SOLVED
Home

Encrypt-Only and Do Not Forward Managment

%3CLINGO-SUB%20id%3D%22lingo-sub-379320%22%20slang%3D%22en-US%22%3EEncrypt-Only%20and%20Do%20Not%20Forward%20Managment%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-379320%22%20slang%3D%22en-US%22%3E%3CP%3EI%20was%20recently%20tasked%20with%20achieving%20a%20better%20understanding%20of%20our%20Office%20365%20setup%20after%20our%20Information%20Security%20Officer%20left%20for%20another%20position.%20This%20includes%20the%20way%20we%20are%20encrypting%20our%20email.%20Initially%2C%20the%20only%20option%20available%20within%20Outlook%20%26amp%3B%20OWA%20was%20Do%20Not%20Forward.%20Within%20the%20last%20week%20or%20so%20the%20Encrypt-Only%20option%20has%20shown%20up%20under%20the%20same%20Permissions%20button%20in%20Outlook%20and%20I'm%20trying%20to%20better%20understand%20how%2Fwhere%20these%20options%20are%20managed.%20All%20Microsoft%20documents%20I%20have%20been%20able%20to%20find%20are%20a%20higher%20level%20explanation%20of%20what%20these%20options%20do%20and%20not%20how%20to%20manage%20them%20or%20turn%20them%20off%2C%20if%20this%20is%20even%20possible.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20the%20Encrypt-Only%20function%20managed%20through%20the%20%3CSTRONG%3EEncryption%3C%2FSTRONG%3E%20mail%20transport%20rule%20in%20the%20Exchange%20Admin%20Center%3F%20If%20I%20turned%20this%20rule%20off%2C%20would%20that%20eliminate%20the%20Encrypt-Only%20option%20within%20Outlook%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20Do%20Not%20Forward%20option%2C%20is%20this%20managed%20in%20Azure%20Information%20Protection%20(AIP)%3F%20In%20our%20environment%20within%20the%20Global%20Policy%20(On%20the%20%3CSTRONG%3EAzure%20Information%20Protection%20-%20Policies%3C%2FSTRONG%3E%20blade%2C%20select%20the%20Global%20Policy)%20%2C%20it%20looks%20like%20the%20Do%20Not%20Forward%20button%20is%20toggled%20to%20not%20show%20in%20the%20Outlook%20Ribbon.%20Why%20is%20it%20still%20showing%20up%3F%20Or%20is%20the%20attached%20screenshot%20not%20where%20these%20settings%20are%20actually%20managed%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-379320%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-382469%22%20slang%3D%22en-US%22%3ERe%3A%20Encrypt-Only%20and%20Do%20Not%20Forward%20Managment%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-382469%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F44888%22%20target%3D%22_blank%22%3E%40Ryan%20Heffernan%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EDNF%20is%20a%20built%20in%20function%20within%20the%20Outlook%20client%20and%20must%20be%20disabled%20via%20GPO%2FRegistry%20keys%20as%20follows%3A%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3EOpen%20the%20following%20registry%20location%20using%20Registry%20Editor%3A%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EHKEY_CURRENT_USER%5CSoftware%5CMicrosoft%5COffice%5C14.0%5CCommon%5CDRM%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EOn%20the%26nbsp%3B%3CSTRONG%3EEdit%26nbsp%3B%3C%2FSTRONG%3Emenu%2C%20point%20to%26nbsp%3B%3CSTRONG%3ENew%3C%2FSTRONG%3E%2C%20and%20then%20click%26nbsp%3B%3CSTRONG%3EDWORD%20(32-bit)%20Value%3C%2FSTRONG%3E.%26nbsp%3B%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EType%26nbsp%3B%3CSTRONG%3EDisableDNF%3C%2FSTRONG%3E%2C%20and%20then%20press%20ENTER.%26nbsp%3B%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EIn%20the%26nbsp%3B%3CSTRONG%3EDetails%20%3C%2FSTRONG%3Epane%2C%20right-click%26nbsp%3B%3CSTRONG%3EDisableDNF%3C%2FSTRONG%3E%2C%20and%20then%20click%26nbsp%3B%3CSTRONG%3EModify%3C%2FSTRONG%3E.%26nbsp%3B%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EIn%20the%26nbsp%3B%3CSTRONG%3EValue%20data%20%3C%2FSTRONG%3Ebox%2C%20type%26nbsp%3B1%2C%20and%20then%20click%26nbsp%3B%3CSTRONG%3EOK%3C%2FSTRONG%3E.%26nbsp%3B%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EExit%20Registry%20Editor.%26nbsp%3B%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EIf%20you%20previously%20disabled%20the%26nbsp%3B%3CSTRONG%3EDo%20Not%20Forward%20%3C%2FSTRONG%3Ecommand%20by%20using%20a%20Group%20Policy%20setting%2C%20remove%20that%20policy%20setting.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E(Note%20the%20registry%20location%20will%20be%20different%20based%20on%20the%20Office%20version.)%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3E14.0%20%3D%202010%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3E15.0%20%3D%202013%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3E16.0%20%3D%202016%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CEM%3EOnce%20the%20policy%20is%20applied%2C%20this%20is%20what%20the%20UI%20shows.%20(Note%20the%20DNF%20options%20is%20greyed%20out.)%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3EMore%20information%20about%20DNF%20is%20found%20here%3A%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Fconfigure-usage-rights%23do-not-forward-option-for-emails%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Finformation-protection%2Fconfigure-usage-rights%23do-not-forward-option-for-emails%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EWe%20plan%20to%20allow%20admins%20to%20disable%2Fhide%20Encrypt%20Only%20within%20Office%20later%20this%20year.%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-381430%22%20slang%3D%22en-US%22%3ERe%3A%20Encrypt-Only%20and%20Do%20Not%20Forward%20Managment%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-381430%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F301580%22%20target%3D%22_blank%22%3E%40EASchmitt%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECC%3A%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102197%22%20target%3D%22_blank%22%3E%40Rafael%20Dominguez%3C%2FA%3E%20to%20see%20if%20he%20can%20speak%20to%20the%20AIP%20aspect%20of%20this%20question.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
EASchmitt
New Contributor

