Old and unpatched Outlook clients can pose a serious security risk to your network. Further, older versions of
Outlook don’t have the newer features that significantly improve network
communications, and may place an additional load on an already strained network.
In both Exchange 2000 SP1+ and Exchange 2003, you can selectively disable
specific versions of Outlook from connecting to your Exchange servers by making
modifications to the registry on your Exchange servers.

To block versions of Outlook, do the following:

  • Start
    the registry editor.
  • Browse
    to HKLM\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem.
  • Choose
    Edit > Add Value.
  • Name
    the new REG_SZ value Disable MAPI
  • Assign
    the new key values that match the version of the MAPI client you want to

You can provide values in a number of ways. Here are some

  • A
    single value: “5.2653.11”
  • A
    range of values: “5.2653.11-5.2653.22”
  • Up to
    a particular version: “-5.2653.11” (disable all MAPI clients
    older than this version.)
  • Since
    a particular version: “5.2653.11” (disable all MAPI clients
    newer than this version. I can’t imagine why you would do this, but
    included it for completeness)
  • Multiple
    values: “5.2653.11, 5.2653.22” or “5.2653.11; 5.2653.22”
    or “5.2653.11-5.2653.22; 5.2818.9”

If a client using one of the restricted versions attempts to
connect they will receive an error message:

  • Outlook
    2002 and earlier: “Cannot start Microsoft Outlook. The attempt to log
    on to the Microsoft Exchange Server computer has failed.”
  • Outlook
    2003: “Your Exchange Server administrator has blocked the version of
    Outlook that you are using. Contact your administrator for assistance.”

To determine the MAPI version for a particular version of
Outlook, you need to look at the version of the Emsmdb32.dll file, not at Help
> About, or anything else. A MAPI version for this
file may read “11.0.8006.0”. In fact, most MAPI versions have four
values, but only three are used for this registry key. “11.0.8006.0”
would become “11.8006.0”. Drop the second part of the version.