locked
Outlook 2016+ client and OutlookSecureTempFolder against Exchange Server RRS feed

  • Question

  • The helpful ;-) folks over at answers.Microsoft.com have suggested I post over here. So here I am.

    In a nutshell, I've moved users OutlookSecureTempFolder location outside the default that has PMIE settings and when a user opens a file from Outlook the app in question (Excel, Word) it does NOT prompt the user that the file is open in protected mode. If the location is in the PMIE zone, they would be prompted. I believe Outlook and the apps should still behave in the same way when I use a supported registry entry to move this location, but my testing shows they don't.

    I hope to find a way to flag my new location as a PMIE zone, or tag it "untrusted", so that the Protected Mode prompt comes back.

    My original post: 

    Outlook 2016+ and moving OutlookSecureTempFolder

    I have found many posts talking about the opposite - wanting Protected Mode to not work, but I want it TO work!

    I have, for valid reasons, moved Outlook's temp folder to a different location using the OutlookSecureTempFolder registry value in HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Security via a GPO, and the consequence of that is that a file (say a Word doc or Excel doc) that's opened from Outlook will only open as Read-Only, and the Protected Mode warning banner isn't shown. 

    I'd like to know if it's possible for me to designate this new file location as an untrusted location or attach a PMIE zone to it in some way, so Word/Excel then show my users the Protected Mode message?

    Thursday, November 7, 2019 3:32 AM

All replies

  • Hi,

    From your description, your issue has more relation to Outlook side, and Exchange server forums provide suggestions about problems lying in server side, we will help you move this case to Outlook forum. You will get more professional suggestions there. Thanks for your understanding. 

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. 

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Friday, November 8, 2019 4:42 AM
  • thanks for moving it.
    Monday, November 11, 2019 1:16 AM
  • Hi Poundy.

    You'd like to enable Protected View after you change the location of OutlookSecureTempFolde, right?

    >>I've moved users OutlookSecureTempFolder location outside the default that has PMIE settings

    What does “PMIE settings” mean?

    According to my test, I could still get a Protected View warning banner even I changed the path of OutlookSecureTempFolder. So please check the settings below:

    1. Open Word, Excel, or PowerPoint.
    2. Click File > Options > Trust Center.
    3. Select Trust Center settings.
    4. Click Protected View, make sure you have the three options checked.
    5. Then select Trusted Documents, click Clear > Yes.


    Any update, please feel free to post back.

    Regards,

    Aidan Wang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Monday, November 11, 2019 6:47 AM
  • Hi,

    Have you got the issue fixed?

    Please try my suggestions and let me know the results.

    Regards,

    Aidan Wang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, November 12, 2019 8:56 AM
  • Aidan, thanks for your reply.

    I am setting this all through Group Policy, so the check you mention is not really relevant (users don't have ability to change these settings)

    PMIE == Protected Mode Internet Explorer which is how the regular folder picks up it's untrusted nature. 

    I am redirecting this from the standard C:\ location (within IE's temporary folder structure) and locating it on a home drive folder (which happens to be a network shared location) mapped to H drive. 

    What your image has given me is a lead on the "allow documents on a network to be trusted" as that seems to be set - I need to figure out how to differentiate the insecure location on H drive and the rest of the network location(s) that should be trusted.

    EDIT: no, that setting isn't relevant in this case. That setting, "Turn off Trusted Documents on the network" only allows Trusted Documents to be set.

    So Aidan, can you do a test to move the folder location to a network drive and try your repro? 

    • Edited by Poundy Wednesday, November 13, 2019 11:56 PM more info added after review a setting
    Wednesday, November 13, 2019 11:12 PM
  • I've done some more testing, and there's an inter-play of settings going on here.

    My initial testing was explicitly to change the folder location and ensure the GPO "Turn off Protected View for attachments opened from Outlook" was disabled. (edit) Also to clarify the settings and behaviour, this is in conjunction with the below setting set to ENABLE, and the app opens the attachment in read-only mode and doesn't prompt.

    When I tested with disabling "Do not open files from the Internet zone in Protected View", now an email from a user outside my organisation shows the Protected Mode prompt.

    I can't get protected mode to trigger on an email that just comes from within my organisation (it still opens as read-only) but some other testing from ex colleagues in a large reputable software company show that this is their default behavior as well so perhaps that's all that is expected, can't be sure, but the internet zone setting will probably do me for now (but still willing to hear if anyone thinks that locally emailed content should trigger Protected Mode prompting)



    • Edited by Poundy Friday, November 15, 2019 12:56 AM clarity in paragraph
    Friday, November 15, 2019 12:33 AM
  • Hi Poundy,

    Thanks for your reply.

    According to my research, once you put OutlookSecureTempFolder to a untrusted Location, Protected mode prompts will not be triggered. So this may be by design. So it is suggested to put the location to the "PMIE" zone.

    Or if you still would like to get Protected mode prompts even after moving users OutlookSecureTempFolder location outside the default that has PMIE setting. It is encouraged to share your feedback via the Outlook UserVoice forum.

    Hope this can be helpful.

    Regards,

    Aidan Wang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Monday, November 18, 2019 9:33 AM
  • Hi,

    Have you got the issue fixed?

    I'm writing to see if the reply above is helpful to you. If yes, would you mind helping mark the reply as answer? So that others who might have a similar question can benefit from your thread? Thanks for your understanding and support.

    Regards, 

    Aidan Wang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Wednesday, November 20, 2019 8:06 AM
  • I suspect it'll be a bit hard to say this issue will be "fixed" when you say it's by design :-) 

    I'm not going to bother with UserVoice at this point. Hardly seems worth the effort since there are so many items that will never see the light of day. Maybe it'll be a big enough issue for me to change my view here, but I don't think so.

    Ultimately, what I wanted, was confirmation that the design of Protected Mode (without moving the location) was that opening an attachment from a LOCAL email user should open with the protected mode banner, or if it was only internet based senders that it should initiate this. And then, if the answer is that LOCAL users are exempt it seems a flaw in the description of the settings (it doesn't differentiate between scope of senders) or if it's meant to open both in Protected Mode then there's a bug (because that's not my experience, even without relocating the folder, for an internal user mail).


    Thursday, November 21, 2019 9:45 PM
  • Hi,

    Thanks for your reply.

    I haven't found any official article to introduce this, so it is hard to explain this feature clearly. The reason why I recommend submit this issue to the UserVoice is here you may get more information.

    Regards,

    Aidan Wang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, November 26, 2019 6:18 AM