Forum Discussion
Outlook Classic for M365 - File > Encrypt > 'Encrypt-Only' option applies 'Do Not Forward' label?
Would suggest taking a look at the following:
- Review Sensitivity Label Configuration in Purview
- Go to Microsoft Purview portal > Information Protection > Labels.
- Check the Encrypt-Only label:
- Ensure it’s not configured with “Do Not Forward” permissions.
- Confirm it’s published to the correct users/groups.
- Verify that Outlook and OWA are selected under “Apps that support this label.”
- Check Outlook Client behavior
- Ensure users are on the latest Outlook Classic build.
- Clear Outlook cache and restart the client.
- Optionally, check registry keys under:
HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Common\SecurityLook for any overrides related to IRM or encryption.
- Test with a Clean Profile
- Create a new Outlook profile and test the File > Encrypt > Encrypt-Only path.
- If it works correctly, the issue may be profile-specific or cached label metadata.
- Consider Disabling Legacy IRM Mapping
- If your org migrated from legacy IRM templates, they may still be influencing behavior.
- You can disable legacy IRM mapping via PowerShell:
Set-IRMConfiguration -SimplifiedClientAccessEnabled $true- Educate Users to Use the Options Ribbon
- Until resolved, recommend users always use the Options ribbon > Encrypt method.
- You can even customize the ribbon or disable the File > Encrypt path via GPO or UI customization.
Would suggest taking a look at the following:
- Review Sensitivity Label Configuration in Purview
- Go to Microsoft Purview portal > Information Protection > Labels.
- Check the Encrypt-Only label:
- Ensure it’s not configured with “Do Not Forward” permissions.
- Confirm it’s published to the correct users/groups.
- Verify that Outlook and OWA are selected under “Apps that support this label.”
- Check Outlook Client behavior
- Ensure users are on the latest Outlook Classic build.
- Clear Outlook cache and restart the client.
- Optionally, check registry keys under:
HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Common\SecurityLook for any overrides related to IRM or encryption.
- Test with a Clean Profile
- Create a new Outlook profile and test the File > Encrypt > Encrypt-Only path.
- If it works correctly, the issue may be profile-specific or cached label metadata.
- Consider Disabling Legacy IRM Mapping
- If your org migrated from legacy IRM templates, they may still be influencing behavior.
- You can disable legacy IRM mapping via PowerShell:
Set-IRMConfiguration -SimplifiedClientAccessEnabled $true
- Educate Users to Use the Options Ribbon
- Until resolved, recommend users always use the Options ribbon > Encrypt method.
- You can even customize the ribbon or disable the File > Encrypt path via GPO or UI customization.
Kidd,
Thanks for your reply and suggestions!
Regarding #1, we don't even have Sensitivity Labels setup in our org - so this is likely part of the issue, but I'll report this encryption behavior as a bug to Microsoft.
In the meantime, I'll talk with my internal IT team on how to handle Sensitivity Labels going forward (will have to do the same for #3 Legacy IRM Mapping!).
For now, we will go with #5 the Educate Users route always use the Options ribbon > Encrypt method.
This will let my team and I address the other items, and our users can continue working as normal.
I will test with suggestions #2 and #4 and let you know if those work!