Enable protected view on office files downloaded though OWA

CS 6 Reputation points
2021-02-25T15:25:01.677+00:00

Hello, We have Office and Exchange on premise. The Office protected view trust center settings are enabled for Outlook, internet and other potentially unsafe locations. It's working as it should (browser, Outlook client...) except when it comes to attached file opened though OWA : the office file is opened without protected view. As far as I understand, it boils down to the location of the temporary folder the file is downloaded, but OWA is downloading it to the %temp% folder in the same fashion as the browser does for any other website, which results in a different behavior in this case. Is there any way to mark files downloaded through OWA as unsafe ? Regards

Outlook Management
Outlook Management
Outlook: A family of Microsoft email and calendar products.Management: The act or process of organizing, handling, directing or controlling something.
4,887 questions
Office Management
Office Management
Office: A suite of Microsoft productivity software that supports common business tasks, including word processing, email, presentations, and data management and analysis.Management: The act or process of organizing, handling, directing or controlling something.
2,000 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,350 questions
0 comments

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Emily Hua-MSFT 27,526 Reputation points
    2021-02-26T09:15:19.893+00:00

    @CS

    > the location of the temporary folder the file is downloaded, but OWA is downloading it to the %temp% folder in the same fashion as the browser does for any other website

    Which Browser are you using? Do you force the download path as %temp% folder for all users?

    I do the test on OWA via Edge, and I set the location for downloads as C:\Users\<User Account>\AppData\Local\Temp, files downloaded from OWA are opened in Protected View like the following image.
    72375-capture49.png

    From the view of Office apps, you may try to add the location as "Unsafe Location" by group policy as a workaround.

    • Please install Administrative Template files first. Here is the link for Microsoft 365 Apps for enterprise, Office 2019, and Office 2016.
    • Go to Group Policy Editor > User Configuration > Administrative Templates > Microsoft Office 2016 > Security Settings > Trust Center > Protected View > Unsafe Location.
    • I test the path of "%temp%" and "C:\Users\%username%\AppData\Local\temp", these path do not work. So if you need to download files from OWA to %temp% folder, I suggest you try the path "C:\Users\%username%\AppData\Local", and tick the box of "Allow sub folders", this path works. I test some local created files in %temp% folder, and they could be opened in Protect View.
      (Please note, I do not redirect the %temp% folder on my test environment.)
      72368-capture50.png

    Hope the information could be helpful.

    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments
  2. CS 6 Reputation points
    2021-02-26T09:40:58.65+00:00

    Which Browser are you using? Do you force the download path as %temp% folder for all users?

    It's Firefox, the download path %temp% is the default one when I open a file directly, but it's exactly the same problem with Edge, no matter the folder, (Downloads, %temp%...)
    The location doesn't seem to be relevant, for example, if I download a file though OWA, it will not be opened in protected view, (%temp%, Downloads... doesn't matter). On the other hand, if I download a file with the same browser but from a 3rd party website, it will be opened in protected view, (%temp%, Downloads... It just works).
    So the download location doesn't seem to have an impact. I suspect our OWA server fqdn is somehow whitelisted by Office and any file downloaded through it is marked as safe. As I said, we are on premise, and our AD domain name is the same as our OWA server's. I think we need the same kind of GPO you have posted but for an URL, not a file path, so we can mark our OWA server fqdn as unsafe.

  3. CS 6 Reputation points
    2021-03-02T10:00:16.767+00:00

    Does this affect all Office file attachments or any particular ones like attachments sent by internal users?

    It affects all of them.

    f I click the Unblock button, the file can then be opened without Protected View. So would you please have a look and see how it is at your end?

    This property is only here for files not downloaded through OWA.

    Maybe it's because our OWA server is in our LAN, and therefore is marked as a safe location (intranet zone) ?

  4. CS 6 Reputation points
    2021-03-10T10:27:25.22+00:00

    Thank you, but by doing that, I will lose granularity between internet/intranet.

    Anyway, I managed to find a workaround, I added our OWA server to the internet zone of Internet Explorer with a gpo, and now it's working. Altough all office attachements are now considered unsafe, whever they come from an internal user, or have a safe extension like xlsx instead of xls, but I don't think there is much more we can do.

    0 comments