Plan attachment settings in Outlook 2013
Applies to: Office 365 ProPlus, Outlook 2013
Summary Learn how to use Group Policy to configure attachment security settings for Outlook 2013.
Audience: IT Professionals
In Outlook 2013, you can specify that attachments to Outlook items (such as email messages or appointments) are restricted based on the file name extension of the attachment. You can also configure what users can do with the attachment restrictions. For example, you could allow users to change the restrictions for a group of attachment file name extensions from Level 1 (user can’t view the file) to Level 2 (user can open the file after they save it to disk).
Important
Are you looking for help with blocked attachment in Outlook 2013 on your desktop?You may be looking for Blocked attachments in Outlook, which will help you share your files safely or change the types of files that are blocked on your desktop.
In this article:
Overview of Outlook attachment security
Add or remove Level 1 file name extensions for Outlook 2013
Add or remove Level 2 file name extensions for Outlook 2013
Configure additional attachment file restrictions for Outlook 2013
Overview of Outlook attachment security
To help protect users from malicious attachments, Outlook 2013 restricts access to some attachments in items, such as email messages or appointments. Files that have specific file name extensions can be categorized as Level 1 (the user can’t view the file) or Level 2 (the user can open the file after they save it to disk).
By default, Outlook 2013 classifies several file name extensions as Level 1 and blocks users from receiving files that have those extensions. Examples of Level 1 file name extensions include .cmd, .exe, and .vbs. As an administrator, you can use Group Policy to manage how a file name extension is categorized for email attachment blocking. For example, you can change a file name extension categorization from Level 1 to Level 2 or create a list of Level 2 file name extensions. By default, there are no Level 2 file name extensions.
Note
To enforce attachment settings, you must first use Group Policy to configure the method that Outlook 2013 uses to enforce security settings. For information about how to set the Outlook 2013 method to enforce security settings, see Specifying how security settings are enforced in Outlook in Overview of security and protection settings for Outlook 2013.
You can configure Outlook 2013 attachment security settings by using Group Policy and the Outlook 2013 template. Most of the attachment security settings are the found under User Configuration\Administrative Templates\Microsoft Outlook 2013\Security\Security Form Settings\Attachment Security. You can find settings to prevent users from customizing attachment security settings and to use Protected View for attachments received from internal senders under User Configuration\Administrative Templates\Microsoft Outlook 2013\Security. Attachment security settings can’t be configured by using the Office Customization Tool (OCT).
For more information about Protected View, see Plan Protected View settings for Office 2013.
For information about how to download the Outlook 2013 administrative template, and about other Office 2013 administrative templates, see Group Policy Administrative Template files (ADMX, ADML) and Office Customization Tool (OCT) files for Office 2013. For more information about Group Policy, see Overview of Group Policy for Office 2013.
Add or remove Level 1 file name extensions for Outlook 2013
Level 1 files are hidden from the user. The user can’t open, save, or print a Level 1 attachment. If you specify that users can demote a Level 1 attachment to a Level 2 attachment, Level 2 restrictions apply to the file. If a user receives an email message or appointment that has a blocked attachment, the InfoBar at the top of the item displays a list of the blocked files. Note that the InfoBar doesn’t appear on a custom form.
When you remove a file name extension from the Level 1 list, attachments that have that file name extension are no longer blocked. The default list of Level 1 file name extensions is shown in the table in the article Blocked attachments in Outlook.
The settings in the following table let you add or remove Level 1 file name extensions from the default list. In Group Policy, these settings are found under User Configuration\Administrative Templates\Microsoft Outlook 2013\Security\Security Form Settings\Attachment Security. These settings can’t be configured by using the OCT.
Level 1 attachment security settings
| Setting name | Registry path and value name | Description |
|---|---|---|
Add file extensions to block as Level 1 |
Group Policy registry path: HKEY_CURRENT_USER\software\policies\microsoft\office\15.0\outlook\security!FileExtensionsAddLevel1 |
Specifies the file name extensions (usually three letters) that you want to add to the Level 1 file list. Do not enter a period before each file name extension. If you enter multiple file name extensions, separate them with semicolons. |
Remove file extensions blocked as Level 1 |
Group Policy registry path: HKEY_CURRENT_USER\Software\Policies\Microsoft\office\15.0\outlook\security!FileExtensionsRemoveLevel1 |
Specifies the file name extensions (usually three letters) that you want to remove from the Level 1 file list. Do not enter a period before each file name extension. If you enter multiple file name extensions, separate them with semicolons. |
Add or remove Level 2 file name extensions for Outlook 2013
With a Level 2 file name extension, the user is required to save the file to the hard disk before the file is opened. A Level 2 file can’t be opened directly from an Outlook item.
