Information
This policy setting controls whether Outlook prompts users before executing a custom action. Custom actions add functionality to Outlook that can be triggered as part of a rule. Among other possible features, custom actions can be created that reply to messages in ways that circumvent the Outlook model's programmatic send protections.
The recommended state for this setting is: Enabled: Automatically Deny.
Rationale:
Malicious code can use the Outlook object model to compromise sensitive information or otherwise cause data and computing resources to be at risk.
Impact:
Configuring this setting to Automatically Deny prevents Outlook from executing any custom actions that use the Outlook object model. Users will not be able to utilize this function.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: Automatically Deny:
User Configuration\Administrative Templates\Microsoft Outlook 2016\Security\Security Form Settings\Custom Form Security\Set Outlook object model custom actions execution prompt
Default Value:
Disabled: (When Outlook or another program initiates a custom action using the Outlook object model, users are prompted to allow or reject the action.)