I was recently tasked with achieving a better understanding of our Office 365 setup after our Information Security Officer left for another position. This includes the way we are encrypting our email. Initially, the only option available within Outlook & OWA was Do Not Forward. Within the last week or so the Encrypt-Only option has shown up under the same Permissions button in Outlook and I'm trying to better understand how/where these options are managed. All Microsoft documents I have been able to find are a higher level explanation of what these options do and not how to manage them or turn them off, if this is even possible.

 

Is the Encrypt-Only function managed through the Encryption mail transport rule in the Exchange Admin Center? If I turned this rule off, would that eliminate the Encrypt-Only option within Outlook?

 

The Do Not Forward option, is this managed in Azure Information Protection (AIP)? In our environment within the Global Policy (On the Azure Information Protection - Policies blade, select the Global Policy) , it looks like the Do Not Forward button is toggled to not show in the Outlook Ribbon. Why is it still showing up? Or is the attached screenshot not where these settings are actually managed?

2 Replies

@EASchmitt

 

CC: @Rafael Dominguez to see if he can speak to the AIP aspect of this question. 

Solution

Thanks @Ryan Heffernan.

 

DNF is a built in function within the Outlook client and must be disabled via GPO/Registry keys as follows:

Open the following registry location using Registry Editor:

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\DRM

  1. On the Edit menu, point to New, and then click DWORD (32-bit) Value
  2. Type DisableDNF, and then press ENTER. 
  3. In the Details pane, right-click DisableDNF, and then click Modify
  4. In the Value data box, type 1, and then click OK
  5. Exit Registry Editor. 
  6. If you previously disabled the Do Not Forward command by using a Group Policy setting, remove that policy setting.

(Note the registry location will be different based on the Office version.)

  • 14.0 = 2010
  • 15.0 = 2013
  • 16.0 = 2016 

Once the policy is applied, this is what the UI shows. (Note the DNF options is greyed out.)

More information about DNF is found here: https://docs.microsoft.com/en-us/azure/information-protection/configure-usage-rights#do-not-forward-...

 

We plan to allow admins to disable/hide Encrypt Only within Office later this year.