When you remove a file name extension from the Level 2 list, it becomes a regular file name extension that can be opened, saved, and printed in Outlook 2013. There are no restrictions on the file.
The settings in the following table let you add or remove Level 2 file name extensions from the default list. In Group Policy, these settings are found under User Configuration\Administrative Templates\ Microsoft Outlook 2013\Security\Security Form Settings\Attachment Security. These settings can’t be configured by using the OCT.
Level 2 attachment security settings
| Setting name | Registry path and value name | Description |
|---|---|---|
Add file extensions to block as Level 2 |
Group Policy registry path: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Outlook\Security!FileExtensionsAddLevel2 |
Specifies the file name extension (usually three letters) that you want to add to the Level 2 file list. Do not enter a period before each file name extension. If you enter multiple file name extensions, separate them with semicolons. |
Remove file extensions blocked as Level 2 |
Group Policy registry path: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Outlook\Security!FileExtensionsRemoveLevel2 |
Specifies the file name extension (usually three letters) that you want to remove from the Level 2 file list. Do not enter a period before each file name extension. If you enter multiple file name extensions, separate them with semicolons. |
Configure additional attachment file restrictions for Outlook 2013
The settings in the following table are additional settings that you can configure for attachments in Group Policy. In Group Policy, these settings are found under User Configuration\Administrative Templates\Microsoft Outlook 2013\Security\Security Form Settings\Attachment Security. These settings can’t be configured by using the OCT.
Additional attachment security settings
| Setting name | Registry path and value name | Description |
|---|---|---|
Display Level 1 attachments |
Group Policy registry path: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Outlook\Security!FileExtensionsAddLevel2 |
Enables users to access all attachments that have Level 1 file name extensions by first saving the attachments to disk, and then opening them (as with Level 2 attachments). |
Allow users to demote attachments to Level 2 |
Group Policy registry path:HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Security!AllowUsersToLowerAttachments |
Enables users to create a list of attachment file name extensions to demote from Level 1 to Level 2. If you do not configure this Group Policy setting, the default behavior in Outlook is to ignore the user’s list. The registry key in which users create the list of file name extensions to demote is as follows: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Security!Level1Remove. In the registry key, users specify the file name extensions (usually three letters) to remove from the Level 1 file list, separated by semicolons. |
Do not prompt about Level 1 attachments when sending an item |
Group Policy registry path:HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Security!DoNotPromptLevel1AttachSend |
Prevents users from receiving a warning when they send an item that contains a Level 1 attachment. This option affects only the warning. After the item is sent, recipients might be unable to view or access the attachment, depending on their security settings. If you want users to be able to post items to a public folder without receiving this prompt, you must enable this setting and the Do not prompt about Level 1 attachments when closing an item setting. |
Do not prompt about Level 1 attachments when closing an item |
Group Policy registry path:HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Security!DoNotPromptLevel1AttachClose |
Prevents users from receiving a warning when they close an email message, appointment, or other item that contains a Level 1 attachment. This option affects only the warning. After the item is closed, the user can’t view or gain access to the attachment. If you want users to be able to post items to a public folder without receiving this prompt, you must enable this setting and the Do not prompt about Level 1 attachments when sending an item setting. |
Display OLE package objects |
Group Policy registry path:HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Security!ShowOLEPackageObj |
Displays OLE objects that are packaged. A package is an icon that represents an embedded or linked OLE object. When you double-click the package, the program that was used to create the object either plays the object (for example, if the object is a sound file) or opens and displays the object. Allowing Outlook to display OLE package objects can be problematic, because the icon can be easily changed and used to disguise malicious files. |
The settings in the following table are found in Group Policy under User Configuration\Administrative Templates\Microsoft Outlook 2013\Security. These settings can’t be configured by using the OCT.
Additional security settings
| Setting name | Registry path and value name | Description |
|---|---|---|
Prevent users from customizing attachment security settings |
Group Policy registry path:HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook!DisallowAttachmentCustomization |
When enabled, users can’t customize the list of file name extensions that are allowed as attachments in Outlook, regardless of how you have configured other Outlook security settings. |
Use Protected View for attachments received from internal senders |
Group Policy registry path:HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Security!MarkInternalAsUnsafe |
When enabled, attachments that are received from senders within your organization will open in Protected View. This setting only applies to Outlook accounts that connect to a Microsoft Exchange Server computer. |
See also
Overview of security and protection settings for Outlook 2013
Plan Protected View settings for Office 2013