Disabling Suggested Replies in Outlook (Win32) with Proactive Remediations


Suggested Replies is a feature which is easily configured for individuals or the entire organization for Outlook for the web and the new Outlook client using Exchange Online PowerShell. For the Win32 Outlook client, it's a different story. There are no cloud policies, Intune settings templates or ADMX files to configure this feature. It is on by default for new accounts added to Outlook (Win32). In the following, I will describe my solution to disable Suggested Replies at scale.

Analysis

Suggested Replies in Outlook options (German)

The Suggested Replies feature is controlled by a registry value, which is created for each account configured in Outlook.

HKCU:\Software\Microsoft\Office\Outlook\Settings\Data

The value we are looking for is UPN_EnableSuggestedReplies, for example moritz@loebmann.tech_EnableSuggestedReplies. It's a string that looks like this:

{"name":"EnableSuggestedReplies","itemClass":"","id":"","scope":"moritz@loebmann.tech","parentSetting":"","secondaryKey":"","status":"UNKNOWN","type":"Bool","timestamp":0,"metadata":"","value":"true","isFirstSync":"true","source":"UserOverride"}

The relevant part of the string is "value":"true". If the value is changed to "false" and Outlook (Win32) is restarted, Suggested Replies is disabled for that specific account.

Disabled Suggested Replies in Outlook options (German)

My Solution

How do I disable this at scale? I chose to configure this feature using proactive remediations, an Intune feature, part of Endpoint analytics and hidden in the Reports section in the Microsoft Intune admin center. Read more about proactive remediations here.

A proactive remediation works by running a detection script on a client. If the detection script finds a configuration error, which it signals with exit code 1, a remediation script is run to fix the issue. The script package can be scheduled to run regularly or just once, and it reports its status to the Intune admin center.

detectSuggRepl.ps1

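# Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Settings\Data
$path = "HKCU:\Software\Microsoft\Office\Outlook\Settings\Data"

# UPN of the signed-in Windows user; it must match the account configured in Outlook
$usr = whoami /upn

# Name of the per-account registry value: UPN_EnableSuggestedReplies
$value = $usr + "_EnableSuggestedReplies"

# Returns $true if the registry value $value exists under $path
function Test-RegistryKeyValue {
	if ( -not (Test-Path -Path $path -PathType Container) ) {
		return $false
	}
	$properties = Get-ItemProperty -Path $path 
	if ( -not $properties ) {
		return $false
	}
	$member = Get-Member -InputObject $properties -Name $value
	if ( $member ) {
		return $true
	} else {
		return $false
	}
}

if (Test-RegistryKeyValue) {
	$curString = Get-ItemPropertyValue -Path $path -Name $value

	# Compliant (exit 0) only if the setting is already "false"
	if ($curString -match '"value":"false"') {
		exit 0
	}
	else {
		# Exit code 1 tells Intune to run the remediation script
		exit 1
	}
} else {
	# Value does not exist (Outlook not installed or not started yet): nothing to remediate
	exit 0
}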

The Test-RegistryKeyValue function is inspired by a function included in Carbon.

remediateSuggRepl.ps1

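# Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Settings\Data
$path = "HKCU:\Software\Microsoft\Office\Outlook\Settings\Data"

# UPN of the signed-in Windows user; it must match the account configured in Outlook
$usr = whoami /upn

# Name of the per-account registry value: UPN_EnableSuggestedReplies
$value = $usr + "_EnableSuggestedReplies"

# Read the current settings string for this account
$curString = Get-ItemPropertyValue -Path $path -Name $value

# Flip only the "value" field and leave the rest of the string unchanged
$string = $curString.replace('"value":"true"','"value":"false"')

# Write the modified string back; it takes effect after Outlook is restarted
Set-ItemProperty -Path $path -Name $value -Value $string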

Both scripts can be found here on my GitHub.

The detection script only triggers the remediation script if the value UPN_EnableSuggestedReplies exists and is also enabled. Otherwise, the remediation is not run. These scripts won't work if the UserPrincipalName of the user signed in to Windows and the e-mail account in Outlook are not identical. The remediation is also only triggered after the user has started Outlook at least once, because the registry value is only added after starting Outlook and adding your account.
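The UPN limitation described above can be avoided by enumerating every value that ends in _EnableSuggestedReplies instead of building the name from whoami /upn. The following is an added example, not one of the author's scripts; it goes beyond the single-account case on this page, and $Remediate and Get-SuggestedReplySetting are hypothetical names. It assumes every account's value follows the naming shown above and that Intune runs the scripts without arguments.

```powershell
# Added example, not the author's script. Finds every account's setting, not only
# the one matching the Windows UPN. Intune passes no arguments (assumption), so set
# $Remediate = $true in the copy uploaded as the remediation script.
$Remediate = $false
$path   = 'HKCU:\Software\Microsoft\Office\Outlook\Settings\Data'
$suffix = '_EnableSuggestedReplies'

function Get-SuggestedReplySetting {
    # One object per account: value name, raw string, parsed state.
    if (-not (Test-Path -Path $path -PathType Container)) { return }
    $props = Get-ItemProperty -Path $path
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike "*$suffix") { continue }
        try {
            $json = [string]$p.Value | ConvertFrom-Json -ErrorAction Stop
        } catch {
            Write-Warning "Skipping $($p.Name): value is not valid JSON"
            continue
        }
        [pscustomobject]@{
            Name    = $p.Name
            Raw     = [string]$p.Value
            Enabled = ($json.value -eq 'true')
        }
    }
}

$enabled = @(Get-SuggestedReplySetting | Where-Object { $_.Enabled })
if ($enabled.Count -eq 0) {
    Write-Output 'Suggested Replies is not enabled for any account'
    exit 0
}
if (-not $Remediate) {
    Write-Output ('Enabled for: ' + ($enabled.Name -join ', '))
    exit 1
}
foreach ($e in $enabled) {
    # Same substitution as remediateSuggRepl.ps1; the rest of the string is untouched.
    $new = $e.Raw.Replace('"value":"true"', '"value":"false"')
    if ($new -ceq $e.Raw) {
        Write-Output "Unexpected format in $($e.Name), not changed"
        exit 1
    }
    Set-ItemProperty -Path $path -Name $e.Name -Value $new -ErrorAction Stop
}
Write-Output ('Disabled for: ' + ($enabled.Name -join ', '))
exit 0
```

The Write-Output line is what appears in the script package's per-device output in Intune, so listing the affected value names there makes it easier to see which accounts were changed.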

Implementation

Let's switch to the Intune admin center. You'll find Proactive remediations under Reports > Endpoint analytics. Start by creating a new script package.

Choose a descriptive name and optionally add a description. Next.

Upload the detection and remediation script from my GitHub. The scripts must run using the logged-on credentials, as described before, because they read and write the signed-in user's HKCU registry hive. Next.

I skipped the scope tags. Next. In assignments, I chose all users in this dev tenant. You can configure the schedule of execution per group. I recommend Daily at first to see results faster. Next.

Review your configuration and create your script package.

After creating the script package, regularly check for the first results to come back.

In my example there are four clients. On two clients the detection ran and did not detect a configuration issue. That is because one client does not have Outlook installed, and the other client has not started Outlook yet. Clients three and four both ran the remediation script because the Suggested Replies feature was detected as enabled.

That's it! I'm thinking about creating a way to deploy this solution using old-school group policies as well. If you are interested, feel free to subscribe to my blog and contact me on Mastodon.