How to disable email signatures in Outlook for Windows using Intune
You would like to use Microsoft Intune to prevent your users from manually creating email signatures in Outlook for Windows on their machines.
You can disable the native email signature experience in Outlook for Windows via Intune in two ways – either by using the Configuration profiles feature or a PowerShell script to be run on users’ machines. Click the links below to go to the method of your preference:
- Disabling email signatures in Outlook with a configuration profile
- Disabling email signatures in Outlook with a PowerShell script
To disable email signatures in Outlook for Windows using a configuration profile, proceed as follows:
- Log in to the Microsoft Endpoint Manager admin center.
- Go to Devices > Configuration profiles and click Create profile (Fig. 1.).
- From the Platform and Profile type drop-down menus, choose Windows 10 and later and Templates, respectively. Next, select Administrative Templates under Template name, and click Create to add a new configuration profile (Fig. 2.).
- Now, configure the profile settings. In the Basics step, provide profile name (mandatory) and description (Fig. 3.). Click Next to proceed.
- Select User Configuration from the left-hand menu and type Do not allow signatures in the search box to display the setting you’re looking for (Fig. 4.).
- Click the setting name (Do not allow signatures for e-mail messages) to open its pane. To disable signatures in Outlook for Windows, select Enabled and click OK > Next to proceed (Fig. 5.).
- In the next step, you can configure Scope tags if you use this feature. Click Next to move on.
- The Assignments step allows you to define scope of users for whom the signatures will be disabled. Simply click Add all users to disable signatures for all users in your organization (Fig. 6.). Alternatively, you can click Add groups to turn off signatures for selected Azure Active Directory user groups.
If you wish to allow users belonging to certain AAD groups to use the native signature experience in Outlook for Windows instead, you can exclude them from this policy by clicking Add groups under Excluded groups (see bottom portion of Fig. 6.).
- In the last step, Review + create, you can verify if all the settings are correct. If you’re fine with them, click Create (Fig. 7.) to save and apply your policy. From now on, the native signature experience in Outlook for Windows will be disabled on the machines of all/selected users.
You can track the progress of profile assignment by clicking the configuration profile name on the profiles’ list (Devices > Configuration profiles).
The Overview page allows you to check for how many devices & users the configuration profile was assigned successfully and unsuccessfully. To get more detailed information on devices, users, or particular settings, click the Device status, User status, or Per-setting status option respectively (Fig. 8.).
If you prefer applying a PowerShell script via Microsoft Intune to disable the native email signature experience in Outlook for Windows, complete the following procedure.
Prepare a PowerShell script file
- Open any text editor (e.g. Notepad) or the PowerShell ISE app and paste the code below into it.
New-ItemProperty -path "HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings" -Name "DisableSignatures" -Value '1' -PropertyType 'DWORD' -Force
- Use the Save As option (Ctrl+Shift+S) to save the file in the .ps1 format, e.g. Disable_signatures.ps1 (Fig. 9.).
Configure Intune to run the script for given users
- Log in to the Microsoft Endpoint Manager admin center.
- Go to Devices > Scripts, click Add, and choose the Windows 10 and later option (Fig. 10.).
- Name your script, provide an optional description for it, and click Next (Fig. 11.).
- In the Script settings step, load the file you’ve prepared in the previous section of this article and configure the settings as follows:
- Run this script using the logged on credentials: Yes (this will allow to run the script for each specific user that logs in on a machine and disable signatures for their specific account)
- Enforce script signature check: No
- Run script in 64 bit PowerShell Host: Yes (in the case the users’ machines are in 32-bit architecture, choose No)
The final configuration should look as shown in Fig. 12. below. If you’re OK with your settings, click Next.
- If you use the Scope tags feature, you can configure scope tags for this script policy. If not, simply click Next to go to the next step.
- In the Assignments step, choose users in your organization for whom the script will be executed (you can select all users or specific Azure AD user groups only). You can also exclude certain AAD group(s) by configuring the setting in the Excluded groups section (Fig. 13.).
Remember to define assignments according to users and NOT devices, as the script modifies an entry in the Current User registry key. If more than one person uses the same machine, the script must be executed for each user that logs in to it.
- The last step, Review + add, lets you check all the settings for your script policy. If you’re fine with them, click Add (Fig. 14.) – the script will be added to the scripts list.
You can track the progress of script executions by clicking script name on the scripts’ list (Devices > Scripts).
The Overview page allows you to check for how many devices & users the script was executed successfully and unsuccessfully. To get more detailed information on devices or users, e.g. particular device names, user names, etc., click the Device status or User status option respectively (Fig. 15.).