, such as the storage that is created in Microsoft SharePoint 2010 Products, is
encrypted.
This encryption choice does not apply to Microsoft Office 2003 or other earlier file formats. Office
2010 handles earlier formats in the same manner as the 2007 Office system and Microsoft Office 2003.
Note:
To disable IRM in Outlook, you must disable IRM for all Office applications. There is no
separate option to disable IRM only in Outlook.
For more information about how to customize these settings, see Configure Information Rights Management in Office 2010 (http://technet.microsoft.com/library/27c84179-87fd-483e-a34d-806c4646ce9d(Office.14).aspx).
See Also
Configure Information Rights Management in Office 2010
(http://technet.microsoft.com/library/27c84179-87fd-483e-a34d-806c4646ce9d(Office.14).aspx)
Windows Server 2003 Rights Management Services (RMS)
(http://go.microsoft.com/fwlink/?LinkId=73121)
Windows Server 2008 Active Directory Rights Management Services
(http://go.microsoft.com/fwlink/?LinkId=180006)
Understanding Information Rights Management: Exchange 2010 Help
(http://go.microsoft.com/fwlink/?LinkId=183062)
Plan document libraries (Windows SharePoint Services)
(http://go.microsoft.com/fwlink/?LinkId=183051)
Security articles for end users (Office 2010)
IT pros can share the Microsoft Office 2010 security resources that are listed in this article with end
users in their organizations. These resources include articles, videos, and training courses that are
designed to assist end users who use Office 2010 applications. The resources are listed in a series of
tables that are organized into the following categories:
Overview
New Security Features
Outlook/Access/Excel/PowerPoint/Visio/Word
Access only
To see a list of all security and privacy related articles for a specific program, such as Word,
PowerPoint, or another Office program, go to the Office.com
(http://go.microsoft.com/fwlink/?LinkId=205394) website, select the support tab, select All Support,
select the application you want, and then select Security and privacy.
Overview
Office 2010 Security: Protecting your files (http://go.microsoft.com/fwlink/?LinkId=202501): Self-paced training that assists the user in becoming familiar with the security features that help protect files in Microsoft Excel 2010, Microsoft PowerPoint 2010, and Microsoft Word 2010.
View my options and settings in the Trust Center (http://go.microsoft.com/fwlink/?LinkId=202800): Discusses the Trust Center, where you can find security and privacy settings for Office 2010 programs.
New Security Features
Office 2010 Security video: file validation (http://go.microsoft.com/fwlink/?LinkId=202789): Office File Validation, a new security feature in Office 2010 that helps protect your computer by scanning and validating Office binary file formats before they are opened.
Outlook
How Outlook helps protect you from viruses, spam, and phishing (http://go.microsoft.com/fwlink/?LinkId=202522): Describes how Outlook 2010 helps protect your computer from viruses, spam, and phishing.
Introduction to IRM for e-mail messages (http://go.microsoft.com/fwlink/?LinkId=203142): Explains what Information Rights Management (IRM) is and how you can use it to restrict permission to content in e-mail messages in Microsoft Outlook.
Enable or disable ActiveX settings in Office files (http://go.microsoft.com/fwlink/?LinkId=202803): Explains how to work with ActiveX controls that are in your files, how to change their settings, and how to enable or disable them by using the Message Bar and the Trust Center.
Enable or disable macros in Office files (http://go.microsoft.com/fwlink/?LinkId=202804): Describes the risks involved when you work with macros, and how to enable or disable macros in the Trust Center.
Add, remove, or modify a trusted location for your files (http://go.microsoft.com/fwlink/?LinkId=202806): Describes trusted locations, how and where you can create them, and the precautions that you should take before you use a trusted location.
Active content types in your files (http://go.microsoft.com/fwlink/?LinkId=202807): Lists active-content types that can be blocked by the Trust Center and cause Message Bars to appear when you open files. Active content types include macros, add-ins, and data connections.
Access only
Introduction to Access 2010 security (http://go.microsoft.com/fwlink/?LinkId=204464): Summarizes the security features that are offered by Access 2010, and explains how to use the tools that Access provides for helping to secure a database.
Decide whether to trust a database (http://go.microsoft.com/fwlink/?LinkId=204613): Discusses how trust works in Access 2010, how it differs from security in earlier versions of Access, and what factors you should consider when you decide whether to trust a database.
Set or change Access 2003 user-level security in Access 2010 (http://go.microsoft.com/fwlink/?LinkId=204614): Explains how the Access 2003 security features work, and how to start and use them in Access 2010.
How database objects behave when trusted and untrusted (http://go.microsoft.com/fwlink/?LinkId=204615): Explains how, by default, Access 2010 disables several database objects unless you apply a digital signature to them or you place the database in a trusted location. The article also lists the components that Access disables.
Show trust by adding a digital signature (http://go.microsoft.com/fwlink/?LinkId=204616): Explains how to create your own security certificate to show that you believe that a database is safe and that its content can be trusted.
Plan Group Policy for Office 2010
Group Policy is an infrastructure that is used to deliver and apply one or more desired configurations or
policy settings to a set of targeted users and computers in an Active Directory directory service
environment. The Group Policy infrastructure consists of a Group Policy engine and several individual
extensions. These extensions are used to configure Group Policy settings, either by modifying the
registry through the Administrative Templates extension, or setting Group Policy settings for security
settings, software installation, folder redirection, Internet Explorer Maintenance, wireless network
settings, and other areas. This section provides information for IT administrators who plan to use Group
Policy to configure and enforce settings for Microsoft Office 2010 applications.
In this section:
Group Policy overview for Office 2010: Provides a brief overview of how to use Group Policy to configure and enforce settings for Office 2010 applications.
Planning for Group Policy in Office 2010: Discusses the key planning steps for managing Office 2010 applications by using Group Policy.
FAQ: Group Policy (Office 2010): Provides answers to common questions about how Group Policy works with Office 2010.
Downloadable book: Group Policy for Office 2010: Provides a description of and a link to the downloadable book Group Policy for Office 2010.
Group Policy overview for Office 2010
This article provides a brief overview of Group Policy concepts. The intended audience for this article is
the IT administrator who plans to use Group Policy to configure and enforce settings for Microsoft Office
2010 applications.
In this article:
Local and Active Directory-based Group Policy
Group Policy processing
Changing how Group Policy processes GPOs
Administrative Templates
True policies vs. user preferences
Group Policy management tools
Office Customization Tool and Group Policy
GPOs. However, settings in domain GPOs always take precedence, because they are processed after
the local GPO.
Note:
Windows Vista, Windows Server 2008, and Windows 7 provide support for managing multiple
local GPOs on stand-alone computers. For more information, see Step-by-Step Guide to
Managing Multiple Local Group Policy Objects (http://go.microsoft.com/fwlink/?LinkId=182215).
Although you can configure local GPOs on individual computers, maximum benefits of Group Policy are
obtained in a Windows Server 2003 or Windows Server 2008-based network that has Active Directory
installed.
At any domain or OU, Group Policy inheritance can be selectively designated as Block
Inheritance. However, because Enforced GPOs are always applied and cannot be blocked,
blocking inheritance does not prevent the application of policy settings from Enforced GPOs.
Policy inheritance
Policy settings in effect for a user and computer are the result of the combination of GPOs applied at a
site, domain, or OU. When multiple GPOs apply to users and computers in those Active Directory
containers, the settings in the GPOs are aggregated. By default, settings deployed in GPOs linked to
higher-level containers (parent containers) in Active Directory are inherited to child containers and
combine with settings deployed in GPOs linked to the child containers. If multiple GPOs attempt to set a
policy setting that has conflicting values, the GPO with the highest precedence sets the setting. GPOs
that are processed later have precedence over GPOs that are processed earlier.
Group Policy refresh interval
By default, Group Policy is processed every 90 minutes, with a randomized delay of up to 30
minutes for a total maximum refresh interval of up to 120 minutes.
For security settings, after you have edited security settings policies, the policy settings are refreshed
on the computers in the OU to which the GPO is linked:
When a computer restarts.
Every 90 minutes on a workstation or server and every 5 minutes on a domain controller.
By default, security policy settings delivered by Group Policy are also applied every 16 hours (960
minutes), even if a GPO has not changed.
Each of these methods is described in the following subsections.
Block inheritance
Applying block inheritance to a domain or OU prevents GPOs linked to higher sites, domains, or
organizational units from being automatically inherited by the child-level Active Directory container.
permissions can be changed to limit the scope to a specific set of users, groups, or computers within
the OU, domain, or site.
The Group Policy Management Console (GPMC) manages these permissions as a single unit and
displays the security filtering for the GPO on the GPO Scope tab. In GPMC, groups, users, and
computers can be added or removed as security filters for each GPO.
Note:
WMI is the Microsoft implementation of the Web-Based Enterprise Management industry
initiative that establishes management infrastructure standards and lets you combine
information from various hardware and software management systems. WMI exposes
hardware configuration data such as CPU, memory, disk space, and manufacturer, and also
software configuration data from the registry, drivers, file system, Active Directory, the Windows
Installer service, networking configuration, and application data. Data about a target computer
can be used for administrative purposes, such as WMI filtering of GPOs.
To use the loopback processing feature, both the user account and the computer account must be in a
domain running Windows Server 2003 or a later version of Windows. Loopback processing does not
work for computers that are joined to a workgroup.
Administrative Templates
The Administrative Templates extension of Group Policy consists of an MMC server-side snap-in that is
used to configure policy settings and a client-side extension that sets registry keys on target computers.
Administrative Templates policy is also known as registry-based policy or registry policy.
The functionality of the administrative template files is limited. The purpose of .adm, .admx, or .adml
template files is to enable a user interface to configure policy settings. Administrative Template files do
not contain policy settings. The policy settings are contained in Registry.pol files that are located in the
Sysvol folder on domain controllers.
The Administrative Templates server-side snap-in provides an Administrative Templates node that
appears in Group Policy Object Editor under the Computer Configuration node and under the User
Configuration node. The settings under Computer Configuration manipulate registry settings for the
computer. Settings under User Configuration manipulate registry settings for users. Although some
policy settings require simple UI elements such as text boxes to enter values, most policy settings
contain only the following options:
Enabled: The policy is enforced. Some policy settings provide additional options that define the
behavior when the policy is activated.
Disabled: Enforces the opposite behavior from the Enabled state for most policy settings. For
example, if Enabled forces a feature's state to Off, Disabled forces the feature's state to On.
Not configured: The policy is not enforced. This is the default state for most settings.
The Administrative Template files are stored in the following locations on the local computer:
.adm: %systemroot%\Inf
.admx: %systemroot%\PolicyDefinitions
.adml: %systemroot%\PolicyDefinitions\<language-specific folder, for example, en-us>
You can also store and use .admx and .adml files from a central store in the following folders on the
domain controller:
.admx: %systemroot%\sysvol\domain\policies\PolicyDefinitions
.adml: %systemroot%\sysvol\domain\policies\PolicyDefinitions\<language-specific folder, for example, en-us>
For more information about how to store and use the templates from a central store, see Group policy
and sysvol in the Group Policy Planning and Deployment Guide
(http://go.microsoft.com/fwlink/?LinkId=182208).
The Office 2010 Administrative Templates are as shown in the following table.
True policies
Registry values for true policies are stored under the approved registry keys for Group Policy. Users
cannot change or disable these settings.
For computer policy settings:
HKEY_LOCAL_MACHINE\Software\Policies (the preferred location)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
For user policy settings:
HKEY_CURRENT_USER\Software\Policies (the preferred location)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
For Office 2010, true policies are stored in the following registry locations.
For computer policy settings:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\14.0
For user policy settings:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\14.0
Preferences
Preferences are set by users or by the operating system at installation time. The registry values that
store preferences are located outside the approved Group Policy keys. Users can change their
preferences.
If you configure preference settings by using a GPO, it does not have system access control list (SACL)
restrictions. Therefore, users might be able to change these values in the registry. When the GPO goes
out of scope (if the GPO is unlinked, disabled, or deleted), these values are not removed from the
registry.
To view preferences in Group Policy Object Editor, click the Administrative Templates node, click
View, click Filtering, and then clear the Only show policy settings that can be fully managed check
box.
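The following Windows PowerShell script is an added example, not part of this guide or of Office 2010, that checks where a given Office 2010 setting comes from: it reads the true policy key under Software\Policies\Microsoft\Office\14.0 and the preference key under Software\Microsoft\Office\14.0 and reports whether the value is enforced. The function name, the precedence assumption (a true policy wins over a preference) and the subkey names in the usage section are this example's own; the subkeys are placeholders to be replaced with the ones from the setting's documentation.

```powershell
# Added example (not from the Office 2010 Resource Kit). Reports whether an Office
# 2010 registry setting is enforced as a true policy (under the approved
# Software\Policies key, which users cannot change) or only set as a preference
# (under Software\Microsoft\Office\14.0, which users can change and which is left
# behind when a GPO goes out of scope).
function Get-Office2010SettingSource {
    [CmdletBinding()]
    param(
        # Subkey below ...\Office\14.0; the value used below is a placeholder
        [Parameter(Mandatory)] [string] $SubKey,
        # Registry value name, for example 'DRMEncryptProperty'
        [Parameter(Mandatory)] [string] $ValueName,
        # Computer Configuration settings live in HKLM, User Configuration settings in HKCU
        [ValidateSet('User', 'Computer')] [string] $Scope = 'User'
    )

    $hive = if ($Scope -eq 'User') { 'HKCU:' } else { 'HKLM:' }
    # True policy location for Office 2010 (the preferred Policies key from the guide).
    $policyKey     = "$hive\Software\Policies\Microsoft\Office\14.0\$SubKey"
    # Preference location (outside the approved Group Policy keys, no SACL protection).
    $preferenceKey = "$hive\Software\Microsoft\Office\14.0\$SubKey"

    # Read one value, returning $null when the key or the value does not exist.
    $read = {
        param($Key)
        if (-not (Test-Path -LiteralPath $Key)) { return $null }
        $item = Get-ItemProperty -LiteralPath $Key -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return $item.$ValueName
    }

    $policyValue     = & $read $policyKey
    $preferenceValue = & $read $preferenceKey

    # Assumption of this example: a true policy, when present, takes precedence over a
    # preference because neither the user nor the OCT can override it.
    $source = 'NotSet'
    if ($null -ne $policyValue) { $source = 'Policy' }
    elseif ($null -ne $preferenceValue) { $source = 'Preference' }

    [pscustomobject]@{
        Scope           = $Scope
        SubKey          = $SubKey
        ValueName       = $ValueName
        PolicyValue     = $policyValue
        PreferenceValue = $preferenceValue
        EffectiveSource = $source
        # Only a true policy is enforced; a preference can be changed by the user.
        Enforced        = ($source -eq 'Policy')
    }
}

# Usage: audit a list of settings and flag any that are set only as preferences.
# The subkeys below are placeholders, not paths taken from the guide.
$settingsToAudit = @(
    @{ SubKey = 'Common\<DRM subkey>'; ValueName = 'DRMEncryptProperty'; Scope = 'User' }
    @{ SubKey = 'Common\<DRM subkey>'; ValueName = 'RequestPermission';  Scope = 'User' }
)
$settingsToAudit |
    ForEach-Object { $p = $_; Get-Office2010SettingSource @p } |
    ForEach-Object {
        if ($_.EffectiveSource -eq 'Preference') {
            Write-Warning "$($_.ValueName) is only a preference (user-changeable); use a true policy to enforce it."
        }
        $_
    } | Format-Table Scope, ValueName, PolicyValue, PreferenceValue, EffectiveSource, Enforced
```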
settings in a GPO, an administrator edits the GPO by using Group Policy Object Editor from within
GPMC. Group Policy Object Editor is displayed with the GPO loaded.
An administrator can use GPMC to link GPOs to sites, domains, or OUs in Active Directory.
Administrators must link GPOs to apply settings to users and computers in Active Directory containers.
GPMC includes the following Resultant Set of Policies (RSoP) features that are provided by Windows:
Group Policy Modeling: Simulates which policy settings are applied under circumstances
specified by an administrator. Administrators can use Group Policy Modeling to simulate the RSoP
data that would be applied for an existing configuration, or they can analyze the effects of
simulated, hypothetical changes to the directory environment.
Group Policy Results: Represents the actual policy data that is applied to a computer and user.
Data is obtained by querying the target computer and retrieving the RSoP data that was applied to
that computer. The Group Policy Results capability is provided by the client operating system and
requires Windows XP, Windows Server 2003, or later versions of the operating system.
System requirements for GPMC and Group Policy Object Editor
The Group Policy Object Editor is part of GPMC and is invoked when you edit a GPO. You can run
GPMC on Windows XP, Windows Server 2003, Windows Vista, Windows 7, and Windows Server 2008.
The requirements vary per Windows operating system as follows:
GPMC is part of the Windows Vista operating system. However, if you have installed Service Pack 1
or Service Pack 2 on Windows Vista, GPMC is removed. To reinstall it, install the Microsoft Remote
Server Administration Tools for Windows Vista (http://go.microsoft.com/fwlink/?LinkId=89361).
The GPMC is included with Windows Server 2008 and later. However, this feature is not installed
with the operating system. Use Server Manager to install the GPMC. For information about how to
install GPMC, see Install the GPMC (http://go.microsoft.com/fwlink/?LinkID=187926).
To install GPMC on Windows 7, install the Remote Server Administration Tools for Windows 7
(http://go.microsoft.com/fwlink/?LinkId=180743).
To install GPMC on Windows XP or Windows Server 2003, install the Group Policy Management
Console with Service Pack 1 (http://go.microsoft.com/fwlink/?LinkId=88316).
For more information about how to use GPMC and the Group Policy Object Editor, see Enforce settings
by using Group Policy in Office 2010 (http://technet.microsoft.com/library/873a5392-1b1a-47a1-a863-
1f29ef116d0e(Office.14).aspx).
See Also
Windows Server Group policy (http://go.microsoft.com/fwlink/?LinkId=177635)
Group Policy Planning and Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=182208)
Group Policy Documentation Survival Guide (http://go.microsoft.com/fwlink/?LinkId=116313)
Planning for Group Policy in Office 2010
Enforce settings by using Group Policy in Office 2010 (http://technet.microsoft.com/library/873a5392-
1b1a-47a1-a863-1f29ef116d0e(Office.14).aspx)
Planning for Group Policy in Office 2010
This article discusses the key planning steps for managing Microsoft Office 2010 applications by using
Group Policy.
In this article:
Planning for Group Policy
Define business objectives and security requirements
Evaluate your current environment
Design managed configurations based on business and security requirements
Determine the scope of application
Test and stage Group Policy deployments
Involve key stakeholders
Evaluate your current environment
Examine how you currently perform management tasks related to configurations for Microsoft Office
applications to help you determine which kinds of Office policy settings to use. Document the current
practices and requirements. You will use this information to help you design managed configurations, in
the next step. Items to include are as follows:
Existing corporate security policies and other security requirements. Identify which locations and
publishers are considered secure. Evaluate your requirements for managing Internet Explorer
feature control settings, document protection, privacy options, and blocking file format settings.
Messaging requirements for the organization. Evaluate requirements for configuring user interface
settings, virus-prevention, and other security settings for Office Outlook 2007 by using Group
Policy. For example, Group Policy provides settings for limiting the size of .pst files, which can
improve performance on the workstation.
User requirements for Office applications for the various kinds of user roles. This depends largely
on users' job requirements and the organization's security requirements.
Default file save options to use for Microsoft Access 2010, Microsoft Excel 2010, Microsoft
PowerPoint 2010, and Microsoft Word 2010.
Access restrictions to set for Office 2010 user interface items; for example, disabling
commands, menu items, and keyboard shortcuts.
Software installation issues, if you are considering this deployment method. Although Group Policy
can be used to install software applications in small-sized organizations that have Active Directory
installed, there are some limitations, and you must determine whether it is an appropriate solution
for your deployment requirements. For more information, see "Identifying issues pertaining to
software installation" in Group Policy Planning and Deployment Guide
(http://go.microsoft.com/fwlink/?LinkId=182208).
If you manage large numbers of clients in a complex or rapidly changing environment, Microsoft
System Center Configuration Manager 2010 is the recommended method for installing and
maintaining Office 2010 in medium- and large-sized organizations. System Center Configuration
Manager 2010 offers additional functionality, including inventory, scheduling, and reporting
features.
Another option for deployment of Office 2010 in Active Directory environments is to use Group
Policy computer startup scripts.
Whether to use Group Policy or the OCT. Although both Group Policy and the OCT can be used to
customize user configurations for the Office 2010 applications, there are important differences:
Group Policy is used to configure Office 2010 policy settings contained in Administrative
Templates, and the operating system enforces those policy settings. These settings have
system access control list (SACL) restrictions that prevent non-administrator users from
changing them. Use Group Policy for configuring settings that you want to enforce.
The OCT is used to create a Setup customization file (.msp file). Administrators can use the
OCT to customize features and configure user settings. Users can modify most of the settings
after the installation. We recommend that you use the OCT for preferred or default settings
only.
For more information, see Office Customization Tool and Group Policy.
Whether to use local Group Policy to configure Office settings. You can use local Group Policy to
control settings in environments that include stand-alone computers that are not part of an Active
Directory domain. For more information, see Group Policy overview for Office 2010.
To help you plan for ongoing administration of GPOs, we recommend that you establish administrative
procedures to track and manage GPOs. This helps ensure that all changes are implemented in a
prescribed manner.
Involve key stakeholders
Group Policy deployments in enterprises are likely to have cross-functional boundaries. As part of
preparing for your deployment, it is important to consult key stakeholders from the various functional
teams in your organization and ensure they participate during the analysis, design, test, and
implementation phases, as appropriate.
Make sure that you conduct reviews of the policy settings that you plan to deploy for managing the
Office 2010 applications with your organization's security and IT operations teams to ensure that the
configurations suit the organization and that you apply as strict a set of policy settings as necessary to
protect the network resources.
See Also
Group Policy overview for Office 2010
Enforce settings by using Group Policy in Office 2010 (http://technet.microsoft.com/library/873a5392-
1b1a-47a1-a863-1f29ef116d0e(Office.14).aspx)
FAQ: Group Policy (Office 2010)
Find answers to frequently asked questions (FAQ) about Group Policy and Microsoft Office 2010.
The workbook Office2010GroupPolicyAndOCTSettings.xls is integrated into the Group Policy templates
download package and is now out-of-date.
To view the .admx and .adml template files on a computer that runs at least Windows Vista or
Windows Server 2008
1. Copy the .admx and .adml files to the PolicyDefinitions folder in the local computer:
a. Copy .admx files to this location: %systemroot%\PolicyDefinitions (for example,
C:\Windows\PolicyDefinitions)
b. Copy .adml files to this location: %systemroot%\PolicyDefinitions\ll-cc (where ll-cc
represents the language identifier, such as en-us for English United States)
2. Open the gpedit.msc console and expand Administrative Templates (under Computer
Configuration and User Configuration) to view the Office 2010 policies.
To view the .adm template files on a computer that is running any Windows operating system
1. Open the gpedit.msc console, right-click Administrative Templates in the Computer
Configuration or User Configuration node, and then select Add/Remove Templates.
2. Click Add and locate the folder on your computer where you stored the .adm files.
3. Select the templates that you want in the language of your choice, click Open, and then click
Close. The .adm files are displayed under the respective Administrative Templates nodes in a
subnode called Classic Administrative Templates (ADM).
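The following Windows PowerShell function is an added example (not from this guide or from the Office 2010 template download) that automates the .admx and .adml copy steps above, targeting either the local PolicyDefinitions folder or the sysvol central store path listed earlier in this section, and verifies that each .admx has a matching .adml for the chosen language. It assumes the extracted download keeps its .adml files in a subfolder named after the language identifier, such as en-us; the function name is this example's own.

```powershell
# Added example (not part of the Resource Kit): copy the Office 2010 .admx files and
# the .adml files for one language into a PolicyDefinitions folder, either on the
# local computer or in the sysvol central store on a domain controller. Every .admx
# is checked for a matching .adml, because Group Policy Object Editor cannot load a
# template whose language file is missing.
# Assumed download layout: <SourceFolder>\*.admx and <SourceFolder>\<ll-cc>\*.adml
function Install-Office2010AdmxTemplates {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SourceFolder,
        [string] $Language = 'en-us',      # ll-cc language identifier of the .adml files
        [switch] $CentralStore             # run on a domain controller to target sysvol
    )

    # Target paths as given in the guide: local PolicyDefinitions or the sysvol central store.
    $target = if ($CentralStore) {
        Join-Path $env:SystemRoot 'sysvol\domain\policies\PolicyDefinitions'
    } else {
        Join-Path $env:SystemRoot 'PolicyDefinitions'
    }
    $languageTarget = Join-Path $target $Language
    $languageSource = Join-Path $SourceFolder $Language

    $admxFiles = @(Get-ChildItem -LiteralPath $SourceFolder -Filter '*.admx' -File)
    if ($admxFiles.Count -eq 0) { throw "No .admx files found in '$SourceFolder'." }

    $report = foreach ($admx in $admxFiles) {
        # The .adml must have the same base name as its .admx and live in the ll-cc folder.
        $adml      = Join-Path $languageSource ($admx.BaseName + '.adml')
        $admlFound = Test-Path -LiteralPath $adml -PathType Leaf
        $copied    = $false

        if (-not $admlFound) {
            Write-Warning "Skipping $($admx.Name): no $Language .adml found at '$adml'."
        } elseif ($PSCmdlet.ShouldProcess($target, "Copy $($admx.Name) and $Language\$($admx.BaseName).adml")) {
            New-Item -ItemType Directory -Path $languageTarget -Force | Out-Null
            Copy-Item -LiteralPath $admx.FullName -Destination $target -Force
            Copy-Item -LiteralPath $adml -Destination $languageTarget -Force
            $copied = $true
        }

        [pscustomobject]@{
            Template  = $admx.Name
            Language  = $Language
            AdmlFound = $admlFound
            Copied    = $copied
            Target    = $target
        }
    }
    $report
}

# Usage (-WhatIf previews the copy without touching the target folder):
# Install-Office2010AdmxTemplates -SourceFolder 'C:\Office2010ADMX' -Language 'en-us' -WhatIf
# Install-Office2010AdmxTemplates -SourceFolder 'C:\Office2010ADMX' -CentralStore -Verbose
```

Rows with AdmlFound set to False identify templates that would appear in gpedit.msc with missing display strings, so resolve those before pointing clients at the central store.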
identifies a key on the keyboard. A modifier is the value for a modifier key, such as ALT, CONTROL, or
SHIFT.
To download a list of the control IDs for built-in controls in all applications that use the Ribbon, visit
Office 2010 Help Files: Office Fluent User Interface Control Identifiers
(http://go.microsoft.com/fwlink/?LinkID=181052).
For more information, see Disable user interface items and shortcut keys in Office 2010
(http://technet.microsoft.com/library/ab942894-fd65-4ebd-ba32-cfc07de97c36(Office.14).aspx)
Disadvantages:
Group Policy invokes the script and has limited awareness of the installation status afterward.
Product uninstalls and installs for multiple computers have to be done by using a command-line
script or batch file.
It might be difficult to determine exactly which updates and service packs were applied to each
client computer.
Downloadable book: Group Policy for Office 2010
Group Policy for Office 2010 provides information about the Group Policy settings for Microsoft Office
2010. The audiences for this book are IT professionals who plan, implement, and maintain Office
installations in their organizations.
The content in this book is a copy of selected content in the Office 2010 Resource Kit as of the
publication date. For the most current content, see the Office 2010 Resource Kit
(http://technet.microsoft.com/library/9df1c7d2-30a9-47bb-a3b2-5166b394fbf5(Office.14).aspx) on the
web.
Downloadable book: Group Policy for Office 2010 (http://go.microsoft.com/fwlink/?LinkId=204009)
Plan for multilanguage deployment of Office 2010
This article discusses planning considerations for deploying Microsoft Office 2010 with multiple
languages.
In this article:
Plan Setup
Plan customizations
Plan for proofing tools
Plan Setup
The language-neutral design of Office 2010 helps simplify the deployment of Office products in multiple
languages. Instead of creating a series of installations, you enable Setup to coordinate a single
installation of multiple language versions.
All language-specific components for a particular language are contained in a Microsoft Office 2010
Language Pack. Each Office 2010 Language Pack includes language-specific folders for all Office 2010
products that are available in that language. Folders are identified by a language tag appended to the
folder name. For a complete list of language tags, see Language identifiers and OptionState Id values
in Office 2010 (http://technet.microsoft.com/library/f5fee727-df49-4ef7-b073-
dd6c08dfecfa(Office.14).aspx).
You copy all the Office 2010 Language Packs that you need to a network installation point that contains
at least one complete Office 2010 product. By default, Setup automatically installs the language version
that matches the Windows user locale that is set on each user's computer. Or, you can override this
default behavior and manage the distribution of multiple language versions more precisely. For
example, you can:
Install more than one language on a single computer.
Specify which languages to install on users' computers, regardless of the language of the operating
system, which is specified by user locale.
Specify custom settings once and then apply them to all language versions that you deploy in your
organization.
Deploy different languages to different groups of users.
Deploy the Microsoft Office 2010 Proofing Tools Kit for additional languages.
To identify which deployment solution is appropriate for your scenario, see the model poster Deploy
Multilanguage Packs for Microsoft Office 2010 (http://go.microsoft.com/fwlink/?LinkId=168622).
To determine which companion proofing languages are included in an Office 2010 Language Pack, see
Companion proofing languages for Office 2010 (http://technet.microsoft.com/library/3f4de10b-757a-
4ce5-b9b7-1baafeb4753e(Office.14).aspx).
Each Office 2010 Language Pack contains the proofing tools for one or more additional languages. For
example, the Office 2010 Language Pack - Danish contains the proofing tools for English and German,
in addition to Danish. All Office 2010 Language Packs contain the proofing tools for English. For more
information about proofing tools, see Plan for proofing tools.
Before it installs a language version of an Office 2010 product, Setup determines whether the user has
the required operating system support for that language. Setup stops the installation if there is no
support. For example, if a user has not enabled support for East Asian languages, Setup does not
install the Japanese version of Office 2010.
It is important to plan which languages will be needed at the beginning of your deployment. There are
special steps that you must take if you have to change users' configurations after the initial deployment
and include additional languages as part of your customizations. For more information, see Add or
remove languages after deploying Office 2010 (http://technet.microsoft.com/library/aef95370-7f15-434f-
9311-e792555645d7(Office.14).aspx).
If your objective is to install only one language version of Office 2010 on each client computer and if
you do not specify any additional languages in the Config.xml file, Setup uses the following logic to
determine which language to use:
Setup matches the language of the user locale.
If there is no match, Setup looks for a close match. If the user locale is set to English (Canada), for
example, Setup might install Office 2010 in English (U.S.).
If there is no close match, Setup looks for a language in the following subkey in the Windows
registry:
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
If the InstallLanguage entry has not been added to the LanguageResources subkey and set to a
particular language (LCID), Setup prompts the user to select a language (in an interactive
installation), or the installation fails (in a quiet installation).
If your objective is to install more than one language version of Office 2010 on each client computer,
you should edit the Config.xml file and set the <AddLanguage> element for each language that you
want to include. However, when you add more than one language in the Config.xml file, you must
specify which of those languages Setup should use for the Shell UI. If the Shell UI language is not
specified, the installation fails.
You specify a language for the Shell UI by setting the ShellTransform attribute of the
<AddLanguage> element. In this case, the language of the Setup user interface follows the logic
described previously. However, the languages installed on the computer and the language of the Shell
UI are determined by the entries in the Config.xml file.
Setup always installs Office 2010 in the language of the Shell UI, in addition to any other installation
languages. For example, if the Shell UI is set to French, the user can select additional installation
languages on the Languages tab; however, the user cannot remove French.
For specific steps on how to customize Setup for different scenarios, see the applicable sections in
Customize language setup and settings for Office 2010 (http://technet.microsoft.com/library/1c423975-1848-4060-999c-cafcadf3047d(Office.14).aspx):
Deploy a default language version of Office (http://technet.microsoft.com/library/1c423975-1848-4060-999c-cafcadf3047d.aspx#BKMK_DeployDefaultLanguageVersionOfOffice)
Specify which languages to install (http://technet.microsoft.com/library/1c423975-1848-4060-999c-cafcadf3047d.aspx#BKMK_SpecifyLanguagesToInstall)
Deploy different languages to different groups of users (http://technet.microsoft.com/library/1c423975-1848-4060-999c-cafcadf3047d.aspx#BKMK_DeployDifferentLanguages)
Plan customizations
When a user starts an Office 2010 application for the first time, Setup applies default settings that
match the language installed on the computer and the language specified by the Windows user locale
setting.
Four main language settings affect the way users work with Office 2010:
Primary editing language: When more than one language version of Office 2010 is installed on
the computer, this setting determines the language in which users work with Office applications and
documents.
Enabled editing languages: Users can specify more than one language for editing Office 2010
documents. Depending on the languages selected, this setting might require that the user has
installed additional proofing tools.
User interface language: This setting determines the language in which the user interface
(menus and dialog boxes) is displayed.
Help language: This setting determines the language in which users view Help topics.
You can configure these language settings for users in advance. If you specify custom language
settings when you install Office, by applying a Setup customization file (.msp file) or by setting policies,
Office 2010 does not overwrite your settings with the default settings when users start the applications
for the first time.
Language Settings tool: If you do not enforce language settings by policy, users who work in
Office 2010 applications can use the Language Settings tool to change their language settings.
For specific steps on how to use these tools to customize Office 2010 for multiple language
deployments, see Customize language setup and settings for Office 2010
(http://technet.microsoft.com/library/1c423975-1848-4060-999c-cafcadf3047d(Office.14).aspx).
Prohibited: No settings related to user locale are modified by Office 2010 or by any individual
Office 2010 application.
In some scenarios, ignoring the user locale setting can help maintain a standard configuration across a
multilingual organization. Setting the LangTuneUp entry to Prohibited ensures that language settings
remain consistent and macros are more compatible internationally.
For example, if your organization is based in the United States and you want to standardize settings
internationally, you can deploy Office 2010 with Primary Editing Language set to en-us (U.S. English)
and LangTuneUp set to Prohibited. In this scenario, users receive the same default settings,
regardless of their user locale.
Ignoring user locale is not always the best option. For example, users who read and enter Asian
characters in Office 2010 documents might not always have the Asian fonts they must have to display
characters correctly. If the installation language on the user's computer does not match the language
that was used in the document and LangTuneUp is set to Prohibited, Office 2010 does not display
fonts in the non-default language. If your Office 2010 installations need to support multiple Asian
language user locales, make sure LangTuneUp continues to be set to OfficeCompleted. To help
ensure that users do not change the default value, set the corresponding policy.
language pack has all the proofing tool languages that you need, deploy a language pack by using
the instructions that fit your scenario in Customize language setup and settings for Office 2010
(http://technet.microsoft.com/library/1c423975-1848-4060-999c-cafcadf3047d(Office.14).aspx).
Office 2010 Proofing Tools Kit: This product contains the proofing tools for all of the languages
that are available with Office 2010. Use this option if you do not need the user interface for the
language and you need many proofing tools that are not included in the companion languages of
the languages installed, or in any additional language pack that you could install.
The Office 2010 Multi-Language Pack contains all of the Office 2010 Language Packs. Individual
Office 2010 Language Packs, the Office 2010 Multi-Language Pack, and Office 2010 Proofing Tools Kit
are available for purchase in major retail stores and their Web sites, and also through Microsoft volume
licensing programs.
The hard disk space requirement to install proofing tools is 1 gigabyte (GB). However, the overall disk
space depends on whether you deploy proofing tools from a language pack or from the Office 2010
Proofing Tools Kit. As with most Office 2010 products, the complete Office 2010 Proofing Tools
Kit package is cached to the local installation source (LIS).
Note:
Proofing tools do not include bilingual dictionaries or word breakers. Those tools are part of the
language version or language pack.
Syntax
<OptionState
Id="optionID"
State="Absent" | "Advertise" | "Default" | "Local"
[Children="force"]
/>
OptionState attributes
The following table shows OptionState attributes, values, and descriptions.
Children   force   All child features of the feature are set to the specified state.
Note:
The default value for the State attribute is Local.
<!-- <Logging Type="standard" Path="%temp%" Template="Microsoft Office Proofing Tools Kit Setup(*).txt" /> -->
<OptionState Id="ProofingTools_1048" State="Absent" Children="force"/>
</Configuration>
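The Config.xml fragments above and the multi-language rule described earlier (more than one <AddLanguage> element requires exactly one of them to carry ShellTransform, otherwise the installation fails) are easy to get wrong by hand, and in a quiet installation the result is a failed install rather than a prompt. The following Python is an added example, not code from this guide or from Office Setup: it generates both shapes of Config.xml and applies the Shell UI rule as a pre-flight check. The Id attribute on <AddLanguage>, the value "Yes" for ShellTransform, the Product attribute values "ProPlus" and "ProofKit", and the LCIDs other than 1048 are assumptions drawn from general Office 2010 Config.xml usage, not from this page.

```python
import xml.etree.ElementTree as ET

# Assumed Config.xml attribute names (Id on AddLanguage, Product on Configuration)
# and product codes; constructed for this example, not taken from the guide.


def build_language_config(product, languages, shell_language):
    """Config.xml that installs several language versions and marks one of
    them as the Shell UI language with ShellTransform="Yes"."""
    if shell_language not in languages:
        raise ValueError("the Shell UI language must be one of the installed languages")
    root = ET.Element("Configuration", Product=product)
    for lang in languages:
        attrs = {"Id": lang}
        if lang == shell_language:
            attrs["ShellTransform"] = "Yes"
        ET.SubElement(root, "AddLanguage", attrs)
    return ET.tostring(root, encoding="unicode")


def check_shell_ui(config_xml):
    """Pre-flight check for the rule in the text: with more than one
    AddLanguage element, exactly one must carry ShellTransform, or the
    installation fails. Returns (ok, message)."""
    root = ET.fromstring(config_xml)
    langs = root.findall("AddLanguage")
    shells = [e.get("Id") for e in langs
              if (e.get("ShellTransform") or "").lower() == "yes"]
    if len(langs) > 1 and len(shells) != 1:
        return False, f"{len(langs)} languages but {len(shells)} ShellTransform entries"
    return True, "ok"


def build_proofkit_config(keep_lcids, all_lcids):
    """Config.xml for the Proofing Tools Kit: every ProofingTools_<LCID> option
    outside keep_lcids is set Absent, with Children="force" so the whole feature
    subtree follows. State defaults to Local, so the kept LCIDs are written out
    explicitly only for readability."""
    root = ET.Element("Configuration", Product="ProofKit")  # assumed product code
    for lcid in all_lcids:
        state = "Local" if lcid in keep_lcids else "Absent"
        ET.SubElement(root, "OptionState", Id=f"ProofingTools_{lcid}",
                      State=state, Children="force")
    return ET.tostring(root, encoding="unicode")


def option_states(config_xml):
    """Map OptionState Id -> State, for reviewing a generated or hand-edited file."""
    root = ET.fromstring(config_xml)
    return {e.get("Id"): e.get("State") for e in root.findall("OptionState")}


if __name__ == "__main__":
    # Constructed sample: French Shell UI with English also installed.
    cfg = build_language_config("ProPlus", ["en-us", "fr-fr"], "fr-fr")
    print(cfg)
    print(check_shell_ui(cfg))
    # 1048 is the Romanian LCID shown on the page; 1033 (English) and 1036
    # (French) are assumed for the sample.
    print(build_proofkit_config({1033, 1036}, [1033, 1036, 1048]))
```

Run check_shell_ui over every Config.xml before it goes into a deployment share; a file with two languages and no ShellTransform is exactly the case the text says fails silently in a quiet installation.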
Precaching the local installation source for the Office 2010 Proofing
Tools Kit
When you deploy the Office 2010 Proofing Tools Kit, Setup creates a local installation source on the
user's computer, a copy of the compressed source files for the Office 2010 Proofing Tools Kit. Once
the files have been copied to the user's computer, Setup completes the installation from the local
installation source. You can minimize the load on the network by deploying the local installation source
separately, before you deploy the Office 2010 Proofing Tools Kit. To precache the local installation
source for the Office 2010 Proofing Tools Kit, see Precache the local installation source for Office 2010
(http://technet.microsoft.com/library/ff0a01a5-33d8-407c-ac52-50edccb32786(Office.14).aspx). Use the
Setup.exe and Config.xml files from the ProofKit.WW folder on the Office 2010 Proofing Tools Kit CD.
See Also
Language identifiers and OptionState Id values in Office 2010
(http://technet.microsoft.com/library/f5fee727-df49-4ef7-b073-dd6c08dfecfa(Office.14).aspx)
Companion proofing languages for Office 2010 (http://technet.microsoft.com/library/3f4de10b-757a-
4ce5-b9b7-1baafeb4753e(Office.14).aspx)
Customize language setup and settings for Office 2010 (http://technet.microsoft.com/library/1c423975-
1848-4060-999c-cafcadf3047d(Office.14).aspx)
Add or remove languages after deploying Office 2010 (http://technet.microsoft.com/library/aef95370-
7f15-434f-9311-e792555645d7(Office.14).aspx)
International reference for Office 2010 (http://technet.microsoft.com/library/db99b5fd-ae5d-43b9-ac5f-
2adce6e00868(Office.14).aspx)
Office Customization Tool in Office 2010 (http://technet.microsoft.com/library/8faae8a0-a12c-4f7b-839c-
24a66a531bb5(Office.14).aspx)
Precache the local installation source for Office 2010 (http://technet.microsoft.com/library/ff0a01a5-
33d8-407c-ac52-50edccb32786(Office.14).aspx)
Plan for virtualization for Office 2010
Microsoft Application Virtualization (App-V) provides the administrative capability to make applications
available to end-user computers without having to install the applications directly on those computers.
This section contains information to help you plan a deployment of Microsoft Office 2010 by
using Application Virtualization.
In this section:
Overview of virtualization to deploy Office 2010: Describes what virtualization is, how you can use
virtualization in your organization, and which method and type of Microsoft Application Virtualization
(App-V) you can use to deploy Office 2010 in your organization.
Methods to deploy Office 2010 by using Application Virtualization: Provides information about methods
to deploy Office 2010 by using Microsoft Application Virtualization (App-V) in specific environments and
how to deploy by using an Application Virtualization Management Server or an Application
Virtualization Streaming Server.
Application Virtualization application packages: Contains technical guidance for using Microsoft
Application Virtualization (App-V) to create an Office 2010 package.
Overview of virtualization to deploy Office 2010
This article describes what virtualization is, how you can use virtualization in your organization, and
which method and type can be implemented in your environment. For a visual representation of this
information, see Virtualization Overview, Methods, and Models
(http://go.microsoft.com/fwlink/?LinkId=168624).
In this article:
About virtualization
Virtualization types and technologies
Virtualization delivery methods
Virtualization changes and updates
Application virtualization client architecture
About virtualization
Virtualization is the capability to run an application or a computer in a virtual environment without
affecting the components that already exist on that particular desktop or server. Virtualizing computing
resources can be done in two ways:
Application virtualization: A software application is packaged to run in a self-contained, virtual
environment that contains all the information that is needed to run the application on the client
computer without installing the software application locally.
Desktop virtualization: The software application, operating system, and hardware configuration are
packaged to run in a self-contained, virtual environment. When a layer is created between the
hardware and the operating system that is being installed, you can run multiple operating systems
with applications on a single computer.
Virtualization types and technologies
The enterprise can deploy with one virtual delivery method or it can have multiple virtual environments
in combination with one another.
Application Virtualization
Microsoft Application Virtualization (App-V) is an enterprise-level application virtualization solution and
is part of the Microsoft Desktop Optimization Pack (MDOP). App-V enables applications to run on a
single instance of the operating system, turning applications into centrally managed services that are
never installed, that never conflict, and that are streamed on demand to end users. App-V supports
legacy applications and their extension points, and virtualized applications do not conflict with one
another, do not affect the system, can be completely removed, and are easily repaired or upgraded.
App-V is best used for applications that run on the current or target operating system, but have conflict
issues either with other applications or some installed files. By decoupling the physical desktop from the
software or hardware, you can create an isolated environment unseen by the end-user, and then run an
application by using a desktop computer or server that has Remote Desktop Services (formerly known
as Terminal Services) enabled without ever installing the application on the client operating system.
Microsoft Office 2010 includes the traditional Setup.exe method of deployment, and also supports
delivery through virtualization via streaming or deploying Office applications to the end-user without the
need of a CD or Setup.exe file.
For applications that cannot be run on the operating system and need an older version of the operating
system, see Microsoft Enterprise Desktop Virtualization (MED-V)
(http://go.microsoft.com/fwlink/?LinkId=156031), which is a component of MDOP (see Microsoft
Desktop Optimization Pack (http://go.microsoft.com/fwlink/?LinkId=156032)). MED-V enables you to
deploy applications by using the Virtual PC tool.
To use Microsoft Application Virtualization in the enterprise, Office 2010 will require the Application
Virtualization Desktop Client (Deployment Kit) configured on each device.
For more information about virtual environments, see About Virtual Environments
(http://go.microsoft.com/fwlink/?LinkId=156039).
Delivery methods
Within each kind of virtualization, there is a delivery method that provides a virtual environment to the
desktop.
For a visual representation of delivery methods, see Virtualization Overview, Methods, and Models
(http://go.microsoft.com/fwlink/?LinkId=168624).
Delivery methods for virtualization are as follows:
Presentation delivery: Enables a virtualized application to be accessed via Remote Desktop
Services from a desktop computer. Applications are run from one central server location that
provides screen images of the application or a desktop and are controlled by the desktop.
For more information about Remote Desktop Services (formerly known as Terminal Services)
presentation virtualization, see Remote Desktop Services
(http://go.microsoft.com/fwlink/?LinkId=156050).
Streaming delivery: Application virtualization is the process where a software application is
packaged and stored on a file server, application server, or alternative source drive, such as in
Microsoft System Center Configuration Manager 2007 and delivered in small sequenced bundles
as needed. For more information, see System Center Configuration Manager
(http://go.microsoft.com/fwlink/?LinkId=156051).
When end-users open a document that is running the virtual application for the first time, a quick
scroll bar is displayed that shows what percentage of the virtual application has streamed to their
computer. The application will load so that end-users can start their work. If there are features that
the end-user needs that were not in the initial feature block, the rest of the application will stream in
the background, into their local cache.
A sequenced package contains several files. This includes one .sft file, one .sprj file, one
Manifest.xml file, and then several .osd and .ico files.
The .sft file contains all the application files that contain all assets and state organized into
streamable feature blocks.
The .osd file contains the description of the application, which includes environment
dependencies, package location, shell integration, and scripts.
The .ico file contains the icons associated with each shortcut or file type association (FTA)
defined in an .osd file or the Manifest.xml file. These are extracted from application resources.
The .sprj file is the sequencing project file that references the .osd default package setting list
of all parser items, classifications, and exclusions.
The Manifest.xml file, which publishes parameters for the applications in a package, includes
the definition of shell integration (for example, FTAs, shortcuts, Dynamic Data Exchange
(DDE), and so on).
Stand-alone delivery: The process where a software application is packaged and delivered via
CD, USB drive, and so on, to be stored locally on the user's cached drive for full access when they
are disconnected from the network.
For a visual representation of the stand-alone delivery method for mobile users, see Virtualization
Overview, Methods, and Models (http://go.microsoft.com/fwlink/?LinkId=168624).
When you create a stand-alone package, an additional file is added to the package. The .msi file is
created to publish and load (install) the virtual application package in a stand-alone environment.
New feature: Support for Office 2010
Supported in App-V 4.x: Yes (App-V 4.6) for x86, and for x64 Office or x86 deployments to x64
computers (under WoW64).
Virtualizing an application puts a layer between the operating system and the application itself. This
provides the following benefits:
More flexibility in running applications, which in the past might have had conflicts with other
applications.
Applications can be installed and removed more easily, because they are not affecting any of the
local files on the desktop.
Less regression testing.
More customization on deployment of applications.
When an application is published on a local client computer, the application remains in a virtual
environment. However, it is executed locally by using local resources. Even though the application is in
a virtual environment, it is still able to interact with other locally installed programs.
The virtual environment for each application contains the registry settings and .ini files, .dll files, and the
Group Policy settings file. The application reads from and writes to this virtual environment without
affecting any of those settings on the local client computer. The only items that the App-V-enabled
application reads from and writes to outside its space are the system services (for example, cut-and-paste,
OLE, and printers) and the profile data. The local system files (for example, registry, .ini, and
.dll) are read only when necessary.
See Also
Planning and Deployment Guide for the Application Virtualization System
(http://go.microsoft.com/fwlink/?LinkId=156611)
Electronic Software Distribution-Based Scenario (http://go.microsoft.com/fwlink/?LinkId=156046)
Application Virtualization Server-Based Scenario (http://go.microsoft.com/fwlink/?LinkId=156047)
Stand-Alone Delivery Scenario for Application Virtualization Clients
(http://go.microsoft.com/fwlink/?LinkId=156048)
Microsoft Application Virtualization Sequencing Guide (http://go.microsoft.com/fwlink/?LinkId=156052)
Best practices to use for sequencing in Microsoft SoftGrid
(http://go.microsoft.com/fwlink/?LinkId=156053)
Methods to deploy Office 2010 by using
Application Virtualization
This article provides information about specific methods for deploying Microsoft Application
Virtualization (App-V) in environments that have no servers available to support other methods to
deploy virtual applications, and in environments that plan to deploy virtualized applications from a
connected server, such as an Application Virtualization Management Server or an Application
Virtualization Streaming Server.
For information to help you better understand and deploy App-V and its components, see Planning and
Deployment Guide for the Application Virtualization System
(http://go.microsoft.com/fwlink/?LinkID=156611&clcid=0x409). The guide also provides step-by-step
procedures for implementing the key deployment methods.
For information about how to specifically deploy Office 2010 by using App-V, see Deploy Office 2010 by
using Microsoft Application Virtualization (http://technet.microsoft.com/library/b8b513fe-0306-407c-
bd87-617a79b29ffa(Office.14).aspx).
Deployment methods
The virtual application package content can be placed on one or more Application Virtualization servers
so that it can be streamed down to the clients on demand and cached locally. File servers and Web
servers can also be used as streaming servers, or the content can be placed directly on the end user's
computer, for example, if you are using an electronic software distribution (ESD) system, such as
Microsoft System Center Configuration Manager 2007.
The following are some deployment methods and resources:
ESD-based deployment: For more information, see Electronic Software Distribution-Based Scenario (http://go.microsoft.com/fwlink/?LinkID=156046&clcid=0x409).
Server-based deployment: For more information, see Application Virtualization Server-Based Scenario (http://go.microsoft.com/fwlink/?LinkID=156047&clcid=0x409).
Stand-alone deployment: For more information, see Stand-Alone Delivery Scenario for Application Virtualization Clients (http://go.microsoft.com/fwlink/?LinkID=156048&clcid=0x409).
See Also
Deploy Office 2010 by using Microsoft Application Virtualization
(http://technet.microsoft.com/library/b8b513fe-0306-407c-bd87-617a79b29ffa(Office.14).aspx)
Planning and Deployment Guide for the Application Virtualization System
(http://go.microsoft.com/fwlink/?LinkID=156611&clcid=0x409)
Application Virtualization application packages
This article contains technical guidance for using Microsoft Application Virtualization (App-V) to create a
Microsoft Office 2010 package.
In this article:
Application virtualization sequencer
Application virtualization packages
Creating an Office 2010 system package
Creating application dependencies by using Dynamic Suite Composition
The .sft file contains the assets that include one or more Windows-based applications. The App-V
Sequencer, without altering the source code, packages these asset files into chunks of data that can be
streamed to the App-V client. The file is divided into two distinct blocks. The first block, which is known
as the primary feature block, consists of the application's most-used features, as configured during
package creation.
The .sprj (Sequencer project) file is generated when a project is saved. The .sprj file contains a list of
files, directories, and registry entries that are excluded by the Sequencer. Load this file into the
Sequencer to add, change, delete, or upgrade any of the applications in the suite. A common example
might be when you use the .sprj files to add service packs to the application.
The manifest file (XML based) describes all of the applications, file-type associations, and icons that are
used by the package.
Architecture of sequencing computer   Architecture of computer that is running Office   Architecture of client computer   Licensing support   Virtual proxy support
Important:
Packages that are sequenced on x64-based computers can only be deployed to x64-based
client computers. Packages that are sequenced on x86-based computers can be deployed to
x86-based client computers or x64-based client computers.
Note:
Virtual proxies are optional. However, virtual proxies are only supported on 32-bit computers
that are running Office 2010.
The following figure and table describe the minimum requirements and are followed by the procedures
necessary to create a system package.
Prepare a computer for sequencing
Install the deployment kit
Sequence the Office 2010 system package
Computer   Description   Required operating system
Use the following procedure to install the deployment kit that enables Office 2010 client products to be
sequenced and deployed by using App-V. The kit includes the components that are required for Office
license activation.
Msiexec /i OffVirt.msi [feature flags][licensing flags]
Note
You must install the version of the deployment kit that matches the operating system architecture of
your computer. For example, if you intend to sequence either Office 32-bit or 64-bit on a 64-bit
operating system computer, you must use the 64-bit version of the deployment kit because it
matches the operating system version.
Use the feature flags for the architecture that matches your sequencing station operating system:
32-bit: ADDLOCAL=Click2runMapi,Click2runOWSSupp,Click2runWDS,OSpp,OSpp_Core
64-bit: ADDLOCAL=Click2runMapi,Click2runOWSSupp,Click2runWDS,Ospp,OSpp_Core,OSppWoW64
For more information about the Office 2010 system volume activation and to determine which
activation and licensing flags to use, see Office license activation
(http://go.microsoft.com/fwlink/?LinkID=182959).
The following table lists the Office 2010 product applications and Office 2010 product suites
together with their corresponding licensing flag for KMS activation. To configure the appropriate
license properties for KMS, specify the values that correspond to the Office 2010 product that you
are sequencing, and set the flag value from the following table to 1.
For example: msiexec /i Offvirt.msi PROPLUS=1 VISIOPREM=1
KMS activation
Product   Flag   Value
InfoPath   InfoPath   0 or 1
OneNote   OneNote   0 or 1
Outlook   Outlook   0 or 1
PowerPoint   PowerPoint   0 or 1
Project Professional   PROJECTPRO   0 or 1
Project Standard   PROJECTSTD   0 or 1
Publisher   Publisher   0 or 1
SharePoint Designer   SPD   0 or 1
Visio Premium   VISIOPREM   0 or 1
Visio Professional   VISIOPRO   0 or 1
Visio Standard   VISIOSTD   0 or 1
Word   Word   0 or 1
The following table lists the flags and values for MAK activation. If the Office client computers will be
using MAK activation, you must install the product key by using one of the methods listed in the
following table.
MAK activation
Flag   Value
PIDKEYS   XXXXX-XXXXX-XXXXXX-XXXXXX-XXXXXXX (multiple product keys are semicolon delimited, for example PIDKEYS=X-X-X-X-X;Y-Y-Y-Y-Y)
USEROPERATIONS   0 or 1
1. Use the Volume Activation Management Tool (VAMT) 2.0, to install product keys on client
computers that stream the Office 2010 system. To download the tool, see Volume Activation Tool
(http://go.microsoft.com/FWLINK/?LinkID=83292).
2. Deploy one or more MAK keys by using the PIDKEYS property, semicolon delimited, as shown in the
table. In the following example, the Professional Plus and the Visio MAK keys are entered,
followed by the USEROPERATIONS property set to 1 to allow the client to activate.
msiexec /i OffVirt.msi PIDKEYS=xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx;yyyyy-yyyyy-yyyyy-yyyyy-yyyyy-yyyyyy USEROPERATIONS=1
3. Mixed KMS/MAK deployments are supported. For example: use KMS for PROPLUS and MAK for
Visio:
msiexec /i OffVirt.msi PROPLUS=1 PIDKEYS=yyyyy-yyyyyy-yyyyyy-yyyyyy-yyyyyy-yyyyyy
Note:
UserOperations=1 means non-administrative users can activate Office. UserOperations=0
means only administrators can activate Office.
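Because the deployment kit command line carries product keys and the USEROPERATIONS switch that decides who may activate, it is worth assembling it from validated parts and masking the keys before the line is copied into a ticket, a script repository or a deployment log. The following Python is an added example, not code from this guide or from the deployment kit: it builds the msiexec command from the feature flags and licensing flags quoted above, rejects an unknown architecture name, an unknown licensing flag or a USEROPERATIONS value other than 0 or 1, allows mixed KMS/MAK as the text does, and redacts PIDKEYS for logging. The product-key format check (hyphen-separated alphanumeric groups) and the sample key are assumptions; the page's x/y strings are placeholders, so the group count is not enforced. The redaction covers what you write down: process-creation auditing and MSI logging on the sequencing station still record the full command line.

```python
import re

# Feature flags quoted from the deployment kit instructions; the 64-bit set
# adds OSppWoW64.
FEATURE_FLAGS = {
    "x86": "Click2runMapi,Click2runOWSSupp,Click2runWDS,OSpp,OSpp_Core",
    "x64": "Click2runMapi,Click2runOWSSupp,Click2runWDS,Ospp,OSpp_Core,OSppWoW64",
}

# KMS licensing flags from the table, plus PROPLUS from the worked example.
KMS_FLAGS = {
    "PROPLUS", "InfoPath", "OneNote", "Outlook", "PowerPoint", "PROJECTPRO",
    "PROJECTSTD", "Publisher", "SPD", "VISIOPREM", "VISIOPRO", "VISIOSTD", "Word",
}

# Assumption: a key is hyphen-separated alphanumeric groups. The exact group
# count is not enforced because the page only shows placeholder strings.
KEY_RE = re.compile(r"^[A-Z0-9]+(?:-[A-Z0-9]+)+$", re.IGNORECASE)


def build_offvirt_command(arch, kms_products=(), mak_keys=(), user_operations=None,
                          msi="OffVirt.msi"):
    """Assemble 'msiexec /i OffVirt.msi [feature flags] [licensing flags]'.

    arch selects the feature set and must match the sequencing station's OS;
    kms_products are flags set to 1; mak_keys go into PIDKEYS, semicolon
    delimited; user_operations is 0 (administrators only) or 1 (non-
    administrative users may activate)."""
    if arch not in FEATURE_FLAGS:
        raise ValueError("arch must be 'x86' or 'x64'")
    parts = ["msiexec", "/i", msi, "ADDLOCAL=" + FEATURE_FLAGS[arch]]
    for product in kms_products:
        if product not in KMS_FLAGS:
            raise ValueError(f"unknown KMS licensing flag: {product}")
        parts.append(f"{product}=1")
    for key in mak_keys:
        if not KEY_RE.match(key):
            raise ValueError("product key has an unexpected format")
    if mak_keys:
        parts.append("PIDKEYS=" + ";".join(mak_keys))
    if user_operations is not None:
        if user_operations not in (0, 1):
            raise ValueError("USEROPERATIONS must be 0 or 1")
        parts.append(f"USEROPERATIONS={user_operations}")
    return " ".join(parts)


PIDKEYS_RE = re.compile(r"(PIDKEYS=)\S+")


def redact_keys(command):
    """Mask the PIDKEYS value before the command line is recorded anywhere."""
    return PIDKEYS_RE.sub(r"\1<redacted>", command)


if __name__ == "__main__":
    # Constructed sample key; mixed KMS (PROPLUS) and MAK, as in step 3 above.
    cmd = build_offvirt_command("x64", kms_products=["PROPLUS"],
                                mak_keys=["ABCDE-FGHIJ-KLMNO-PQRST-UVWXY"],
                                user_operations=1)
    print(cmd)
    print(redact_keys(cmd))
```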
Use the following procedure to sequence the Office 2010 system on the sequencing computer.
Note:
We recommend that you select a virtual drive assignment and use it consistently;
typically, this is the Q:\ drive.
5. On the Monitoring Installation dialog box, click Begin Monitoring to monitor the installation
phase.
6. Start the setup.exe for the Office 2010 system.
7. At the Choose the installation that you want prompt, click Customize.
Note:
In the Office installation procedure, make sure that you select Install to hard disk
drive if you want that feature installed.
8. Click the File Location tab, and configure the path to match the installation directory that you
selected in step 4. Then click Install.
The following procedure to configure the first start use settings (for example, customizing user settings)
is optional, but should be performed during monitoring. If you do not need the optional steps, go to To
create the Primary Feature Block later in this article.
Optional steps
1. Start virtual applications during monitoring. Click Start, and then click Run.
2. Enter the actual path of the virtual application, and select the executable virtual file to start the
virtual application.
For example, to start Word, type q:\Temp123.wxp\Office14\WINWORD.EXE, and then press
ENTER.
3. Configure additional proxies while the sequencer is still monitoring.
Use the following procedure, which is done while on the sequencing computer, to configure additional
proxies. These steps must occur during the monitoring process to have these keys correctly persisted
in a deleted state in the virtual registry. Proxies enable Fast Search in Outlook Search, integration with
SharePoint (opening and editing documents), and other features.
Note:
To quickly locate the path, click Browse. Copy and paste the application path into the
File name field.
Instant Search (Virtual Search host)
Application Path: %commonprogramfiles%\microsoft shared\virtualization handler\VirtualSearchHost.exe
Name: Specify a name. The default name is Search MAPI Protocol Handler Host
Virtual SharePoint Proxy
Application Path: %commonprogramfiles%\microsoft shared\virtualization handler\VirtualOWSSuppManager.exe
Name: Specify a name. The default name is Microsoft SharePoint Client Support Manager
Simple MAPI
Application Path: %commonprogramfiles%\microsoft shared\virtualization handler\MapiServer.exe
Name: Specify a name. The default name is Microsoft Virtual Office Simple MAPI Proxy Server
Virtual Mail Control Panel Item
Application Path: %windir%\system32\Control.exe %SFT_MNT%\short path\Office14\mlcfg32.cpl
Name: Specify a name. The default name is Windows Control Panel
Note
To add the parameter %SFT_MNT%\short path\Office14\mlcfg32.cpl to the application path,
browse to the Control.exe application path, and click OK. Append the parameter in the Application
Path field.
The short path is the 8.3 directory on which you installed Office 2010. For example, if you installed
Office 2010 to Q:\Temp123.wxp, the short path would be Temp123.wxp.
Office Document Cache
Application Path: Q:\short path\Office14\MSOSync.exe
Name: Specify a name. The default name is Microsoft Office Document Cache
3. Set the Office Document Cache application to start automatically.
Expand the Office Document Cache element in the Applications tree.
4. Select Shortcuts. Edit the shortcut location to be Start Menu\Programs\Startup.
5. Synchronize all application .osd file versions with the proxy .osd version.
Right-click the Office installation file (Setup.exe), and then select Properties.
6. Click the Version tab. Change the version of all .osd files to match that version.
For example: If the version of Setup.exe is 14.0.4763.1000, make sure that the version number
of all proxy application .osd files and Office .osd files is set to 13.04.764.1000.
7. Click Next.
Use the following procedures to create the primary feature block that contains the minimum content
required for an application or multiple applications to run. We recommend that you do not start
OneNote, Outlook, or SharePoint during this step, so that their customization settings are preserved.
During this step, do not press F1.
4. After sequencing is complete, click Finish.
5. To save the package, click Package, and then click Save As.
Important:
If you are deploying Office 2010 to a computer that already has the 2007 Office system
installed (coexistence with Office 2010), follow these steps. Otherwise, skip the rest of
these steps and continue.
3. During monitoring, create the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
If you are sequencing on a 64-bit version of Windows, also create the following subkey:
HKEY_CURRENT_USER\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
For App-V 4.6, make sure that the subkey is set to Override local key.
For App-V 4.5, set the parent key \CurrentVersion\Windows Messaging Subsystem to
merge with the local key.
Set the subkey \CurrentVersion\Windows Messaging Subsystem\Profiles to merge with
the local key.
Important:
The following steps must be performed during monitoring to have the key persist in a
deleted state in the virtual registry.
4. On the Tools menu, click Sequencing Wizard.
5. Click Next.
6. Click Begin Monitoring.
7. Create the following virtual registry subkey, and then delete it so that the sequencer monitors
the deletion of the newly added key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\Microsoft.OMSAddin
8. Click Stop Monitoring, continue to click Next, and then click Finish to return to the advanced
sequencer properties page.
Note:
You might have to add some of these XML nodes if they currently do not exist.
9. For each .osd file, set the element text of the following tag to TRUE (create the tag, and any
missing parent nodes, if it does not exist):
SOFTPKG -> IMPLEMENTATION -> VIRTUALENV -> POLICIES -> LOCAL_INTERACTION_ALLOWED
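The version synchronization in step 6 and the policy edit in step 9 are easy to get wrong by hand across a dozen .osd files (the wrong version number on even one proxy .osd breaks Dynamic Suite Composition). The following script is an added example, not code from the Office 2010 Resource Kit or from App-V; it assumes the .osd layout the page describes (a root SOFTPKG element whose VERSION attribute carries the package version, and the policy element at SOFTPKG/IMPLEMENTATION/VIRTUALENV/POLICIES/LOCAL_INTERACTION_ALLOWED). The Setup.exe path and the .osd folder are placeholders for your own sequencing environment.

```powershell
# Added example, not from the Office 2010 Resource Kit. Paths are assumptions;
# the .osd structure is the one the page describes: a root SOFTPKG element
# carrying a VERSION attribute, and the policy element at
# SOFTPKG/IMPLEMENTATION/VIRTUALENV/POLICIES/LOCAL_INTERACTION_ALLOWED.
param(
    [string]$SetupExe  = 'Q:\Temp123.wxp\Setup.exe',   # assumed path to the Office Setup.exe used for sequencing
    [string]$OsdFolder = 'C:\Packages\Office2010'      # assumed folder holding the proxy and Office .osd files
)

# Step 6: read the file version of Setup.exe (for example 14.0.4763.1000) and
# keep only the four numeric parts, since FileVersion can carry a text suffix.
$raw = (Get-Item $SetupExe).VersionInfo.FileVersion
if ($raw -match '^\d+\.\d+\.\d+\.\d+') { $version = $Matches[0] } else { throw "Unexpected version '$raw'" }

foreach ($osd in Get-ChildItem -Path $OsdFolder -Filter '*.osd') {
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($osd.FullName)
    $root = $doc.DocumentElement
    if ($root.Name -ne 'SOFTPKG') { Write-Warning "$($osd.Name): root is $($root.Name), skipped"; continue }

    # Step 6: every proxy and Office .osd must carry the same version as Setup.exe.
    $root.SetAttribute('VERSION', $version)

    # Step 9: walk IMPLEMENTATION/VIRTUALENV/POLICIES/LOCAL_INTERACTION_ALLOWED,
    # creating any node that is missing, then set the element text to TRUE.
    $node = $root
    foreach ($name in 'IMPLEMENTATION', 'VIRTUALENV', 'POLICIES', 'LOCAL_INTERACTION_ALLOWED') {
        $child = $node.SelectSingleNode($name)
        if ($child -eq $null) { $child = $node.AppendChild($doc.CreateElement($name)) }
        $node = $child
    }
    $node.InnerText = 'TRUE'

    $doc.Save($osd.FullName)
    Write-Host ("{0}: VERSION={1} LOCAL_INTERACTION_ALLOWED={2}" -f $osd.Name, $version, $node.InnerText)
}
```

Run it once against the folder that holds both the proxy and the Office .osd files, then spot-check one file. Note the security-relevant side of step 9: LOCAL_INTERACTION_ALLOWED=TRUE lets the virtualized Office processes interact with applications running natively on the client, which is exactly what the proxies need but also widens the boundary between the virtual environment and the host; set it only on the packages that require it.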
Use the following procedure to configure the client computer to run the Office 2010 sequenced
package.
KMS activation
Product               Flag         Value
InfoPath              InfoPath     0 or 1
OneNote               OneNote      0 or 1
Outlook               Outlook      0 or 1
PowerPoint            PowerPoint   0 or 1
Project Professional  PROJECTPRO   0 or 1
Project Standard      PROJECTSTD   0 or 1
Publisher             Publisher    0 or 1
SharePoint Designer   SPD          0 or 1
Visio Premium         VISIOPREM    0 or 1
Visio Professional    VISIOPRO     0 or 1
Visio Standard        VISIOSTD     0 or 1
Word                  Word         0 or 1
The following table lists the flags and values for MAK activation. If the Office clients will be
using MAK activation, you must install the product key by using one of the methods listed after
the table.
MAK activation
Flag            Value
PIDKEYS         XXXXX-XXXXX-XXXXX-XXXXX-XXXXX. Multiple product keys are semicolon delimited,
                for example PIDKEYS=X-X-X-X-X;Y-Y-Y-Y-Y
USEROPERATIONS  0 or 1
a. Use the Volume Activation Management Tool (VAMT) 2.0 to install product keys on client
computers that stream the Office 2010 system. To download this tool, see Volume
Activation Tool (http://go.microsoft.com/FWLINK/?LinkID=83292) on the Microsoft
Download Web site.
b. Deploy one or more MAK keys by using the PIDKEYS property, semicolon delimited, as
shown in the previous table. In the following example, the Professional Plus and the Visio
MAK keys are being entered, followed by the USEROPERATIONS property set to 1 to
allow the client to become active.
msiexec /i OffVirt.msi PIDKEYS=xxxxx-xxxxx-xxxxx-xxxxx-xxxxx;yyyyy-yyyyy-yyyyy-yyyyy-yyyyy USEROPERATIONS=1
c. Mixed KMS/MAK deployments are supported. If you want, some client computers can use
KMS activation, and other client computers can use MAK. For example, to use KMS for
PROPLUS and MAK for Visio:
msiexec /i OffVirt.msi PROPLUS=1 PIDKEYS=yyyyy-yyyyy-yyyyy-yyyyy-yyyyy
4. Enable the proxies on the client computer only if you configured proxies during the sequencing
step.
To enable the virtual proxies for the package, open an elevated command prompt and run the
following command. Replace each placeholder in angle brackets with the value from your package,
and enclose any value that contains spaces in quotation marks so that msiexec reads it as a single
property value:
msiexec /i <path of the OffVirt.msi>\OffVirt.msi ADDDEFAULT=Click2runOneNoteProxy,Click2runOutlookProxies,Click2RunWDSProxy,Click2runOWSSuppProxies PACKAGEGUID={SFT package GUID} PACKAGEVERSION=<version found in OSD files for proxies, Outlook, and OneNote> OUTLOOKNAME=<application name for Outlook from OSD> ONENOTENAME=<application name for OneNote from OSD> MAPISERVER=<MAPI proxy application name> VIRTUALSEARCHHOST=<Search proxy application name> MLCFG32CPL=<application name for virtual mail configuration> OWSSUPPServer=<application name for SharePoint proxy>
For example:
msiexec /i c:\OffVirt.msi ADDDEFAULT=Click2runOneNoteProxy,Click2runOutlookProxies,Click2runWDSProxy,Click2runOWSSuppProxies PACKAGEGUID={5971AF75-7831-4AE9-906F-0F30C7DD0CA5} PACKAGEVERSION=14.0.4763.1000 OUTLOOKNAME="Microsoft Outlook 2010" ONENOTENAME="Microsoft OneNote 2010" MAPISERVER="Microsoft Virtual Office Simple Mapi Proxy Server" VIRTUALSEARCHHOST="Search MAPI Protocol Handler Host" MLCFG32CPL="Windows Control Panel" OWSSUPPServer="Microsoft SharePoint Client Support Manager"
The Dynamic Suite Composition tool comes as part of the App-V resource kit. It reduces the risk of
mistyping and the complexity that is associated with editing XML directly. The following is a sample
exercise to configure two separate virtualized packages to integrate together:
1. On the App-V server, click Start, and then click Microsoft App-V DSC Tool.
2. In the Package Roots field, click Select, and then click Add Folder.
3. Expand Computer, select Content where the stored packages are listed, click OK, and then click
Done to build the list of available packages.
4. In the Primary Package box, select the first package from D:\Content\....
5. In the Secondary Packages Available box, select the second package from D:\Content\..., and
then click Add.
6. Click Save, click OK to confirm, and then click Exit to complete the procedure.
See Also
Proof of Concept Jumpstart Kit v1.1 (http://go.microsoft.com/fwlink/?LinkId=195525)
Plan for Remote Desktop Services (Terminal Services)
A terminal server is the server that hosts Windows-based programs or the full Windows desktop for
Terminal Services clients. Users can connect to a terminal server to run programs, to save files, and to
use network resources on that server. When a user accesses a program on a terminal server, the
program execution occurs on the server. Only keyboard, mouse, and display information is transmitted
over the network. Each user sees only their individual session. The session is managed transparently
by the server operating system and is independent of any other client session.
The Terminal Services role, now named Remote Desktop Services in Windows Server 2008 R2,
provides the ability to host multiple, concurrent client sessions in Windows. By using Remote Desktop
Services, users can access the Remote Desktop Session Host server (terminal server) from within a
corporate network or from the Internet.
In this section:
Article: Plan to deploy Office 2010 in a Remote Desktop Services (Terminal Services) environment
Description: Describes the best practices and recommended guidelines to use when you plan a
deployment of Microsoft Office 2010 in a Remote Desktop Services environment.
Article: Setup customizations of Office 2010 related to Remote Desktop Services (Terminal Services)
Description: Describes the customizations of Office 2010 that are related to Remote Desktop Services.
Plan to deploy Office 2010 in a Remote Desktop Services (Terminal Services) environment
This article describes the best practices and recommended guidelines to use when you plan a
deployment of Microsoft Office 2010 in a Remote Desktop Services environment (formerly known as
Terminal Services).
In this article:
Planning a Remote Desktop Services environment
Configuring Remote Desktop Session Host server
Customizing the Office 2010 installation
Installing Office 2010 on a Remote Desktop Services-enabled computer
Server requirements
You can run Office 2010 on a computer that is running Windows Server 2003 with Service Pack (SP) 1
or later versions. You cannot install or run Office 2010 on a server operating system that was released
earlier than Windows Server 2003.
Deploying on Remote Desktop Services requires a review of the design changes in Office 2010 and of
the server requirements for the version of Windows Server (2003 or 2008) that you intend to use.
Because the server hardware must support multiple concurrent sessions, it strongly affects
performance. Processor and memory requirements vary with the workload. The following table shows
the results of some recent tests.
Remote Desktop Services can be configured to load balance across a Remote Desktop Session Host
(RD Session Host) server farm, depending on the customer's deployment needs.
As Windows Server 2003 RD Session Host server capacity and scaling shows, the number of
concurrent sessions depends on many factors, such as workload and configuration. To support
thousands of concurrent sessions, use an RD Session Host server farm configuration.
The Windows Server 2008 tuning guide now includes a reference for tuning the RD Session Host
server knowledge worker workload (the Office-based workload) on Windows Server 2008; see
Performance Tuning Guidelines for Windows Server 2008
(http://go.microsoft.com/fwlink/?LinkId=135703).
To learn about how Microsoft IT deployed Windows Server 2008 Terminal Services at Microsoft, see
How MSIT uses Terminal Services as a Scalable Remote Access Solution
(http://go.microsoft.com/fwlink/?LinkId=135705).
To learn more about the Remote Desktop Load Simulation Toolset, see Remote Desktop Load
Simulation Tools (http://go.microsoft.com/fwlink/?LinkId=178956).
Client requirements
One advantage of running Office 2010 on a Remote Desktop Services-enabled computer is that older,
less robust client computers can access the Remote Desktop Services-enabled computer. Specifically,
any computer that supports the Remote Desktop Protocol (RDP) can connect to a Remote Desktop
Services-enabled computer.
Evaluating recommended guidelines and best practices
Be sure that you review the following guidelines and best practices to plan an effective deployment of
Office 2010 in a Remote Desktop Services environment.
The following paper, available for download, guides you on capacity planning of RD Session Host in
Windows Server 2008 R2 and describes the most relevant factors that influence the capacity of a given
deployment: Remote Desktop Session Host Capacity Planning in Windows Server 2008 R2
(http://go.microsoft.com/fwlink/?LinkId=185079&clcid=0x409).
For Microsoft Outlook 2010, the most scalable and optimized configuration for large deployments is
Outlook running in Online Mode against the Exchange server. However, customers who deploy
Outlook 2010 now have the supported option of enabling Cached Exchange Mode when Outlook 2010
is installed in a Remote Desktop environment. This may be ideal for small deployments where Outlook
connects over a high-latency connection to an Exchange server that is located remotely. For more
information, see Cached Exchange Mode in a Remote Desktop Session Host environment: planning
considerations (white paper).
Desktop users group, users are denied access to the Remote Desktop Services-enabled computer. For
more information about how to install and configure Remote Desktop Services (Terminal Services), see
Guidelines for Deploying Terminal Server (http://go.microsoft.com/fwlink/?LinkId=88006).
You can configure installation states during a manual installation by clicking Customize on the Choose
the installation you want page. For more information about how to perform a manual installation on a
Remote Desktop Services-enabled computer, see the following section.
10. On the Install Options tab, click an application or feature and change the installation state to either
Run from my computer or Not available.
11. If you want to customize other settings, click the File Location tab or the User Information tab,
and then make the changes that you want.
12. To start the installation, click Install Now.
13. When the installation is complete, click Close to close the Setup program.
14. On the After Installation page, click Next.
15. On the Finish Admin Install page, click Finish.
It is important that you perform the last two steps. These steps configure the Remote Desktop Services-
enabled computer for execute mode.
Note:
With interactive installations, by default, the user name field is populated with the currently
logged-on user's information. This is also true for the user name set in the Config.xml file.
Any user name that is provided during Setup is written to the registry key
HKCU\Software\Microsoft\Office\Common\UserInfo.
Remote Desktop Services mirrors this registry key to
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Office\Common\UserInfo.
Any new users then receive the defaults from the HKLM UserInfo key in their own user profiles.
Because a user name already exists, new Remote Desktop Services users are not prompted to
input their own names; instead they get the default user name of the administrator.
To resolve this issue for new users in an existing Remote Desktop Services deployment, the
administrator of the computer that is running Remote Desktop Services should remove the values from
the registry key
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Office\Common\UserInfo.
To resolve the issue for all users in a new Remote Desktop Services deployment, the administrator of
the computer that is running Remote Desktop Services should perform one of the following tasks:
During installation, select Customize, and then clear the user name and initials values.
Use a Config.xml file that has the user name and initials set to empty values.
After installation, remove the values from the registry key
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Office\Common\UserInfo.
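The third option above is the one that can be scripted and re-checked after every admin-mode install, which matters because every new session user otherwise inherits the installing administrator's name and it ends up as the author metadata on their documents. The following is an added example, not code from the Resource Kit; the key path is the one the page gives, while the individual value names under UserInfo (UserName, UserInitials, Company) are an assumption, which is why the script clears whatever values exist under the key rather than naming them.

```powershell
# Added example, not from the Office 2010 Resource Kit. The key path is the
# install-mode mirror the page describes; value names are not hard-coded because
# the page does not list them (UserName, UserInitials, Company is an assumption).
$mirror = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Office\Common\UserInfo'

function Get-MirroredUserInfo {
    # Returns a hashtable of the values that new RDS users would inherit
    # (empty if the key is absent or has no values).
    $result = @{}
    if (Test-Path $mirror) {
        $key = Get-Item $mirror
        foreach ($name in $key.GetValueNames()) { $result[$name] = $key.GetValue($name) }
    }
    return $result
}

function Clear-MirroredUserInfo {
    # Removes every value under the mirror key so that new users are prompted
    # for their own name instead of receiving the administrator's.
    if (-not (Test-Path $mirror)) { Write-Host 'Mirror key not present; nothing to clear.'; return }
    $key = Get-Item $mirror
    foreach ($name in $key.GetValueNames()) {
        Write-Host ("Removing {0} = {1}" -f $name, $key.GetValue($name))
        Remove-ItemProperty -Path $mirror -Name $name
    }
}

# Run from an elevated prompt on the RD Session Host after the admin install.
$before = Get-MirroredUserInfo
if ($before.Count -eq 0) { Write-Host 'UserInfo mirror already empty.' } else { $before | Format-Table -AutoSize }
Clear-MirroredUserInfo
if ((Get-MirroredUserInfo).Count -ne 0) { throw 'UserInfo mirror still has values; check permissions.' }
Write-Host 'UserInfo mirror is empty; new users will be prompted for their own name.'
```

Run the check again after any later repair or reinstall performed in install mode, because those operations write to HKCU under the same mirroring rules and can repopulate the key.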
See Also
Whitepaper Release: Application Virtualization 4.5 for Terminal Services
(http://go.microsoft.com/fwlink/?LinkId=185972&clcid=0x409)
Setup customizations of Office 2010 related to Remote Desktop Services (Terminal Services)
Remote Desktop Services deployments of Microsoft Office 2010 require a volume license key to
function correctly. This article describes customizations that are related to Remote Desktop Services
(formerly known as Terminal Services).
In this article:
Install on first use
Screen flickering
TSAbsent and TSDisabled
Screen flickering
When you use PowerPoint 2010 in a Windows Server 2003 terminal server session that is connected
through a third-party client, such as a Citrix ICA client, the screen flickers.
This can occur when you run Windows Presentation Foundation (WPF) applications in the terminal
server session.
For information about the cause and resolution of this problem, see Microsoft Knowledge Base article
955692: Your screen flickers when you start WPF applications in a Windows Server 2003 terminal
server session (http://go.microsoft.com/fwlink/?LinkId=184709&clcid=0x409).
The following Office 2010 features are either disabled or the default is set to absent on Remote
Desktop Session Host server configurations.
TSDisabled: OutlookVBScript
TSAbsent: PPTSoundFiles
See Also
Plan to deploy Office 2010 in a Remote Desktop Services (Terminal Services) environment
Plan for accessibility in Office 2010
The Accessibility Checker in Microsoft Office 2010 lets users create more accessible documents for
people who have disabilities. The Accessibility Checker (like a spelling checker, but for accessibility
issues) is a core feature of Microsoft Excel 2010, Microsoft PowerPoint 2010, and Microsoft Word 2010.
In this article:
Increase the visibility of violations
Control what the checker reports
Important:
Group Policy settings can be used to control the Accessibility Checker. For Excel 2010,
PowerPoint 2010, and Word 2010, the Group Policy settings are located in the gpedit node
<AppName>\File tab\Check Accessibility.
Group Policy settings for Excel 2010
Setting (associated registry key): Description
Stop checking for alt text accessibility information (AltText): If enabled, the Accessibility Checker
does not verify whether objects such as images and shapes contain alternative text. If disabled or not
configured, objects are checked for alternative text and issues found appear in the Accessibility
Checker.
Stop checking for table header accessibility information (TableHeaders): If enabled, the Accessibility
Checker does not verify whether tables have a header row specified. If disabled or not configured,
tables are checked for header rows and issues found appear in the Accessibility Checker.
Stop checking to ensure workbooks allow programmatic access (ProgrammaticAccess): If enabled, the
Accessibility Checker does not check whether workbooks have blocked programmatic access through
Digital Rights Management (DRM). If disabled or not configured, workbooks are checked for
programmatic access and issues found appear in the Accessibility Checker.
Stop checking for merged cells (MergedCells): If enabled, the Accessibility Checker does not check
whether tables have merged cells. If disabled or not configured, worksheets are checked for merged
cells and issues found appear in the Accessibility Checker.
Stop checking to ensure hyperlink text is meaningful (MeaningfulHyperlinks): If enabled, the
Accessibility Checker does not check whether hyperlinks have meaningful text. If disabled or not
configured, hyperlink text is checked and issues found appear in the Accessibility Checker.
Stop checking to ensure non-default sheet names (SheetNames): If enabled, the Accessibility Checker
does not check whether worksheets with content have non-default names. If disabled or not
configured, worksheet names are checked and issues found appear in the Accessibility Checker.
Stop checking for blank table rows used as formatting (BlankTableRows): If enabled, the Accessibility
Checker does not check whether blank table rows are used as formatting. If disabled or not
configured, tables are checked for blank rows and issues found appear in the Accessibility Checker.
Group Policy settings for PowerPoint 2010
Setting (associated registry key): Description
Stop checking for alt text accessibility information (AltText): If enabled, the Accessibility Checker
does not verify whether objects such as images and shapes contain alt text. If disabled or not
configured, objects are checked for alternative text and issues found appear in the Accessibility
Checker.
Stop checking to ensure hyperlink text is meaningful (HyperlinkText): If enabled, the Accessibility
Checker does not check whether hyperlinks have meaningful text. If disabled or not configured,
hyperlink text is checked and issues found appear in the Accessibility Checker.
Stop checking for media files which might need captions (ClosedCaptions): If enabled, the
Accessibility Checker does not flag media files that might need caption information. If disabled or not
configured, presentations are scanned for media files and issues found appear in the Accessibility
Checker.
Stop checking for table header accessibility information (HeaderRow): If enabled, the Accessibility
Checker does not verify whether tables have a header row specified. If disabled or not configured,
tables are checked for header rows and issues found appear in the Accessibility Checker.
Stop checking for blank table rows and columns (BlankRowCol): If enabled, the Accessibility Checker
does not verify whether blank rows and blank columns have been inserted into tables. If disabled or
not configured, tables are checked for blank rows and blank columns and issues found appear in the
Accessibility Checker.
Stop checking for merged and split cells (SimpleStructure): If enabled, the Accessibility Checker does
not verify whether tables have merged or split cells. If disabled or not configured, tables are checked
for merged and split cells and issues found appear in the Accessibility Checker.
Stop checking that slide titles exist (HasTitle): If enabled, the Accessibility Checker does not verify
whether every slide has a title placeholder. If disabled or not configured, slides are checked for titles
and issues found appear in the Accessibility Checker.
Stop checking to ensure each slide has a unique title (UniqueTitle): If enabled, the Accessibility
Checker does not verify whether every slide has a unique title. If disabled or not configured, slide
titles are checked for uniqueness and issues found appear in the Accessibility Checker.
Stop checking to ensure a meaningful order of objects on slides (NonPlaceholderShapes): If enabled,
the Accessibility Checker does not check whether a slide has non-placeholder objects which might be
read back out of order. If disabled or not configured, slides are checked for objects which might be
read back out of order and issues found appear in the Accessibility Checker.
Stop checking to ensure presentations allow programmatic access (IRM): If enabled, the Accessibility
Checker does not check whether presentations have blocked programmatic access through DRM. If
disabled or not configured, presentations are checked for programmatic access and issues found
appear in the Accessibility Checker.
Group Policy settings for Word 2010
Setting (associated registry key): Description
Stop checking for alt text accessibility information (AltText): If enabled, the Accessibility Checker
does not verify whether objects such as images and shapes contain alt text. If disabled or not
configured, objects are checked for alternative text and issues found appear in the Accessibility
Checker.
Stop checking for table header accessibility information (TableHeaders): If enabled, the Accessibility
Checker does not verify whether tables have a header row specified. If disabled or not configured,
tables are checked for header rows and issues found appear in the Accessibility Checker.
Stop checking for blank table rows and columns (BlankTableCells): If enabled, the Accessibility
Checker does not verify whether blank rows and blank columns have been inserted into tables. If
disabled or not configured, tables are checked for blank rows and blank columns and issues found
appear in the Accessibility Checker.
Stop checking for merged and split cells (2DTableStructure): If enabled, the Accessibility Checker
does not verify whether tables have merged or split cells. If disabled or not configured, tables are
checked for merged and split cells and issues found appear in the Accessibility Checker.
Stop checking whether objects are floating (FloatingObjects): If enabled, the Accessibility Checker
does not check whether a document has objects that are floating instead of inline. If disabled or not
configured, objects are checked for floating text wrapping properties and issues found appear in the
Accessibility Checker.
Stop checking whether blank characters are used for formatting (BlankCharacters): If enabled, the
Accessibility Checker does not check whether multiple consecutive white-space characters are used
for formatting. If disabled or not configured, documents are checked for consecutive white-space
usage and issues found appear in the Accessibility Checker.
Stop checking for image watermarks (ImageWatermarks): If enabled, the Accessibility Checker does
not check whether a document has image watermarks. If disabled or not configured, documents are
checked for watermarks and issues found appear in the Accessibility Checker.
Stop checking for tables used for layout (LayoutTablesReadingOrder): If enabled, the Accessibility
Checker does not flag layout tables (that is, tables that have no style applied). If disabled or not
configured, tables that have no styles are flagged and violations appear in the Accessibility Checker.
See Also
Accessibility Investments and Document Accessibility (blog)
(http://blogs.technet.com/office2010/archive/2010/01/07/office-2010-accessibility-investments-
document-accessibility.aspx)
Accessibility and the Ribbon (http://go.microsoft.com/fwlink/?LinkId=188457)
Plan for volume activation of Office 2010
Microsoft policy requires the activation of all editions of Microsoft Office 2010 client software, including
Volume License editions. For Office 2010, volume activation takes place through Office Activation
Technologies, which is based on the Software Protection Platform (SPP) used in Windows Vista and
Windows Server 2008.
In this section:
Article: Volume activation overview for Office 2010
Description: Provides an overview of Microsoft Volume Licensing and Office Activation Technologies
for Office 2010.
Article: Plan volume activation of Office 2010
Description: Describes how to plan for volume activation by using Office Activation Technologies.
Article: Plan MAK independent activation of Office 2010
Description: Describes how to plan for a deployment of Office 2010 by using Multiple Activation Key
(MAK) independent activation.
Article: Plan MAK proxy activation of Office 2010
Description: Describes how to plan for a deployment of Office 2010 by using MAK proxy activation.
Article: Plan KMS activation of Office 2010
Description: Describes how to plan for a deployment of Office 2010 by using Key Management
Service (KMS) activation.
Article: Scenario: Core network - KMS activation of Office 2010
Description: Describes how to plan KMS activation in a core network for volume activation of Office
2010.
Article: Scenario: Secure network - KMS or MAK activation of Office 2010
Description: Describes how to plan KMS or MAK activation in a secure network for volume activation
of Office 2010.
Article: Scenario: Roaming or disconnected computers - KMS or MAK activation of Office 2010
Description: Describes how to plan KMS or MAK activation for roaming or disconnected computers
for volume activation of Office 2010.
Article: Scenario: Test or development lab - KMS or MAK activation of Office 2010
Description: Describes how to plan KMS or MAK activation in a test or development lab network for
volume activation of Office 2010.
Article: FAQ: Volume activation of Office 2010
Description: Provides answers to frequently asked questions (FAQ) about the various aspects of
volume activation of Office 2010.
See Also
Volume activation quick start guide for Office 2010 (http://technet.microsoft.com/library/dbff777c-3a2d-
4d8e-a7be-6c45900c73c2(Office.14).aspx)
Deploy volume activation of Office 2010 (http://technet.microsoft.com/library/b418501a-eb83-4991-
8ea9-b18e7309e060(Office.14).aspx)
Volume activation overview for Office 2010
Microsoft includes product activation technologies in the following products sold through the Volume
Licensing channel: Windows 7, Windows Vista, Windows Server 2008 R2, Windows Server 2008, and
now Microsoft Office 2010 client products. Activation establishes a relationship between the software's
product key and a particular installation of that software on a device. This article provides an overview
of volume licensing and the two kinds of volume activation that are available.
In this article:
Volume Licensing overview
Office Activation Technologies
Changes in activation policy
Activation for the 2007 Microsoft Office system was required only for Microsoft software purchased from
retail stores and OEMs. Product keys entered in Microsoft Office Enterprise 2007 bypassed activation.
For Office 2010, the activation method uses Office Activation Technologies, based on the Software
Protection Platform introduced in Windows Vista and Windows Server 2008.
Microsoft policy requires the activation of all editions of Office 2010 client software. This includes those
obtained through the Volume Licensing program. This requirement applies to Office 2010 running on
both physical computers and virtual computers. Activation is not required for any Office 2010 server
products, such as Microsoft SharePoint Server 2010 and Microsoft Project Server 2010, or any version
of Microsoft Exchange Server.
Privacy
All methods of activation used by Microsoft are designed to help protect user privacy. The data that is
collected is used to confirm that you have a legally licensed copy of the software. It is then aggregated
for statistical analysis. Microsoft does not use this information to identify you or contact you.
You can use the following methods to activate Office 2010 by using Office Activation Technologies,
which are the same methods that are used for Windows Vista, Windows Server 2008, and later
versions of Windows. The kind of product key entered determines the activation method:
Key Management Service (KMS): A computer serves as the KMS host, which requires an Office
2010 KMS host key to be installed and activated. This establishes a local activation service in your
environment. Office 2010 client computers connect to the local KMS host for activation.
Multiple Activation Key (MAK): With a MAK key, Office 2010 client computers activate online by
using the Microsoft hosted activation servers or by telephone.
A combination of KMS and MAK: For example, desktop computers that are running Office 2010
will have the KMS client key installed, whereas portable computers that are running Office 2010 will
have the MAK key installed.
To learn about which volume activation method to use, see Plan volume activation of Office 2010.
Important:
The Office 2010 KMS host key is not specific to the operating system. It is designed to be used
on any of the operating systems that were mentioned earlier, including both 32-bit and 64-bit
editions.
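Because the installed key, not any configuration setting, decides whether a client goes to the KMS host or to Microsoft, a mixed KMS/MAK estate is easiest to audit by reading the licensing state back from each client. The following script is an added example, not code from the Resource Kit or from Office. It queries the OfficeSoftwareProtectionProduct WMI class that the ospp.vbs script shipped with Office 2010 uses; the property names (Name, Description, LicenseStatus, PartialProductKey, GracePeriodRemaining) and the channel strings VOLUME_KMSCLIENT and VOLUME_MAK in Description are taken from that script's behaviour and should be confirmed on your build before relying on them.

```powershell
# Added example, not part of the Office 2010 Resource Kit.
# Assumptions: the OfficeSoftwareProtectionProduct WMI class and the property
# names used here are the ones the Office 2010 ospp.vbs script queries, and the
# Description string names the channel (for example VOLUME_KMSCLIENT or VOLUME_MAK).

# SPP license status codes, with the meanings ospp.vbs /dstatus reports.
$LicenseStatusNames = @{
    0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'Out-of-box grace'
    3 = 'Out-of-tolerance grace'; 4 = 'Non-genuine grace'
    5 = 'Notification'; 6 = 'Extended grace'
}

function Get-ActivationChannel {
    # Classifies a product from its license Description. Kept free of WMI so it
    # can be checked against captured strings.
    param([string]$Description)
    if ($Description -match 'KMSCLIENT') { return 'KMS client' }
    if ($Description -match 'MAK')       { return 'MAK' }
    return 'Other'
}

function Get-OfficeActivationInventory {
    # One record per Office 2010 product that actually has a product key installed;
    # entries without PartialProductKey are unused license definitions.
    Get-WmiObject -Class OfficeSoftwareProtectionProduct |
        Where-Object { $_.PartialProductKey } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name          = $_.Name
                Channel       = Get-ActivationChannel -Description $_.Description
                Status        = $LicenseStatusNames[[int]$_.LicenseStatus]
                KeyEndsWith   = $_.PartialProductKey
                GraceDaysLeft = [math]::Floor($_.GracePeriodRemaining / 1440)   # WMI reports minutes
            }
        }
}

function Get-PendingKmsClients {
    # KMS-channel products that are not yet licensed. Remember the KMS activation
    # threshold: Office 2010 clients activate only after five or more have
    # contacted the KMS host, so a handful of pilot machines can sit here legitimately.
    Get-OfficeActivationInventory |
        Where-Object { $_.Channel -eq 'KMS client' -and $_.Status -ne 'Licensed' }
}

Get-OfficeActivationInventory | Format-Table Name, Channel, Status, KeyEndsWith, GraceDaysLeft -AutoSize
Get-PendingKmsClients | ForEach-Object {
    Write-Warning ("{0} is on the KMS channel but is {1}" -f $_.Name, $_.Status)
}
```

Run it on a sample of desktops and portables before rollout: a portable computer reporting the KMS client channel will not activate once it leaves the network, and a desktop on the MAK channel consumes one of the MAK's activation allowances needlessly. Only the last five characters of the key are exposed, which is all an inventory needs.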
Multiple Activation Key (MAK)
A unique MAK key is given to an organization for each Volume License edition of Office 2010. Each
computer must then activate one time with the Microsoft hosted activation services. Associated with
each key is a count of the number of activations. For example, a MAK key for an Office 2010 product
that has 100 activations allows the organization to install the key on 100 computers and activate each
one.
MAK is appropriate for organizations with computers that are not connected to the corporate network
for long periods of time, such as portable computers. For this to work, a MAK key must be installed
instead of the default KMS client key that is used in Volume License editions of Office 2010. There are
two ways to activate computers by using MAK. The first method is MAK independent activation, which
requires that each computer independently connect and activate with Microsoft, either over the Internet
or by telephone.
The second method is MAK Proxy activation, which is performed by using the Volume Activation
Management Tool (VAMT) 2.0 (http://go.microsoft.com/fwlink/?LinkId=183042). VAMT 2.0 supports
Office 2010 MAK proxy activation. By using this method, a computer collects activation information from
multiple computers on the network and then sends a centralized activation request on their behalf. In
this setup, the VAMT 2.0 console is the only computer that connects to Microsoft hosted servers. For
more information, see Plan a MAK activation in Plan volume activation of Office 2010.
With MAK activation, there is no requirement to periodically renew activation. You must reactivate if
significant hardware changes (such as replacing the hard disk drive) are detected or you re-install the
operating system. Each reactivation will decrement the number of activations associated with the key. If
you save and reapply the confirmation ID from the MAK proxy activation through VAMT 2.0, you can
reactivate the same computer without decrementing the number of activations associated with the key,
because no connection with Microsoft is made. In addition, you must request more activation
allowances when the number of activations passes the predetermined limit. You also have to manage
the installation of MAK keys and you might have to manually activate systems by using a telephone
when no Internet connection is available.
Note:
Only VAMT 2.0 and later versions can support Office 2010.
See Also
Plan volume activation of Office 2010
Deploy volume activation of Office 2010 (http://technet.microsoft.com/library/b418501a-eb83-4991-
8ea9-b18e7309e060(Office.14).aspx)
Tools to configure client computers in Office 2010 (http://technet.microsoft.com/library/1825df76-7e23-
459b-a6c1-224dd6eab81e(Office.14).aspx)
Troubleshoot volume activation for Office 2010 (http://technet.microsoft.com/library/976fc06b-faed-
4682-b41f-4a19d8eb3302(Office.14).aspx)
Office 2010 Volume Activation forum (http://go.microsoft.com/fwlink/?LinkId=180346)
Office 2010 forums (http://go.microsoft.com/fwlink/?LinkId=180345)
Plan volume activation of Office 2010
This article describes how to plan the testing for Office Activation Technologies. Before you read this
article, we recommend that you read Volume activation overview for Office 2010. We also highly
recommend that you read the Windows Volume Activation Planning Guide
(http://go.microsoft.com/fwlink/?LinkId=183040).
In this article:
Plan a deployment
Review activation methods
Plan a KMS deployment
Plan a MAK activation
Plan a deployment
If you are planning a Windows deployment of Windows Vista, Windows Server 2008, Windows 7, or
Windows Server 2008 R2, you will probably have the same considerations for Windows as for Microsoft
Office 2010. To help determine which activation method to use for Windows (Key Management Service
(KMS), Multiple Activation Key (MAK), or both), see the Windows Volume Activation Planning
Guide (http://go.microsoft.com/fwlink/?LinkId=183040). Most likely, Office 2010 will use the same
method.
A volume activation deployment includes the following steps:
1. Learn about product activation.
2. Review available activation models.
3. Evaluate client connectivity.
4. Map the physical computer or virtual machine to an activation method.
5. Determine product key needs.
6. Determine monitoring and reporting needs.
Most of the information is covered in the Windows Volume Activation Planning Guide
(http://go.microsoft.com/fwlink/?LinkId=183040). This article provides an overview of the technology.
When you plan for Office Activation Technologies, think about the following information:
The KMS activation threshold for Office 2010 is five computers. This means that Office 2010 client
computers will become activated only after five or more client computers have requested activation.
There is no need to enter a product key for Office 2010 KMS clients. You only need to enter a KMS
host key on your KMS host computer.
If you decide to use MAK, enter the product key either through the Office Customization Tool (OCT)
or the Config.xml file. After Office 2010 installation, the product key can be changed by using the
Volume Activation Management Tool (VAMT) 2.0 or the Office Software Protection Platform script
(ospp.vbs). For more information about ospp.vbs, see Tools to configure client computers in Office
2010 (http://technet.microsoft.com/library/1825df76-7e23-459b-a6c1-224dd6eab81e(Office.14).aspx).
For a visual representation of the volume activation methods for Office 2010 and typical network
scenarios, see Volume Activation of Microsoft Office 2010
(http://go.microsoft.com/fwlink/?LinkId=188811).
Key Management Service (KMS)
KMS is a server-client model in which a computer serves as the KMS host. KMS activation requires
TCP/IP connectivity. By default, KMS hosts use DNS to publish the KMS service, and client computers
connect to the KMS host for activation by using anonymous remote procedure calls (RPCs) through
TCP communications port 1688, which is the default port number when you enable the firewall on a
KMS host. You can use the default settings, which require little or no administrative action, or manually
configure KMS hosts and clients based on network configuration and security requirements.
To be licensed, the KMS client must be activated. The following table describes the license state of the
Office 2010 KMS client with respect to activation.
Licensed: By default, the KMS client attempts activation with the KMS host one time every seven
days. (The number of days is configurable.) This design allows the maximum possible time for the
client to be in the licensed state. Once the KMS client is successfully activated, it remains in the
licensed state for 180 days. When in the licensed state, users do not see any notification dialog boxes
prompting them to activate. After 180 days, the activation attempt process resumes. If activation is
continually successful, the entire activation experience is transparent to the end-user.
Out-of-tolerance: If activation does not occur during the 180-day period, Office 2010 goes into the
out-of-tolerance state for 30 days. Users then see notifications requesting activation.
Unlicensed notification: If activation does not occur during the out-of-tolerance state, Office 2010 goes
into the unlicensed notification state. Users then see notifications requesting activation and a red title
bar.
The KMS host must be installed with a KMS host key and activated before accepting KMS activation
requests from KMS clients. For information about how to set up a KMS host, see Prepare and configure
the KMS host (http://technet.microsoft.com/library/b418501a-eb83-4991-8ea9-b18e7309e060.aspx#section2)
in Deploy volume activation of Office 2010
(http://technet.microsoft.com/library/b418501a-eb83-4991-8ea9-b18e7309e060(Office.14).aspx).
Important
The KMS host key for Office 2010 is not specific to a particular operating system. It is designed
to be used on any of the operating systems supported as an Office 2010 KMS host, including
both 32-bit and 64-bit editions:
dynamic updates are not available or if the KMS host does not have permissions to publish the RRs,
you must publish the DNS records manually or configure client computers to connect to specific KMS
hosts. This might require changing permissions on DNS to let more than one KMS host publish SRV
records.
Note:
DNS changes might take time to propagate to all DNS hosts, depending on the complexity and
topology of the network.
KMS activation renewal
KMS activations are valid for 180 days. This is called the activation validity interval. To remain
activated, KMS clients must renew their activation by connecting to the KMS host at least one time
every 180 days. By default, KMS client computers attempt to renew their activation every seven days.
After a client's activation is renewed, the activation validity interval begins again.
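As an added example (not part of the Resource Kit content), the following PowerShell models the three KMS client license states from the table earlier in this section together with the 180-day activation validity interval and the default seven-day renewal attempts described here, so that you can reason about how long a roaming client stays licensed. The function and parameter names and the sample reachability data are this example's own.

```powershell
# Added example, not from the Office 2010 Resource Kit: a model of the KMS client
# license states (licensed for 180 days after a successful activation, then
# out-of-tolerance for 30 days, then unlicensed notification) and of the default
# seven-day renewal attempts. All names here are this example's own.

function Get-SuccessfulRenewalDays {
    # Per the article, the client attempts renewal every 7 days (configurable);
    # in this model an attempt succeeds only on a day the KMS host is reachable.
    param(
        [int[]] $HostReachableDays,      # constructed: days the client can reach a KMS host
        [int]   $LastDay,
        [int]   $RenewalIntervalDays = 7
    )
    $successes = @()
    for ($attempt = 0; $attempt -le $LastDay; $attempt += $RenewalIntervalDays) {
        if ($HostReachableDays -contains $attempt) { $successes += $attempt }
    }
    return $successes
}

function Get-KmsClientLicenseState {
    param(
        # Days on which the client successfully activated or renewed (day 0 = first activation).
        [Parameter(Mandatory=$true)] [int[]] $SuccessfulRenewalDays,
        [Parameter(Mandatory=$true)] [int]   $Day,
        [int] $ActivationValidityDays = 180,   # activation validity interval (article)
        [int] $OutOfToleranceDays     = 30     # out-of-tolerance window (article)
    )
    $past = @($SuccessfulRenewalDays | Where-Object { $_ -le $Day } | Sort-Object)
    if ($past.Count -eq 0) {
        # Before the first activation the client is in its initial grace period,
        # which is outside the three states of the table.
        return 'Not yet activated'
    }
    $sinceRenewal = $Day - $past[-1]   # every successful renewal restarts the interval
    if ($sinceRenewal -lt $ActivationValidityDays) {
        return 'Licensed'               # no activation prompts are shown to the user
    }
    if ($sinceRenewal -lt ($ActivationValidityDays + $OutOfToleranceDays)) {
        return 'Out-of-tolerance'       # notifications requesting activation
    }
    return 'Unlicensed notification'    # notifications plus a red title bar
}

function Get-KmsClientTimeline {
    # Reports the state on each requested day for a given renewal history.
    param([int[]] $SuccessfulRenewalDays, [int[]] $DaysToReport)
    foreach ($d in $DaysToReport) {
        $past = @($SuccessfulRenewalDays | Where-Object { $_ -le $d } | Sort-Object)
        $since = if ($past.Count -gt 0) { $d - $past[-1] } else { $null }
        New-Object PSObject -Property @{
            Day              = $d
            DaysSinceRenewal = $since
            State            = Get-KmsClientLicenseState -SuccessfulRenewalDays $SuccessfulRenewalDays -Day $d
        }
    }
}

# Constructed scenario: a laptop is on the corporate network for days 0 to 20,
# then leaves and never reaches a KMS host again. Renewals succeed on days 0, 7 and 14.
$renewals = @(Get-SuccessfulRenewalDays -HostReachableDays (0..20) -LastDay 300)
Get-KmsClientTimeline -SuccessfulRenewalDays $renewals -DaysToReport 10, 100, 193, 194, 224, 300 |
    Format-Table Day, DaysSinceRenewal, State -AutoSize

# Self-check of the boundaries relative to the last renewal on day 14:
# day 193 = 179 days (still licensed), day 194 = 180 days (out-of-tolerance),
# day 224 = 210 days (unlicensed notification).
if ((Get-KmsClientLicenseState $renewals 193) -ne 'Licensed')                { throw 'boundary error' }
if ((Get-KmsClientLicenseState $renewals 194) -ne 'Out-of-tolerance')        { throw 'boundary error' }
if ((Get-KmsClientLicenseState $renewals 224) -ne 'Unlicensed notification') { throw 'boundary error' }
```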
Use KMS for computers that are running Windows and Office 2010 client products
When you use KMS to activate computers that are running both Windows and Office 2010, you have
the following options for Office 2010:
Use the same KMS host on a computer that is running Windows Server 2003, Volume License
editions of Windows 7, or Windows Server 2008 R2 (recommended).
Use separate KMS hosts for computers that are running Windows and Office 2010.
Important:
If you already have a KMS host that is set up to activate Windows products, you still have to
install the Office 2010 KMS host license files, enter the Office 2010 KMS host key, and activate
the key. To do this, go to the Microsoft Office 2010 KMS Host License Pack
(http://go.microsoft.com/fwlink/?LinkID=169244) Web site, and then download and run
KeyManagementServiceHost.exe.
The operating systems supported as an Office 2010 KMS host are as follows:
Windows Server 2008 R2
Volume editions of Windows 7
Windows Server 2003
If you are already using a computer that is running as your Windows KMS host and you want to co-host
the Office 2010 KMS host, follow the steps in Prepare and configure the KMS host
(http://technet.microsoft.com/library/b418501a-eb83-4991-8ea9-b18e7309e060.aspx#section2) in
Deploy volume activation of Office 2010 (http://technet.microsoft.com/library/b418501a-eb83-4991-8ea9-b18e7309e060(Office.14).aspx).
MAK independent activation is best suited for computers in an organization that do not maintain a
connection to the corporate network.
MAK Proxy Activation by using VAMT 2.0: This enables a centralized activation request on
behalf of multiple computers that have one connection to Microsoft. MAK Proxy activation is
configured by using VAMT 2.0. MAK Proxy activation is appropriate for environments in which
security concerns might restrict direct access to the Internet or the corporate network. It is also
suited for development and test labs that do not have this connectivity.
MAK architecture
MAK activation requires that a MAK key is installed on a client computer and instructs that computer to
activate itself against Microsoft hosted activation servers over the Internet. In MAK Proxy activation, a
MAK key must be installed on the client computer by any of the methods previously described. VAMT
2.0 obtains the installation ID (IID) from the target computer, sends the IID to Microsoft on behalf of the
client, and obtains a confirmation ID (CID). The tool then activates the client by installing the CID. The
CID is saved and can be used later, for example, to activate test computers that have been re-imaged
after 90 days.
VAMT 2.0
VAMT 2.0 is a Microsoft Management Console (MMC) snap-in that allows a graphical user interface
(GUI) to easily manage Windows and Office 2010 client products with volume license keys installed.
You may specify a group of products to activate by using Active Directory Domain Services (AD DS),
workgroup names, IP addresses, computer names, or a generic LDAP query. Only VAMT 2.0 and later
versions support Office 2010 in addition to Windows.
VAMT 2.0 enables you to easily transition computers between MAK and KMS activation methods by
clicking the target computer and installing the appropriate key.
VAMT 2.0 also enables you to trigger activation on a remote computer. If the target computer has a
MAK key installed, that computer sends an activation request to the Microsoft activation servers. If a
KMS client key is installed, the target computer sends an activation request to the KMS host.
The tool also supports the collection of activation requests from several computers and then sends
them to Microsoft hosted activation servers in bulk. This is called MAK proxy activation through VAMT
2.0, and the target computers must have MAK keys installed. For proxy activation only, VAMT
distributes the activation confirmation codes from Microsoft hosted activation servers to the computers
that requested activation. Because VAMT also stores these confirmation codes locally, it can reactivate
a previously activated computer after it is reimaged without having to contact Microsoft.
Windows Server 2008 R2 to act as a single KMS host that responds to both Windows and Office 2010
KMS client activation requests. This works as long as the appropriate Office 2010 KMS host licenses
are installed and a valid KMS host key is installed, and the key is activated against Microsoft hosted
activation servers. You can install Office 2010 KMS host licenses by running the Microsoft Office 2010
KMS Host License Pack (http://go.microsoft.com/fwlink/?LinkID=169244).
Important:
KMS hosts that were set up by using the Office 2010 Beta release cannot be used to activate
client computers that are running the final released version of Office 2010. To activate these
client computers, you can either run the release version of Microsoft Office 2010 KMS Host
License Pack (http://go.microsoft.com/fwlink/?LinkID=169244) and enter the KMS host key on
the same KMS host, or set up a new KMS server only for activating the final release version of
Office 2010.
does not use SRV RRs, you can manually assign a KMS client to use a specific KMS host by
configuring the following registry key:
HKLM\Software\Microsoft\OfficeSoftwareProtectionPlatform
The KMS host name is specified by KeyManagementServiceName (REG_SZ), and the port is specified
by KeyManagementServicePort (REG_SZ). These registry keys can also be set through the ospp.vbs
script. For more information about ospp.vbs, see Tools to configure client computers in Office 2010
(http://technet.microsoft.com/library/1825df76-7e23-459b-a6c1-224dd6eab81e(Office.14).aspx).
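As an added example (not part of the Resource Kit content), this PowerShell pins an Office 2010 KMS client to a specific host through the registry values named above, reads the configuration back, and checks whether the host answers on the KMS port; the function names and the host name kms01.corp.example are assumptions, and the script must run elevated on the client.

```powershell
# Added example, not from the Office 2010 Resource Kit: pin an Office 2010 KMS
# client to a specific KMS host via the registry key named in the article, then
# verify the values and test TCP reachability of the KMS port. Run elevated on
# the client. The host name used at the bottom is a constructed placeholder.

$KmsRegPath = 'HKLM:\Software\Microsoft\OfficeSoftwareProtectionPlatform'

function Set-OfficeKmsHost {
    param(
        [Parameter(Mandatory=$true)] [string] $HostName,
        [int] $Port = 1688          # default KMS port from the article
    )
    if (-not (Test-Path $KmsRegPath)) { New-Item -Path $KmsRegPath -Force | Out-Null }
    # Both values are REG_SZ per the article, so the port is written as a string.
    # The equivalent ospp.vbs options are /sethst:<host> and /setprt:<port>.
    Set-ItemProperty -Path $KmsRegPath -Name 'KeyManagementServiceName' -Value $HostName -Type String
    Set-ItemProperty -Path $KmsRegPath -Name 'KeyManagementServicePort' -Value "$Port"   -Type String
}

function Get-OfficeKmsHost {
    # Returns the pinned host (or $null when the client relies on DNS SRV discovery)
    # and the effective port.
    $props = Get-ItemProperty -Path $KmsRegPath -ErrorAction SilentlyContinue
    $port = if ($props -and $props.KeyManagementServicePort) { [int]$props.KeyManagementServicePort } else { 1688 }
    $name = if ($props) { $props.KeyManagementServiceName } else { $null }
    New-Object PSObject -Property @{ HostName = $name; Port = $port }
}

function Test-KmsPort {
    # TcpClient rather than Test-NetConnection so this also works on the
    # PowerShell 2.0 that ships with Windows 7.
    param([string] $HostName, [int] $Port = 1688, [int] $TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Usage with a placeholder host: pin, read back, and check reachability before
# triggering activation with ospp.vbs /act.
Set-OfficeKmsHost -HostName 'kms01.corp.example' -Port 1688
$cfg = Get-OfficeKmsHost
"Office KMS client pinned to $($cfg.HostName):$($cfg.Port)"
if (Test-KmsPort -HostName $cfg.HostName -Port $cfg.Port) {
    "TCP $($cfg.Port) on $($cfg.HostName) is reachable"
} else {
    "Cannot reach $($cfg.HostName) on TCP $($cfg.Port); check the firewall rule for RPC over TCP port 1688"
}
```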
See Also
Volume activation overview for Office 2010
Deploy volume activation of Office 2010 (http://technet.microsoft.com/library/b418501a-eb83-4991-8ea9-b18e7309e060(Office.14).aspx)
Tools to configure client computers in Office 2010 (http://technet.microsoft.com/library/1825df76-7e23-459b-a6c1-224dd6eab81e(Office.14).aspx)
Troubleshoot volume activation for Office 2010 (http://technet.microsoft.com/library/976fc06b-faed-4682-b41f-4a19d8eb3302(Office.14).aspx)
Plan KMS activation of Office 2010
Plan MAK independent activation of Office 2010
Plan MAK proxy activation of Office 2010
Office 2010 Volume Activation forum (http://go.microsoft.com/fwlink/?LinkId=180346)
Office 2010 forums (http://go.microsoft.com/fwlink/?LinkId=180345)
Plan MAK independent activation of Office 2010
You are required to activate your deployment of Volume License editions of Microsoft Office 2010. This
includes Microsoft Office Professional Plus 2010, Microsoft Project 2010, and Microsoft Visio 2010.
Activation reduces the possibility of deploying counterfeit software, which can include malware, viruses,
and other security risks.
In this article:
Overview of MAK independent activation
Plan and assess the Office 2010 environment and configuration
Obtain the product keys
MAK independent activation steps
VAMT management steps
Architecture Fabrikam sales office example
Architecture Contoso small organization example
To assess the system requirements for Office 2010, see System requirements for Office 2010
(http://technet.microsoft.com/library/399026a3-007c-405a-a377-da7b0f7bf9de(Office.14).aspx).
Note:
For examples of scenarios that require KMS activation combined with MAK activation, see
Scenario: Secure network - KMS or MAK activation of Office 2010, Scenario: Roaming or
disconnected computers - KMS or MAK activation of Office 2010, and Scenario: Test or
development lab - KMS or MAK activation of Office 2010.
See Also
Plan MAK proxy activation of Office 2010
Plan KMS activation of Office 2010
Plan volume activation of Office 2010
Deploy volume activation of Office 2010 (http://technet.microsoft.com/library/b418501a-eb83-4991-8ea9-b18e7309e060(Office.14).aspx)
Volume Activation Management Tool (http://go.microsoft.com/fwlink/?LinkId=183042)
Volume Licensing Service Center (http://go.microsoft.com/fwlink/?LinkId=184280)
Plan MAK proxy activation of Office 2010
You are required to activate your deployment of Volume License editions of Microsoft Office 2010. This
includes Microsoft Office Professional Plus 2010, Microsoft Project 2010, and Microsoft Visio 2010.
Activation reduces the possibility of deploying counterfeit software, which can include malware, viruses,
and other security risks.
In this article:
Overview of MAK proxy activation
Plan and assess the Office 2010 environment and configuration
Obtain the product keys
MAK proxy activation steps
VAMT management steps
Architecture Contoso medium organization example
To assess the system requirements for Office 2010, see System requirements for Office 2010
(http://technet.microsoft.com/library/399026a3-007c-405a-a377-da7b0f7bf9de(Office.14).aspx).
To configure each computer for MAK activation, see Customize Office 2010
(http://technet.microsoft.com/library/a33e64b0-46a5-45e5-b76f-3add595af8de(Office.14).aspx).
Follow the relevant procedure to configure Office 2010 by using the Office Customization Tool
(OCT), the Config.xml file, or the Microsoft Office Backstage view.
Important:
You must provide administrator permissions for the selected computer.
Note:
If you have 6 to 49 computers in a department or group that are not connected to the corporate
network, we recommend that you follow the MAK activation recommendations in this article.
If you have five or fewer computers in a department or group that are not connected to the
corporate network, we recommend that you use MAK independent activation for each
computer. For more information, see Plan MAK independent activation of Office 2010.
If you increase the number of computers to 50 or more, we recommend that you use KMS
activation as the activation method for all computers that can connect to a KMS host server.
For more information, see Plan KMS activation of Office 2010. Any other computers can
activate with MAK by the methods previously described.
Note:
For examples of scenarios that require KMS activation combined with MAK activation, see
Scenario: Secure network - KMS or MAK activation of Office 2010, Scenario: Roaming or
disconnected computers - KMS or MAK activation of Office 2010, and Scenario: Test or
development lab - KMS or MAK activation of Office 2010.
See Also
Plan MAK independent activation of Office 2010
Plan KMS activation of Office 2010
Plan volume activation of Office 2010
Deploy volume activation of Office 2010 (http://technet.microsoft.com/library/b418501a-eb83-4991-8ea9-b18e7309e060(Office.14).aspx)
Volume Activation Management Tool (http://go.microsoft.com/fwlink/?LinkId=183042)
Volume Licensing Service Center (http://go.microsoft.com/fwlink/?LinkId=184280)
Plan KMS activation of Office 2010
You are required to activate your deployment of Volume License editions of Microsoft Office 2010. This
includes Microsoft Office Professional Plus 2010, Microsoft Project 2010, and Microsoft Visio 2010.
Activation reduces the possibility of deploying counterfeit software, which can include malware, viruses,
and other security risks.
In this article:
Overview of KMS activation
Plan and assess the Office 2010 environment and configuration
Obtain the product keys
KMS activation steps
VAMT management steps
Architecture Contoso medium to large organization example
Note:
At least five computers must request activation from the KMS host before KMS clients can
become activated. All KMS clients must connect to the KMS host at least one time every 180
days to reactivate.
Obtain the product keys
To obtain the KMS host product key for Office 2010, register on the Volume Licensing Service Center
(VLSC) (http://go.microsoft.com/fwlink/?LinkId=184280) Web site. For the KMS clients, the product
keys are preinstalled.
Note:
For an example of a scenario that requires KMS activation, see Scenario: Core network - KMS
activation of Office 2010. For examples of scenarios that require KMS activation combined with
MAK activation, see Scenario: Secure network - KMS or MAK activation of Office 2010,
Scenario: Roaming or disconnected computers - KMS or MAK activation of Office 2010, and
Scenario: Test or development lab - KMS or MAK activation of Office 2010.
See Also
Plan MAK independent activation of Office 2010
Plan MAK proxy activation of Office 2010
Plan volume activation of Office 2010
Deploy volume activation of Office 2010 (http://technet.microsoft.com/library/b418501a-eb83-4991-8ea9-b18e7309e060(Office.14).aspx)
Volume Activation Management Tool (http://go.microsoft.com/fwlink/?LinkId=183042)
Volume Licensing Service Center (http://go.microsoft.com/fwlink/?LinkId=184280)
Scenario: Core network - KMS activation of Office 2010
This article contains a more complex volume activation scenario than the examples described in Plan
KMS activation of Office 2010, Plan MAK proxy activation of Office 2010, and Plan MAK independent
activation of Office 2010. The activation method recommended for this scenario is determined by using
one or more of the activation methods, Key Management Service (KMS) and Multiple Activation Key
(MAK), described in these articles.
For information about the KMS activation method, see Plan KMS activation of Office 2010.
Considerations
When you use KMS activation of Office 2010 in the core network, consider the following factors:
The number of KMS hosts should be kept to a minimum. One KMS host key can activate up to six
KMS hosts, and each KMS host can activate many KMS clients.
A KMS host can be activated by telephone or through the Internet.
Each KMS host operates independently from other KMS hosts.
Each KMS host must ensure that more than five KMS clients request activation in a 30-day period
to maintain the KMS client activation threshold.
See Also
Plan KMS activation of Office 2010
Plan MAK proxy activation of Office 2010
Plan MAK independent activation of Office 2010
Plan volume activation of Office 2010
Deploy volume activation of Office 2010 (http://technet.microsoft.com/library/b418501a-eb83-4991-8ea9-b18e7309e060(Office.14).aspx)
Scenario: Secure network - KMS or MAK activation of Office 2010
This article contains a more complex volume activation scenario than the examples described in Plan
KMS activation of Office 2010, Plan MAK proxy activation of Office 2010, and Plan MAK independent
activation of Office 2010. The activation method recommended for this scenario is determined by using
one or more of the activation methods, Key Management Service (KMS) and Multiple Activation Key
(MAK), described in these articles.
Secure network
If your organization has a secure network (for example, a branch office network or an extranet behind
a firewall), we recommend the guidelines shown in the following table for both KMS and MAK
activation of Microsoft Office 2010.
The firewall can be opened to access the core network: Use Plan KMS activation of Office 2010
through a KMS host within the core network.
Policy prevents the firewall from being opened: With more than 50 computers, use Plan KMS activation
of Office 2010 through a local KMS host set up within the secure network. With fewer than 50
computers, use Plan MAK independent activation of Office 2010 or Plan MAK proxy activation of
Office 2010.
For information about the KMS activation method, see Plan KMS activation of Office 2010.
For information about the MAK proxy activation method, see Plan MAK proxy activation of Office 2010.
For information about the MAK independent activation method, see Plan MAK independent activation of
Office 2010.
Considerations
When you prepare a secure network for volume activation of Office 2010, consider the following factors:
The firewall should be configured as RPC over TCP and use TCP port 1688.
The configuration of the client computer firewall can be initiated by the client computer.
See Also
Plan KMS activation of Office 2010
Plan MAK proxy activation of Office 2010
Plan MAK independent activation of Office 2010
Plan volume activation of Office 2010
Deploy volume activation of Office 2010 (http://technet.microsoft.com/library/b418501a-eb83-4991-8ea9-b18e7309e060(Office.14).aspx)
Scenario: Roaming or disconnected computers - KMS or MAK activation of Office 2010
This article contains a more complex volume activation scenario than the examples described in Plan
KMS activation of Office 2010, Plan MAK proxy activation of Office 2010, and Plan MAK independent
activation of Office 2010. The activation method recommended for this scenario is determined by using
one or more of the activation methods, Key Management Service (KMS) and Multiple Activation Key
(MAK), described in these articles.
Network setup and recommended activation method:
Computers with Internet access that never connect to the core network: Plan MAK independent
activation of Office 2010 through the Internet.
Networks that cannot connect to the core network: If five or more computers (the KMS activation
threshold) require activation, use Plan KMS activation of Office 2010 as follows: small organization,
1 KMS host; medium organization, 1 or more KMS hosts; large organization (enterprise), 2 or more
KMS hosts. If fewer than five computers require activation, use Plan MAK independent activation of
Office 2010 or Plan MAK proxy activation of Office 2010 (through VAMT
(http://go.microsoft.com/fwlink/?LinkId=183042)).
Computers that periodically connect to the core network directly or through a VPN: Plan KMS
activation of Office 2010 through the KMS hosts in the core network.
For information about the KMS activation method, see Plan KMS activation of Office 2010.
For information about the MAK proxy activation method, see Plan MAK proxy activation of Office 2010.
For information about the MAK independent activation method, see Plan MAK independent activation of
Office 2010.
Considerations
When you prepare roaming or disconnected networks and computers for volume activation of Office
2010, consider the following factors:
There might be restricted environments or networks that cannot connect to other networks.
A KMS host can be activated, and then moved to a disconnected network.
Both KMS host activation and MAK independent activation can be done by telephone.
MAK proxy activation is performed through VAMT.
See Also
Plan KMS activation of Office 2010
Plan MAK proxy activation of Office 2010
Plan MAK independent activation of Office 2010
Plan volume activation of Office 2010
Deploy volume activation of Office 2010 (http://technet.microsoft.com/library/b418501a-eb83-4991-8ea9-b18e7309e060(Office.14).aspx)
Scenario: Test or development lab - KMS or MAK activation of Office 2010
This article contains a more complex volume activation scenario than the examples described in Plan
KMS activation of Office 2010, Plan MAK proxy activation of Office 2010, and Plan MAK independent
activation of Office 2010. The activation method recommended for this scenario is determined by using
one or more of the activation methods, Key Management Service (KMS) and Multiple Activation Key
(MAK), described in these articles.
Five or more computers that require activation (the KMS activation threshold): Plan KMS activation of
Office 2010 through a single KMS host.
Note:
You can set up a KMS host for each network that has five or more computers to activate.
Fewer than five computers that require activation:
1. If computers are re-imaged within 90 days, no activation is necessary. Simply reset the 25-day
grace period as required. See Rearm the Office 2010 installation
(http://technet.microsoft.com/library/b418501a-eb83-4991-8ea9-b18e7309e060.aspx#section4) in
Deploy volume activation of Office 2010
(http://technet.microsoft.com/library/b418501a-eb83-4991-8ea9-b18e7309e060(Office.14).aspx).
2. Otherwise, activate with Plan MAK proxy activation of Office 2010 by using the saved confirmation
ID (CID). For more information, see MAK architecture in Plan volume activation of Office 2010.
For information about the KMS activation method, see Plan KMS activation of Office 2010.
For information about the MAK proxy activation method, see Plan MAK proxy activation of Office 2010.
For information about the MAK independent activation method, see Plan MAK independent activation of
Office 2010.
Considerations
When you prepare a test or development lab network for volume activation of Office 2010, consider the
following factors:
There are generally fewer computers in a lab network than there are in the production network.
A lab network configuration can vary from setup to setup, and the activation method (KMS, MAK
proxy, MAK independent) can also vary.
If you have more than one lab network, each lab network requires its own activation method.
See Also
Plan KMS activation of Office 2010
Plan MAK proxy activation of Office 2010
Plan MAK independent activation of Office 2010
Plan volume activation of Office 2010
Deploy volume activation of Office 2010 (http://technet.microsoft.com/library/b418501a-eb83-4991-8ea9-b18e7309e060(Office.14).aspx)
FAQ: Volume activation of Office 2010
The following frequently asked questions (FAQ) provide information about various aspects of volume
activation of Microsoft Office 2010.
In this article:
Volume Activation FAQ overview
Key Management Service (KMS) FAQ
Multiple Activation Key (MAK) FAQ
Volume Activation Management Tool (VAMT) FAQ
Product Keys FAQ
As part of the installation, it is important to plan and manage deployment of any product that uses
volume activation (for example, Windows 7, Windows Server 2008 and Windows Vista). Read the
documents and review the videos before you start deployment in your organization. You can find all
Office 2010, Project 2010, and Visio 2010 resources at the Volume Activation for Office 2010 Resource
Center (http://go.microsoft.com/fwlink/?LinkId=189005).
How are volume activation for Office 2010 and volume activation for Windows associated?
Office 2010 has adopted the Software Protection Platform (SPP) introduced with Windows Vista and
Windows Server 2008, and the SPP is also used with Windows 7 and Windows Server 2008 R2. Office
2010 client products must be activated either by KMS or MAK.
How does volume activation help Microsoft customers?
Volume activation is useful to customers for the following reasons:
Reliability: Studies have shown that the process of downloading counterfeit software often results
in the introduction of other malicious code, such as keystroke loggers and Trojan horses, which can
put the security of the user and the ecosystem at risk. Volume activation helps reduce that risk and
provides better reliability and stability.
Supportability: Software versions that are validated as Office genuine and activated receive the
full range of support offered by Microsoft.
License compliance: Volume activation tools help determine which software is installed and
activated, which reduces the risk of software being out of compliance.
Is volume activation connected to licensing?
Activation is connected to licensing. However, activation is not license enforcement. There is no change
to existing Volume Licensing agreements or programs. Keys and corresponding activation limits (MAK
only) depend on the specific Volume Licensing agreement that the user has. Microsoft uses the
information collected during activation to confirm that the user has a licensed copy of the software, and
the information is aggregated for statistical analysis. Microsoft does not use the information to identify
or contact customers.
Can an Office activated installation be rearmed?
No. A Microsoft Office-activated installation cannot be rearmed at present.
Are there any changes specific to volume activation regarding Office 2010, Project 2010, and
Visio 2010?
Volume activation changes are available in the following areas:
Only one Office 2010 KMS client key is required to be installed and used for activation. The Office
2010 KMS client key activates any version of Office 2010 suites, Office 2010 applications, Project
2010, and Visio 2010.
Office 2010 has a specific MAK for each product version; for example: Office 2010 Standard MAK,
Word 2010 MAK, Visio 2010 MAK, and so on.
For more information, see the Volume Activation for Office 2010 Resource Center
(http://go.microsoft.com/fwlink/?LinkId=189005).
Are there any changes specific to volume activation regarding Windows 7 and Windows Server
2008 R2?
Volume activation is applicable to the following areas:
Activation of virtual computers.
Using a Windows Server 2008 R2 KMS key and Windows 7 KMS key for earlier versions of the
products.
Deployment improvements and improvements in performance, product key management, and
reporting.
Inclusion of Office 2010, Project 2010, and Visio 2010 on the same activation platform as
Windows Vista, Windows Server 2003, and Windows Server 2008.
For more information, see Windows Volume Activation (http://go.microsoft.com/fwlink/?LinkId=184668).
Choose a key based on the following:
A KMS host activated with a Windows 7 KMS key activates Windows Vista and Windows 7 KMS
clients.
A KMS host activated with a Windows Vista KMS key activates Windows Vista KMS clients.
Windows Vista can also use MAK.
If you want to downgrade to Windows XP, you must use only the Windows XP Professional key.
If a child company (owned by a parent company) has an individual agreement, can the
parent company use the same key (such as a Windows Server 2008 Standard/Enterprise R2
KMS key) to deploy Windows 7 and Windows Server 2008 R2 across both companies?
Although they can choose to do so, customers do not have to use keys provided under a specific
Licensing ID (agreement, enrollment, affiliate, or license) with the licenses specified under that
Licensing ID. Customers have this flexibility so that they can centrally manage their deployment/image.
They can choose to use keys specific to agreements/licenses or one set of keys for all.
What if we do not activate our computers?
Activation is designed to provide a transparent activation experience for users. If activation does not
occur within the grace period provided (usually 30 days), Windows or Office 2010 transitions into
notification mode. During notification mode for Windows, the user sees activation reminders during
logon. In Windows 7, for example, the user sees a notification in the Action Center
(http://go.microsoft.com/fwlink/?LinkId=189038), and the desktop background is set to black.
What is the difference between Reduced Functionality Mode and Notification mode?
Under Reduced Functionality Mode (applies to retail only), the application can only be accessed under
a restrictive mode with constrained capabilities when it is not properly activated within the grace period
of 30 days. It is important to note that all volume customers have no reduced functionality and only
experience regular notifications beyond the grace period. Notification mode (applies to all volume
systems running Office 2010) is a licensing state in which the user receives clear, recurring reminders
about activation if activation is not completed within the grace period.
What if customers are a victim of counterfeit software or license non-compliance?
Microsoft provides various licensing options known as Get Genuine legalization offers.
Can I use my Volume License Keys to exercise my reimaging rights?
Yes. Reimaging rights are granted to all Microsoft Volume Licensing customers. Under these rights,
customers can reimage original equipment manufacturer (OEM), or full packaged product (FPP)
licensed copies by using media provided under their Volume Licensing agreement, as long as copies
made from the Volume Licensing media are identical to the originally licensed product.
As a Volume Licensing customer, the Volume License keys that you need can be found on the Product
Key page. You can also request your keys through the Activation Call Centers. For a list of call centers,
see Volume Licensing Service Center (http://go.microsoft.com/fwlink/?LinkId=184280). If you are an
Open License customer, you must purchase at least one unit of the product that you want to reimage to
obtain access to the product media and receive a key.
For more information, see Re-imaging Rights in About Licensing
(http://go.microsoft.com/fwlink/?LinkId=154939).
With a VPN connection, how long do I have to activate?
The reminder is every two hours. Once activated, the reminder changes to every seven days. These
are default settings that can be customized through ospp.vbs. Mobile users on the VPN can activate
manually either by launching an Office 2010 application to send the activation request or by running
ospp.vbs /act.
On a remote computer, how do I remove the red bar in the application?
Connect through the VPN, and then activate as described in the previous answer.
Can I set Group Policy for Windows Management Instrumentation (WMI)?
Yes. Through Group Policy, you can open up the firewall to allow WMI.
Can activation information be pulled through System Center Configuration Manager (SCCM)?
Yes.
Does sysprep automatically rearm Office 2010?
No. At present, sysprep does not have this capability.
What if I do not rearm before imaging?
Imaged computers are then recognized as the same computer. The request counter does not
increment, and the computers do not activate.
What about Token Activation?
Token activation can be used with Office 2010 for specific highly secure customers.
KMS requires a minimum number of physical or virtual computers in a network environment. You must
have at least five computers to activate computers running Windows Server 2008 or Windows Server
2008 R2, at least 25 computers to activate computers running Windows Vista or Windows 7, and at
least 5 computers running Office 2010, Project 2010, and Visio 2010. These minimums, known as
activation thresholds, are set so that they can easily be met by enterprise customers.
For more information about activation thresholds, see Windows Volume Activation
(http://go.microsoft.com/fwlink/?LinkId=184668). For Office 2010, Project 2010, and Visio 2010, see
Volume activation quick start guide for Office 2010
(http://technet.microsoft.com/library/dbff777c-3a2d-4d8e-a7be-6c45900c73c2(Office.14).aspx) and
Volume activation overview for Office 2010.
A KMS key is used to activate only the KMS host with a Microsoft activation server. A KMS key can
activate up to six KMS hosts with 10 activations per host. Each host can activate an unlimited number
of computers. If you need to activate more than six KMS hosts, contact your Volume Licensing Service
Center (http://go.microsoft.com/fwlink/?LinkId=184280), and state why you must increase the activation
limit.
Warning:
For more details about product activation, see Windows Volume Activation
(http://go.microsoft.com/fwlink/?LinkId=184668) and Volume Activation for Office 2010
Resource Center (http://go.microsoft.com/fwlink/?LinkId=189005).
I have installed part of the Office 2010 suite that requires KMS. What is the impact on
functionality?
There is no impact as long as the installation follows all the outlined steps.
Can the Office 2010 KMS license and key install on Windows 7 and Windows Server 2008 R2?
Yes.
Are there separate KMS host keys for Office 2010?
One KMS Host key can activate all Office 2010 client products.
My organization's KMS host computer was activated by using a Windows Server 2008 KMS key.
Can I use that same computer as a host to deploy Windows Server 2008 R2?
Existing KMS hosts installed on Windows Server 2003, Windows Server 2008, or Windows Vista must
be updated to support activation of Windows 7 and Windows Server 2008 R2 in addition to Office 2010,
Project 2010, and Visio 2010. This update is available through Windows Server Update Services
(WSUS) (http://go.microsoft.com/fwlink/?LinkId=151433), the Microsoft Download Center
(http://go.microsoft.com/fwlink/?LinkId=189018), and Windows Volume Activation
(http://go.microsoft.com/fwlink/?LinkId=184668). After installing the update, you can install the Windows
Server 2008 R2 KMS key on the host and activate.
Can you use these activation tools to true-up?
Activation itself is not intended to assist customers in correcting licensing.
Activation is not linked to true-up. There is no automated way to do true-up by using KMS host or
Volume Activation Management Tool (VAMT) (http://go.microsoft.com/fwlink/?LinkId=183042).
Neither the KMS host nor VAMT is intended as a reporting tool. However, a user who uses Microsoft
System Center can use it to keep a count of activations.
Can I run the slmgr.vbs script in Safe Mode?
No. Activation information is unavailable in Safe Mode.
What if a computer is in a test lab or is disconnected?
If a test lab has enough physical and virtual computers to meet the KMS threshold, the system
administrator can deploy KMS to activate Microsoft Office 2010 client installations in the lab. The
KMS host can be activated by telephone.
If a computer has occasional connectivity to the Internet, the Office client installation can activate
with Microsoft directly by using MAK through the Internet or by telephone.
If the computer has no network connectivity, it can be activated by telephone, or through MAK
Proxy activation by using VAMT.
Why is the Office 2010 KMS host supported only on Windows Server 2003, Windows 7, and
Windows Server 2008 R2?
Microsoft made the decision based on the release cycle of Office 2010. Office 2010 ships after
Windows 7 ships. Microsoft anticipates that most customers will upgrade from Windows Server 2003 to
Windows Server 2008 R2. Microsoft believes Windows Server 2008 R2 will replace Windows Server
2008 in the channel after release, so it will be the most recent version that customers receive.
For the Office 2010 KMS host, why is Windows Server 2008 not supported?
Windows Server 2003 originally did not have a KMS service, so it was easy to add the KMS service to
it. Windows Server 2008 has a code base that is different from Windows 7 and Windows Server 2008
R2. Supporting Windows Server 2008 for the Office 2010 KMS host requires a complete overhaul of the
code, which is not cost-effective.
Why can Windows Server 2008 R2 and Windows 7 be activated simply by patching Windows
Server 2008?
This patch contains license files that recognize the new KMS host key to activate Windows Server 2008
R2 and Windows 7. No change to the KMS service is required.
What if my configuration won't allow me to upgrade my Windows Server 2008 computer? Is
there any other alternative for setting up an Office 2010 KMS host?
You can set up a Windows Server 2003, Windows 7, or Windows Server 2008 R2 virtual machine on
the Windows Server 2008 computer, and then set up the Office 2010 KMS host on the virtual machine.
What does the error "The KMS host cannot be activated" mean?
It means that the KMS host key threshold is surpassed. There are several possible sources for this
error:
KMS host for Office 2010 can be set up only on one of the following servers: Windows Server 2003,
Windows Server 2008 R2 and Windows 7. Using another operating system causes this error to
appear.
For Windows Server 2003, install KMS host version 1.2 (version 1.1 does not count virtual
computers into the threshold). Follow the instructions specified in Microsoft Knowledge Base article
968915: An update is available that installs Key Management Service (KMS) 1.2 for Windows
Server 2003 Service Pack 2 (SP2) and for later versions of Windows Server 2003
(http://go.microsoft.com/fwlink/?LinkId=183046).
Not enough computers to reach the threshold for the KMS host to activate.
The KMS client configuration is incorrect.
How do I enable the firewall for KMS host activation?
Make sure that the TCP communications port number is set to the default of 1688.
If I suspect that my KMS host key is leaked, can it be blocked from further activations?
Yes, you can work with Microsoft to block a KMS host key. For more information contact your Activation
Call Center. For a list of call centers, see Volume Licensing Service Center
(http://go.microsoft.com/fwlink/?LinkId=184280).
What does a count of -1 mean?
A count of -1 means that no clients have contacted the KMS host.
Can I expose my KMS host to the Internet so my outside users can activate against it?
You are responsible for both the use of keys assigned to you and the activation of Office 2010 clients
through your KMS hosts. You should not disclose keys to non-Microsoft parties, and you must not
provide unsecured access to your KMS over an uncontrolled network such as the Internet.
What provisions are available for KMS host failover?
Multiple KMS hosts can be registered in DNS SRV resource records. If one KMS host is down, the KMS
client computer will choose another from the list. If direct registration is used on the KMS Office client,
you can use round-robin DNS or network load-balancing mechanisms (software or hardware) to
increase KMS host availability.
Do I have to back up the KMS service data?
You do not have to back up KMS service data. However, if you want a record of KMS activations, you
could keep the Key Management Service log on the Applications and Services Logs folder to preserve
activation history.
If a KMS host fails, how do I restore a backup KMS host?
You merely replace the failed KMS host with a new KMS host that uses the same configuration and
ensure that the SRV resource record of the new KMS host is added to DNS if you are using DNS
auto-discovery. The old SRV record is eventually deleted if record scavenging is implemented for DNS,
or you can delete it manually. The new KMS host then starts to collect renewal requests, and KMS
clients begin to activate as soon as the KMS activation threshold is met.
When routine cleanup of event logs is performed, is there a risk of losing the activation history
stored in the event log?
Yes. If you use a cleanup tool, consider exporting data from the Key Management Service log in the
Applications and Services Logs folder to archive activation history. You do not have to do this if you
use the Operations Manager KMS Management Pack updated for Office. This Management Pack
collects event log data and stores it in the Operations Data Warehouse for reporting.
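One way to preserve the activation history before a routine log cleanup, as an added example that is not part of the Office 2010 Resource Kit: it archives the KMS host's Key Management Service log to an .evtx file with wevtutil and writes a CSV summary of activation requests. It assumes a Windows Server 2008 R2 or Windows 7 KMS host (Get-WinEvent is not available on Windows Server 2003), that event ID 12290 is the KMS activation request event, and that its message carries a comma-separated "Info:" string whose first field is the result code and third field the client FQDN.

```powershell
# Added example, not from the Office 2010 Resource Kit. Run elevated on the KMS host.
# Assumption: event 12290 = "KMS activation request", message "... Info: code,min,clientFQDN,..."
function Export-KmsActivationHistory {
    param(
        [string]$ArchiveDir = 'C:\KmsArchive',            # assumed archive location
        [string]$LogName    = 'Key Management Service'
    )
    if (-not (Test-Path $ArchiveDir)) {
        New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $evtx  = Join-Path $ArchiveDir "kms-$stamp.evtx"
    $csv   = Join-Path $ArchiveDir "kms-requests-$stamp.csv"

    # 1. Lossless copy of the whole log (wevtutil epl = export log). Stop here if it
    #    fails, because the cleanup that follows would destroy the only copy.
    & wevtutil.exe epl $LogName $evtx
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $evtx)) {
        throw "Export of '$LogName' to $evtx failed; do not clear the log."
    }

    # 2. Readable summary of activation requests, read back from the archive so the
    #    summary matches exactly what was saved.
    $rows = Get-WinEvent -Path $evtx -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 12290 } |
        ForEach-Object {
            $info = ($_.Message -split 'Info:\s*', 2)[-1]   # assumed message layout
            $f    = $info -split ','
            New-Object PSObject -Property @{
                Time       = $_.TimeCreated
                ResultCode = $f[0]                           # 0x0 = request accepted
                Client     = $f[2]                           # requesting client FQDN
            }
        }
    $rows | Select-Object Time, ResultCode, Client |
        Export-Csv -Path $csv -NoTypeInformation

    # 3. Requests per client, most active first, so an operator can see who renews.
    $rows | Group-Object Client | Sort-Object Count -Descending |
        Select-Object @{ n = 'Client'; e = { $_.Name } }, Count
}

Export-KmsActivationHistory
```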
Many organizations block all ActiveX as a security measure. Does volume activation use
ActiveX in the same manner as Genuine Validation does?
Volume activation does not use ActiveX. It uses WMI properties and methods. These are described in
Appendix 1 of the Volume Activation 2.0 Operations Guide, which you can download on the Volume
Activation 2.0 Technical Guidance (http://go.microsoft.com/fwlink/?LinkId=190472) page.
How do I respond to "Activation server determined that Specific Product key could not be used"
when activating the KMS host with the KMS key?
This message can be caused by any of the following:
KMS host key has more than six activations (the maximum is six activations).
Commands were not run correctly during activation of the KMS host.
KMS host key was leaked and the activations are used up (see first bullet).
I have deployed Microsoft Office 2010 clients but the KMS host did not receive activation
requests. Where do I go to check my current status of activation requests on the client-side?
On the client computer, go to the Microsoft Office Backstage view for any Office 2010 application. Click
the application name, and the status is displayed in the upper-right corner.
Where do I go to check my current status of activation requests on the server side?
On the server side, use slmgr.vbs to check activation requests. For more information, see Configure the
Office 2010 KMS host
(http://technet.microsoft.com/library/b418501a-eb83-4991-8ea9-b18e7309e060.aspx#section6) in
Deploy volume activation of Office 2010
(http://technet.microsoft.com/library/b418501a-eb83-4991-8ea9-b18e7309e060(Office.14).aspx).
We have to see servers by either name or IP. Is there a command or a way to see which servers
are activated using the KMS?
The following command shows you a list of KMS hosts that are registered in DNS and available to
provide activation to clients: nslookup -type=srv _vlmcs._tcp
On the client side, slmgr.vbs /dlv provides all the information.
On the KMS host, you can monitor the KMS events or you can use Microsoft System Center
Operations Manager.
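The checks described in the KMS failover, firewall, and status questions above, as an added example that is not part of the Office 2010 Resource Kit: it runs the same SRV lookup as the nslookup command and parses it, tests that each published KMS host answers on its TCP port (1688 by default), and reads the local Office 2010 products' activation state from WMI, which the FAQ says volume activation uses instead of ActiveX. It assumes a domain-joined client using DNS auto-discovery, and that the OfficeSoftwareProtectionProduct property names match those read by ospp.vbs /dstatus.

```powershell
# Added example, not from the Office 2010 Resource Kit. Run elevated on an Office 2010 client.
function Get-KmsHostsFromDns {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $lines = & nslookup.exe -type=srv "_vlmcs._tcp.$Domain" 2>$null
    $hosts = @(); $rec = @{}
    foreach ($line in $lines) {
        # nslookup prints priority, weight, port, then "svr hostname" for each SRV record
        if     ($line -match '^\s*priority\s*=\s*(\d+)')   { $rec = @{ Priority = [int]$matches[1] } }
        elseif ($line -match '^\s*port\s*=\s*(\d+)')       { $rec.Port = [int]$matches[1] }
        elseif ($line -match 'svr hostname\s*=\s*(\S+)') {
            $rec.Host = $matches[1]
            $hosts += New-Object PSObject -Property $rec
        }
    }
    return $hosts
}

function Test-KmsPort {
    # Plain TCP connect with a timeout; a closed or filtered 1688 is the usual firewall fault
    param([string]$HostName, [int]$Port = 1688, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Get-OfficeLicenseState {
    # LicenseStatus codes of the Software Protection Platform
    $state = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'Initial grace'; 3 = 'Additional grace';
                4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }
    Get-WmiObject -Namespace root\cimv2 -Class OfficeSoftwareProtectionProduct |
        Where-Object { $_.PartialProductKey } |            # only products with a key installed
        ForEach-Object {
            $kms = $_.KeyManagementServiceMachine           # assumed: host set by ospp.vbs /sethst
            if (-not $kms) { $kms = $_.DiscoveredKeyManagementServiceMachineName }  # from DNS
            New-Object PSObject -Property @{
                Product   = $_.Name
                Status    = $state[[int]$_.LicenseStatus]
                GraceDays = [math]::Floor($_.GracePeriodRemaining / 1440)  # minutes to days
                KmsHost   = $kms
                KmsPort   = $_.KeyManagementServicePort
            }
        }
}

# Usage: list the published hosts with reachability, then the local activation state
foreach ($h in Get-KmsHostsFromDns) {
    $ok = Test-KmsPort -HostName $h.Host -Port $h.Port
    '{0}:{1} reachable={2}' -f $h.Host, $h.Port, $ok
}
Get-OfficeLicenseState | Format-Table Product, Status, GraceDays, KmsHost, KmsPort -AutoSize
```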
Note:
Each MAK has a predetermined number of allowed activations, based on your Volume
Licensing agreement. To increase your MAK activation limit, contact the Volume Licensing
Service Center (http://go.microsoft.com/fwlink/?LinkId=184280).
MAK independent activation Each computer individually connects to Microsoft through the
Internet or telephone to complete activation.
MAK proxy activation MAK proxy activation uses VAMT
(http://go.microsoft.com/fwlink/?LinkId=183042), which is part of the Windows Automated
Installation Kit (http://go.microsoft.com/fwlink/?LinkId=180604) for Windows 7. One centralized
activation request is made on behalf of multiple computers by using one connection to Microsoft
online or by telephone. This method enables IT professionals to automate and centrally manage
the MAK volume activation process.
Can I use both MAK and KMS keys for deployment across my organization?
Yes. KMS, MAK, or both can be used to activate volume licensed Windows and Office 2010 computers.
My organization plans to use our MAKs to activate most of our computers. The amount of
activations provided by our MAKs does not match the number of licenses that we have
purchased. Why don't the activations match our licenses purchased, and what do I need to do to
request more activations?
There are many benefits to using KMS as the preferred activation method, and most customers choose
to do so. Using KMS as the primary method of activation is one reason that we do not match the
number of licenses and activations on a MAK, because the MAK might not be used. Microsoft looked at
many factors to determine the number of activations associated with each MAK. These include licenses
purchased, the customer purchase pricing level, and the Volume Licensing program.
For Open License customers, we look at the number of licenses they have and usually give them more
than what might be needed to ensure activations are available for scenarios such as reactivations and
virtual machine (VM) licensing rights. For example, if a customer purchases between 1-25 licenses,
they can get 50 activations on their MAK. For Select, Enterprise Agreement, Campus Agreement,
School Agreement, and SPLA, we look at the pricing levels (A, B, C, D) and give a specific amount of
activations for each level based on the general amount of licenses purchased for each level. We also
consider that KMS is the most common activation method to use.
To increase your MAK activation limit, contact the Volume Licensing Service Center
(http://go.microsoft.com/fwlink/?LinkId=184280).
I want to reimage Windows 7 Professional by using MAK activation rather than KMS. What if I
don't have enough MAK activations to do so?
First, check how many activations are associated with the Windows 7 MAK by going to the product key
page, or by using VAMT (http://go.microsoft.com/fwlink/?LinkId=183042), which is part of the Windows
Automated Installation Kit (http://go.microsoft.com/fwlink/?LinkId=180604) for Windows 7.
To increase your MAK activation limit, contact the Volume Licensing Service Center
(http://go.microsoft.com/fwlink/?LinkId=184280).
How do customers get a MAK activation limit revised?
Customers can check their MAK allocation limit, check remaining activations on the keys, and request
to increase the activation limit by contacting the Volume Licensing Service Center
(http://go.microsoft.com/fwlink/?LinkId=184280).
Why is a key with a 250-activation limit not given to someone with a Volume Licensing
agreement that contains 49 licenses? Will they not activate more than their license allows for?
MAK limits on keys are specific to the programs - Open and Select, as shown in the following table.
For example, Open_MAK_50 means that key has 50 activations.
Open             Select
Open_MAK_50      Select_MAK_500
Open_MAK_100     Select_MAK_1000
Open_MAK_250     Select_MAK_2500
Open_MAK_500     Select_MAK_5000
Open_MAK_750
Open_MAK_1000
Therefore, a customer who has up to 35 licenses could have an Open_MAK_50 key, for example,
which enables them to install and activate 35 computers. However, if one hard disk fails and it is
replaced, that computer must be reactivated.
What happens when a customer receives a MAK key and creates a single installation image?
How is the upper limit of the MAK key accounted for?
For example, if a customer is using an Open_MAK_50 key, the system administrator creates an image,
and users can install the image on a large number of computers. During this phase, the piracy solution
has not yet triggered, and the MAK upper limit has not been reached. The MAK upper limit is reached
when these computers try to activate by using Microsoft Activation services. Computers 1 through 50
successfully activate, but with computer 51, activation fails and the remaining computers receive
Unlicensed Notifications.
Is there a time limit on how long a MAK activation remains activated?
No. The MAK activation is permanent.
Will MAK-activated clients ever be required to activate through KMS?
No, but if you want to reactivate the MAK-activated clients through KMS after setting up a KMS host,
you simply change the client product key.
What do I do if I use up all of my MAK activations?
Contact Microsoft and explain the situation. You will be provided additional activations (under
reasonable circumstances).
During setup, what if I want to transition from MAK to KMS?
You can do either of the following:
Wait to activate when the number of Office 2010 clients is above the KMS activation threshold.
Activate the first few Office 2010 clients by using MAK, and then change the client product keys to
KMS when the number of clients is above the KMS activation threshold.
Volume Activation Management Tool (VAMT) FAQ
The Volume Activation Management Tool (VAMT) enables IT professionals to automate and centrally
manage the volume activation process.
Will VAMT install on any Windows operating system?
Yes.
Will VAMT install on any computer, not necessarily on a KMS host?
Yes. VAMT is primarily used for MAK activation, but can be used to monitor KMS activations.
If I want to MAK activate a certain number of computers through VAMT, can I configure the
computers to detect the VAMT automatically?
Computers cannot detect VAMT. VAMT is simply a tool that allows you to manage the MAK activation
of one or more computers. For more information, see Plan volume activation of Office 2010.
The Error Code Lookup tool does not show the content of an error returned by VAMT on
Windows XP or Windows Server 2003.
Volume Activation 2.0 errors are native to Microsoft Windows Vista operating system and Windows
Server 2008 operating systems. VAMT relies on the operating system to provide descriptive text for
some error codes. This text is not available for Windows XP or Windows Server 2003 systems. To look
up the text associated with such error codes, install VAMT on a computer that is running Microsoft
Windows Vista operating system, or run SLUI 0x2A <error_code> at a command prompt on a
computer that is running Microsoft Windows Vista operating system.
Does VAMT require Internet access to function?
Certain operations available in VAMT require Internet access. These include retrieving the remaining
MAK activations count, and the retrieve confirmation ID (CID) step in MAK Proxy activation. However,
most VAMT operations do not require Internet access.
Is the CID saved for image activation?
Yes.
When changing out a hard drive or re-imaging, can I use the MAK CID?
Yes, through VAMT. Hardware changes are not an issue with KMS. Be aware that changing out the
hard drive most likely can cause hardware drift and a need for reactivation.
Does VAMT need to be activated?
No.
Can I run VAMT on a virtual computer?
Yes.
What customer problem are we solving with the Volume Activation Management Tool in a MAK
scenario? Is this not similar to KMS, if we have an activation with a customer hosted VAMT in a
MAK scenario?
MAK activation occurs directly with Microsoft Hosted Activation Services in which a user enters the
key in the Office 2010 user interface. The rationale for using VAMT is that it provides convenience
to the system administrator so that the MAK can be applied to multiple computers at the same time,
instead of having to apply the MAK on each computer one at a time.
VAMT can also perform proxy activation for Office 2010 installations that do not have Internet
connectivity.
The difference with KMS is that without a KMS host, KMS clients cannot be activated. VAMT is not
comparable to KMS and is a way to deploy MAKs to individual Office 2010 clients. KMS manages
activations on the customer's network without administrative overhead beyond the initial setup.
Download fulfillment For products obtained by download, the setup key is provided with the
download.
For products that are available for download from the Volume Licensing Service Center
(http://go.microsoft.com/fwlink/?LinkId=184280), the setup key is provided on the download screen
and might be accompanied by the following text: "Some products available for download require
setup keys. Please take note of this setup key as it will be needed during product installation."
Call the appropriate Microsoft Activation Centers Worldwide Telephone Numbers
(http://go.microsoft.com/fwlink/?LinkId=182952) to obtain the setup keys that you need. You will be
asked to provide Volume Licensing agreement information and proof of purchase.
Are product keys required for all Volume Licensing products?
No, not all products require a product key. To view the list of products that require a Volume License
product key, see Product Activation and Key Information
(http://go.microsoft.com/fwlink/?LinkId=110471).
How do I respond to "Invalid Volume License Key", "Use a different type of key", or "Invalid
key for activation"?
These messages can be caused by either of the following:
The administrator tries to install a KMS Host key on a KMS client.
Mismatch between SKU and key.
How does Microsoft determine which product keys are associated with my agreement?
Volume License product keys are provided for each Licensing ID listed in the Microsoft Relationship
Summary. You can have several Licensing IDs. For more information about the Licensing ID and the
Relationship Summary, see Frequently Asked Questions Overview
(http://go.microsoft.com/fwlink/?LinkId=189254).
Enterprise Agreement (EA) customers receive all applicable Volume License keys for available
products.
Select Agreement customers receive keys per product pool (systems, servers, applications) based
on their purchasing forecasts.
Select Plus Agreement customers receive all applicable Volume License key for available products.
Open License and Open Value customers receive applicable keys based on their license purchase.
For more information about reimaging and downgrade, see Re-imaging Rights in About Licensing
(http://go.microsoft.com/fwlink/?LinkId=154939). EA, Select, and Select Plus customers are also
provided with evaluation rights and limited software copies for training and backup.
How do I know which key should be used?
For Windows products, see the video, Fundamentals of Volume Activation
(http://go.microsoft.com/fwlink/?LinkId=150087). For Office 2010, Visio 2010, and Project 2010, see the
video, Volume Activation for Office 2010 Products at the Volume activation for Office 2010 Resource
Center (http://go.microsoft.com/fwlink/?LinkId=189005).
See Also
Plan for volume activation of Office 2010
Configure and deploy volume activation of Office 2010
(http://technet.microsoft.com/library/0327f69a-b908-4a72-bbc2-9be13e359115(Office.14).aspx)
Office 2010 Volume Activation forum (http://go.microsoft.com/fwlink/?LinkId=180346)