Ability to block all downloads but allow users to select Keep


In our company, we just got version 91 and everything we downloaded (internally it seems) would instantly come up blocked.

So it seems that the GPO "Allow Download Restrictions" set to Block Dangerous Downloads (which worked before) is now giving us the blocking with no Keep option.

Setting it to Block potentially dangerous or unwanted downloads, doesn't even give us a download box.

 

But setting it to No special restrictions - allows us to now get the blocked prompt, and the option (...) now to Keep or delete.

 

My question is: How can I get this prompt for EVERYTHING?
If I go to download VLC player, I get the download, and I can just open it... what I want is the "block" then a user has to click Keep (to download or launch it) or Discard to delete it.

 

Is it possible to have this setup?

I ask because we have a security requirement to have all downloads behave like this and this seems to me to be a great fit!

It enforces the user to make a conscious decision about the files they are downloading... so that extra click can deter (as well as piss them off).

 

We control policies using GPOs, and since version 91 seems to enforce this (along with Chrome version 91), I am really curious if we can turn this on for all downloads.

 

Ideally I would like to prevent it for internal files, but definitely for external sites (even known good ones).

I did read this: Interrupting Downloads of Potentially Dangerous Files | Microsoft Docs. But it is unclear to me if this is what I really need to do... I don't want to manage file types and domains.

 

Appreciate any help.

 

Kevin J

6 Replies

@KevinJ613 Hello!  Just to confirm, was the DownloadRestrictions policy working for your organization prior to the v91 update?  (Example: it prompted the users to choose "Keep" or "Delete" for every file downloaded)  Then after the update to v91, the behavior of the policy changed? 

 

I scanned through the policies and saw the PromptForDownloadLocation policy (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#promptfordownloadlocation). Would something like this help users consciously decide before downloading a file?

 

Thanks! 

 

-Kelly

 

 

@Kelly_Y 

 

No, we have never had that prompt show up until version 91 was released, but even then it ONLY showed up after I made a change to the DownloadRestrictions Policy.

 

So my Policy was originally set to BlockDangerousDownloads, which allowed files to be downloaded (again never got that Keep or delete message for any downloads that I am aware of).
As soon as the release of v91, we were getting full blocks (no changes to the GPO)

[Image: KevinJ613_0-1622781763509.png]

I then changed the Policy to 'No Special restrictions' and we were now getting this

[Image: KevinJ613_1-1622781824563.png]

Once you choose Keep from the menu, after a few minutes the next time this file type is clicked to be downloaded, it will just present the Open/Save As/Save option.

 

The above screenshots are of an .msg file from a ticketing system; we also later found out that people trying to download internal applications were also being blocked.

 

I started reading this Interrupting Downloads of Potentially Dangerous Files | Microsoft Docs and it got me thinking: what if we can ALWAYS enable the prompt that asks a user to Keep or Delete?

I don't fully understand what is actually happening, because according to that page (and subsequent links) the .msg file should not have been blocked as it has always been opened before.. the difference is, that was done prior to version 91.


We have a requirement of the following:

If any of the executable test files are downloaded successfully and can be executed without a warning and prompt for the user to decide whether or not to proceed then record a Fail result for this sub-test. Otherwise, record a Pass result for this sub-test.

 

So to me this fits that requirement, even if it is not intended to do so..

 

So I don't want to Block the files, I just want it to always prompt regardless of what files are being downloaded. So any "known good files" from let's say Microsoft will still give us this prompt and then we have to click Keep.

This is a total PITA move, but we have special requirements from au

Bonus points if we can exclude internal domains from being prompted.

 

And to answer your question, I don't see how Prompt for location would provide me with the block prompt and then the option to Keep or Delete.

I get the intent of asking where to save each time, but that is not necessarily a warning, where the above one is a warning if you will.

@KevinJ613 I am also in this same situation.  If you found a resolution I'd be interested in hearing it so I can give it a shot.  Thanks!

I had a ticket opened with MS Edge team, and there really are no options to do what we want. The support agent stated they would bring it up with the product team... but I dunno.
So I am still looking for a solution to do this (or at least something close to it).

@KevinJ613 I'm not so sure if this is helpful or not but this helped move me a bit forward.  Disable download file type extension-based warnings for specified file types on domains (admx.help)

 

I do not want to manage some giant list of websites and file types but this is letting files download from sites that I've got the Allow Download Restrictions piece set to Block Dangerous Downloads.

From what MS Edge support told me this is only to bypass the blocking messages of file types when entering your domain, like if you wanted any file type from your internal domain to not get the blocking messages.
I also thought about leveraging this somehow to do what I want, but I also did not want to keep a list of domains to ensure things were always being blocked.

So in my case I don't want to bypass file downloads, I just want to always have the Block message (but then have the option for the user to Keep or Delete)

There is also a user based policy (Not MS Edge related) called Attachment Manager (User/Policies/AdminTemplates/WindowsComponents/Attachment Manager) which is supposed to leverage internet zones, but I can't figure out how to get it to work as everything I have tried doesn't "warn" about the downloads
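
An added example, not part of the thread or of Microsoft's documentation: a read-only PowerShell audit of the settings the posts above name (DownloadRestrictions, PromptForDownloadLocation, Attachment Manager), plus the zone information each file in a folder carries, which is what Attachment Manager's zone-based warnings depend on. The registry locations are the standard policy keys; the default folder is an assumption.

```powershell
# Added example, not from the thread. Read-only: nothing is changed on the machine.
param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))  # assumed folder to inspect

# DownloadRestrictions values as documented for Microsoft Edge.
$restrictions = @{
    0 = 'No special restrictions'
    1 = 'Block dangerous downloads'
    2 = 'Block potentially dangerous or unwanted downloads'
    3 = 'Block all downloads'
    4 = 'Block malicious downloads'
}

# Edge policies can be set per machine or per user, so report both hives.
$policy = foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\SOFTWARE\Policies\Microsoft\Edge"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key                       = $key
        DownloadRestrictions      = if ($null -ne $p.DownloadRestrictions) {
            '{0} ({1})' -f $p.DownloadRestrictions, $restrictions[[int]$p.DownloadRestrictions]
        } else { 'not configured' }
        PromptForDownloadLocation = if ($null -ne $p.PromptForDownloadLocation) {
            $p.PromptForDownloadLocation
        } else { 'not configured' }
    }
}
$policy | Format-List

# Attachment Manager: SaveZoneInformation = 1 means "do not preserve zone information",
# in which case downloaded files carry no zone for Windows to act on.
$am = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments' `
    -ErrorAction SilentlyContinue
if ($am.SaveZoneInformation -eq 1) {
    Write-Warning 'Attachment Manager is configured not to preserve zone information.'
}

# Zone recorded on each file (Zone.Identifier alternate data stream, NTFS only).
$zones = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
Get-ChildItem -LiteralPath $Folder -File | ForEach-Object {
    $ads = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $m = [regex]::Match(($ads -join "`n"), 'ZoneId=(\d+)')
    [pscustomobject]@{
        File = $_.Name
        Zone = if ($m.Success) { $zones[[int]$m.Groups[1].Value] } else { 'none (no Zone.Identifier stream)' }
    }
} | Format-Table -AutoSize
```

Files listed with no zone, or with a zone other than Internet, are the ones to look at first when a download opens without the expected warning.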