Ability to block all downloads but allow users to select Keep


In our company, we just got version 91 and everything we downloaded (internally it seems) would instantly come up blocked.

So it seems that the GPO "Allow Download Restrictions" set to Block Dangerous Downloads (which worked before) is now giving us the blocking with no Keep option.

Setting it to Block potentially dangerous or unwanted downloads, doesn't even give us a download box.

 

But setting it to No special restrictions - allows us to now get the blocked prompt, and the option (...) now to Keep or delete.

 

My question is: How can I get this prompt for EVERYTHING?
If I go to download VLC player, I get the download, and I can just open it... what I want is the "block" then a user has to click Keep (to download or launch it) or Discard to delete it.

 

Is it possible to have this setup?

I ask because we have a security requirement to have all downloads behave like this and this seems to me to be a great fit!

It enforces the user to make a conscious decision about the files they are downloading... so that extra click can deter (as well as piss them off).

 

We control policies using GPOs, and since version 91 seems to enforce this (along with Chrome version 91), I am really curious if we can turn this on for all downloads.

 

Ideally I would like to prevent it for internal files, but definitely for external sites (even known good ones).

I did read this: Interrupting Downloads of Potentially Dangerous Files | Microsoft Docs (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-downloads-interruptions). But it is unclear to me if this is what I really need to do. I don't want to manage file types and domains.

 

Appreciate any help.

 

Kevin J

2 Replies

@KevinJ613 Hello!  Just to confirm, was the DownloadRestrictions policy working for your organization prior to the v91 update?  (Example: it prompted the users to choose "Keep" or "Delete" for every file downloaded)  Then after the update to v91, the behavior of the policy changed? 

 

I scanned through the policies and saw the PromptForDownloadLocation policy (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#promptfordownloadlocation). Would something like this help users consciously decide before downloading a file?

 

Thanks! 

 

-Kelly

 

 

@Kelly_Y 

 

No, we have never had that prompt show up until version 91 was released, but even then it ONLY showed up after I made a change to the DownloadRestrictions Policy.

 

So my Policy was originally set to BlockDangerousDownloads, which allowed files to be downloaded (again never got that Keep or delete message for any downloads that I am aware of).
As soon as the release of v91, we were getting full blocks (no changes to the GPO).

[Screenshot: KevinJ613_0-1622781763509.png]

I then changed the Policy to 'No Special restrictions' and we were now getting this:

[Screenshot: KevinJ613_1-1622781824563.png]

Once you choose Keep from the menu, after a few minutes the next time this file type is clicked to be downloaded, it will just present the Open/Save As/Save option.

 

The above screenshots are of an .msg file from a ticketing system; we also later found out that people trying to download internal applications were also being blocked.

 

I started reading this Interrupting Downloads of Potentially Dangerous Files | Microsoft Docs and it got me thinking: what if we can ALWAYS enable the prompt that asks a user to Keep or Delete?

I don't fully understand what is actually happening, because according to that page (and subsequent links) the .msg file should not have been blocked as it has always been opened before. The difference is, that was done prior to version 91.


We have a requirement of the following:

If any of the executable test files are downloaded successfully and can be executed without a warning and prompt for the user to decide whether or not to proceed then record a Fail result for this sub-test. Otherwise, record a Pass result for this sub-test.

 

So to me this fits that requirement, even if it is not intended to do so.

 

So I don't want to Block the files, I just want it to always prompt regardless of what files are being downloaded. So any "known good files" from, let's say, Microsoft will still give us this prompt and then we have to click Keep.

This is a total PITA move, but we have special requirements from au

Bonus points if we can exclude internal domains from being prompted.

 

And to answer your question, I don't see how Prompt for location would provide me with the block prompt and then the option to Keep or Delete.

I get the intent of asking where to save each time, but that is not necessarily a warning, where the above one is a warning if you will.