Microsoft Excel Query could not be started because it isn’t installed
I thought I would write this one up as it took a little bit of time to figure out the answer to this problem. There are many perfectly valid solutions out there that resolve this error, except, if you are like me and make use of the Microsoft Security Baselines for Office, none of those answers would have helped…and here is why.
I am very much of the opinion that no matter how small your business or indeed how large it is, good security controls are essential; it's going to protect you from all sorts of headaches and potential lawsuits in the future. That’s why, wherever I can, I make full use of the Microsoft Security Baselines…why? Well, they are free and some very talented people have provided us with a very easy way to get started with security.
However, sometimes, these baselines do have undesired consequences, which is exactly what I experienced here.
We have been running with security baselines in place for years now, and occasionally software or processes change, which causes the users a problem.
Today, our users attempted to set up an ODBC connection in Excel to our finance database. When they did, they got the error “Microsoft query could not be started because it isn’t installed” etc. Now, that doesn’t seem right. After a bit of Googling and some testing on the MSQRY executable (C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE), I realised there was nothing wrong with Excel, or the way it was installed. What I realised was we were probably looking at a security control blocking an innocent process.
After some testing and setting up lab scenarios, I managed to identify that the baseline causing the issue was the Microsoft Office Security Baseline for DDE Blocking. So I navigated to User Configuration | Administrative Templates | Microsoft Excel 2016 | Don’t allow Dynamic Data Exchange (DDE) Server lookup in Excel and switched it from Enabled to Disabled.
Note that I only needed to change the server lookup policy, not the server launch policy.
I agree, there is a perfectly valid reason why this is disabled, but there is no point in having a security control in place that doesn’t allow the business to function. It's far better to manage the risk in other ways (such as targeting this policy relaxation to the smallest number of workstations possible) than to put senior managers off using security controls at all because they ‘get in the way’ or ‘cause too many problems’.
I hope this helps someone reduce the amount of time it takes them to figure out what may be causing them the headache!