Outlook: Body of accepted meetings is read-only now; by design after Office August 2023 update

Short information for administrators of Office installations with Microsoft Outlook. I have received reports that, since the August 2023 updates for Microsoft Outlook were installed, the so-called body text of appointments can only be changed by the organizer of the appointment. This is by design, and documented by Microsoft.

Report from a reader

So far, I hadn't noticed that, but German blog reader Heinsolo recently left this German comment (thanks for that) describing an observation.

Someone creates an appointment in Microsoft Outlook or in OWA, which is accepted.

Previously, even after an appointment was accepted, non-organizers could make changes to content in the body of the appointment (in the screenshot below, the text area at the bottom with the appointment details) (for example, notes about seating, materials needed, etc.).

This does not seem to apply after the August 2023 updates when Microsoft Exchange is involved.

Appointment in Outlook

In his comment, Heinsolo refers to the user post "Outlook, Zugesagte Termin können nicht mehr geändert werden" on the German site Franky's Web. The administrator in question wrote there:

Microsoft has introduced a totally unfortunate feature with the last Office patch. It is no longer possible to change a body of a promised appointment.

We already have a lot of complaints within our company, because many colleagues write important personal information about an appointment (e.g. seating, catering, etc.) or a short meeting protocol afterwards.

This is now no longer possible! For us this is an incomprehensible security feature. The organizer may also write something! Or in your own appointments you are allowed to add something.

Some refer to MS Teams as a workaround, but we do not use MS Teams. Does anyone know another usable workaround?

Interestingly, it also occurs in OWA. But if I use an older Outlook it still works.

This coincides with Heinsolo's brief description to my German blog post Microsoft Office Updates (8. August 2023):

Hi all, I hope this comment is still being read – can anyone here confirm this:

Link to post at Frankys Web

The issue is that an appointment is accepted in Outlook (in connection with Exchange). In this appointment, after it was accepted as a non-organizer of the appointment, you could still enter your own comments in the lower area (body field) and save. The fact that it no longer works is said to be related to the latest Office updates.

We are currently in a migration from Ex2016 to Ex2019 and it was noticed by a colleague.

No direct connection has been seen now, hence the question if this behavior is caused by the updates.

Thank you very much for any hints.

Many other administrators have since confirmed this observation.

Microsoft: It's not a bug, it's by design

German blog reader Jörg Maletzky then left this comment and pointed out that Microsoft documented this in the support post "Images are blocked and meeting body is read only in Outlook Desktop if calendar items are from other senders" for the Microsoft Outlook Spoofing Vulnerability released August 8, 2023 (thanks for that). Within the support article, last modified on August 16, 2023, Microsoft confirms the problem and writes:

When you receive meeting items sent from any other sender (internal or external), the security update makes two changes:

  1. The meeting is now read only for the recipient. It is no longer possible to make changes to the body of the meeting or to attach files to the meeting.
  2. Images in the meeting item that are stored on network paths such as UNC shares (\\server), file share paths (File://server), or external URL paths (https://) are blocked.

Blocked images

The new behavior is a result of the security updates for Office and for Microsoft Outlook, respectively, which were rolled out on August 8, 2023, to address the CVE-2023-36893 vulnerability (Microsoft Outlook Spoofing Vulnerability). Exploitation of this vulnerability could allow disclosure of NetNTLMv2 hashes.

This vulnerability requires a user with an affected version of Outlook to open a malicious meeting or appointment invitation from the attacker. As a result, Microsoft has set the affected appointment invitations to read-only for third parties who are not organizers.
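The three image-source categories from Microsoft's list can be turned into a triage check that an administrator runs over the HTML body of a received meeting item. This is an added example, not code from Microsoft or from the original post; the function names, sample body and host names are constructed, and treating `cid:`/`data:` sources as embedded and plain `http://` as external are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def classify_image_source(src):
    """Map an image source to one of the blocked categories, or None."""
    s = src.strip()
    if s.startswith("\\\\"):              # UNC share: \\server\share\...
        return "unc"
    scheme = urlparse(s).scheme.lower()
    if scheme == "file":                  # file share path: file://server/...
        return "file"
    if scheme in ("http", "https"):       # external URL (http is an assumption)
        return "external-url"
    return None                           # cid:, data:, relative: not flagged


class _ImageCollector(HTMLParser):
    """Collects the src attribute of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources.extend(v for k, v in attrs if k == "src" and v)


def find_remote_images(html_body):
    """Return (category, src) for each image that points off the local item."""
    collector = _ImageCollector()
    collector.feed(html_body)
    collector.close()
    hits = ((classify_image_source(s), s) for s in collector.sources)
    return [(cat, s) for cat, s in hits if cat]


# Constructed sample body of a meeting invitation (not real data).
SAMPLE_BODY = r"""
<html><body><p>Quarterly planning, room 2.14</p>
<img src="cid:image001.png@01D9C0DE">
<img src="\\fileserver.example\share\logo.png">
<img src="file://fileserver.example/share/banner.png">
<img src="https://cdn.example/pixel.gif" width="1" height="1">
<img src="data:image/png;base64,iVBORw0KGgo=">
</body></html>
"""

if __name__ == "__main__":
    for category, src in find_remote_images(SAMPLE_BODY):
        print(f"{category:12} {src}")
```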

To address the issue of body content that cannot be changed for non-organizer meeting or appointment invitations, Microsoft proposes the following alternatives:

Hope this helps – Windows and Office have morphed into a daily wonderbox for administrators – each day a new nasty surprise.

Similar articles:
Microsoft Security Update Summary (August 8, 2023)
Microsoft Office Updates (August 8, 2023)
Exchange Server Security Updates (August 8, 2023)
Workaround for Exchange August 2023 security update install issue

Outlook startup asks for "re-open windows", options to disable missing
Outlook: Microsoft releases workaround for "open window" startup bug
Outlook "open window" bug at startup a permission issue?
Workaround/Fix for Outlook issue: Appointments automatically become Teams meetings
Outlook: Microsoft releases temporary fix for slow saving on network paths
Outlook 2016: Links broken after update from July 11, 2023 (KB5002427) – Security warning appears when clicking links
