ExemptDomainFileTypePairsFromFileTypeDownloadWarnings policy

%3CLINGO-SUB%20id%3D%22lingo-sub-2596019%22%20slang%3D%22en-US%22%3EExemptDomainFileTypePairsFromFileTypeDownloadWarnings%20policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2596019%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20trying%20to%20configure%20the%26nbsp%3BExemptDomainFileTypePairsFromFileTypeDownloadWarnings%20policy%20to%20allow%20EML%20and%20MSG%20attachments%20from%20our%20HR%20systems%20to%20be%20downloaded%20automatically%2C%20without%20having%20to%20allow%20them.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22edge%20error.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F299524iAFF847598CFD41E9%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22edge%20error.png%22%20alt%3D%22edge%20error.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20use%20DNS%20aliases%2C%20so%20I%20have%20whitelisted%20%22.hrm.app.ourcompany.com%22%2C%26nbsp%3B%22.hrm.appdev.ourcompany.com%22%20and%26nbsp%3B%22.hrm.appacc.ourcompany.com%22%2C%20as%20I%20read%20in%20the%20documentation%20that%20you%20need%20to%20start%20with%20a%20period%20to%20match%20that%20specific%20entry.%26nbsp%3B%20We%20don't%20want%20to%20whitelist%20our%20entire%20domain%20if%20possible%2C%20for%20security%20reasons.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20configured%20this%20through%20Group%20Policy%20using%20the%20example%20in%20the%20documentation%2C%20and%20it%20loads%20correctly%20in%20the%20edge%3A%2F%2Fpolicy%20list.%26nbsp%3B%20Its%20strange%20that%20%22domains%22%20and%20%22file_extension%22%20are%20swapped%20around%2C%20although%20it%20says%20OK.%26nbsp%3B%20In%20edge%3A%2F%2Fpolicy%20I%20have%20the%20following%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%7B%20%22domains%22%3A%20%5B%20%22.hrm.app.ourcompany.com%22%2C%20%22.hrm.appacc.ourcompany.com%22%2C%20%22.hrm.appdev.ourcompany.com%22%20%5D%2C%20%22file_extension%22%3A%20%22eml%22%20%7D%20%2C%7B%20%22domains%22%3A%20%5B%20%22.hrm.app.ourcompany.com%22%2C%20%22.hrm.appacc.ourcompany.com%22%2C%20%22.hrm.appdev.ourcompany.com%22%20%5D%2C%20%22file_extension%22%3A%20%22msg%22%20%7D%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EBut%20this%20doesn't%20work%2C%20my%20users%20still%20receive%20the%20message%20that%20they%20first%20need%20to%20allow%20the%20file.%26nbsp%3B%20Is%20there%20somewhere%20I%20can%20check%20the%20internal%20processing%20of%20these%20rules%3F%26nbsp%3B%20I%20don't%20see%20anything%20in%20DevTools%2C%20unless%20I%20am%20looking%20in%20the%20wrong%20place.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EHas%20anybody%20successfully%20implemented%20this%20policy%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2596597%22%20slang%3D%22en-US%22%3ERe%3A%20ExemptDomainFileTypePairsFromFileTypeDownloadWarnings%20policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2596597%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F396562%22%20target%3D%22_blank%22%3E%40Tom_Fox%3C%2FA%3E%26nbsp%3BHi!%26nbsp%3B%20There%20have%20been%20some%20recent%20discussions%20about%20this%20same%20policy.%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fenterprise%2Fsmartscreen-turned-off-gt-java-webstart-jnlp-files-are-marked-as%2Fm-p%2F1584480%2Fhighlight%2Ftrue%23M2272%22%20target%3D%22_blank%22%3ERe%3A%20SmartScreen%20turned%20off%20-%26gt%3B%20Java%20Webstart%20JNLP%20Files%20are%20marked%20as%20%22can%20harm%20your%20computer%20-%20Microsoft%20Tech%20Community%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlso%2C%20separately%20we've%20had%20a%20user%20mention%20that%20if%20using%20the%20GP%20editor%20%22%3CSPAN%3Eeach%20file_extension%20MUST%20be%20entered%20on%20a%20separate%20line%20in%20the%20editor%2C%20or%20the%20policy%20will%20not%20apply.%22%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3E-Kelly%3C%2FEM%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2716861%22%20slang%3D%22en-US%22%3ERe%3A%20ExemptDomainFileTypePairsFromFileTypeDownloadWarnings%20policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2716861%22%20slang%3D%22en-US%22%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F757644%22%20target%3D%22_blank%22%3E%40Kelly_Y%3C%2FA%3E%2C%3CBR%20%2F%3E%3CBR%20%2F%3ESorry%20for%20my%20late%20reply%20to%20this.%20After%20extensive%20testing%2C%20we%20can%20confirm%20that%20this%20policy%20works%20fine%20when%20we%20specify%20server%20names%2C%20but%20fails%20when%20we%20use%20DNS%20aliases.%20I%20believe%20this%20a%20bug.%20Please%20can%20you%20ask%20your%20Dev%20Team%20to%20replicate%20this%20to%20confirm.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20tried%20looking%20in%20the%20DevTools%20logs%20when%20launching%20a%20download%2C%20to%20see%20if%20I%20can%20find%20a%20check%20on%20these%20rules%2C%20but%20didn't%20find%20anything.%20Can%20you%20confirm%20if%20there%20is%20some%20logging%20generated%20when%20downloading%3F%3CBR%20%2F%3E%3CBR%20%2F%3ETom%20Fox%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2730384%22%20slang%3D%22en-US%22%3ERe%3A%20ExemptDomainFileTypePairsFromFileTypeDownloadWarnings%20policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2730384%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F396562%22%20target%3D%22_blank%22%3E%40Tom_Fox%3C%2FA%3E%26nbsp%3BHi!%26nbsp%3B%20I've%20reached%20out%20to%20the%20team%20about%20the%20issue%20you%20are%20having%20with%20DNS%20aliases.%26nbsp%3B%20We%20will%20follow%20up%20with%20any%20insights%20from%20them.%26nbsp%3B%20Thanks!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3E-Kelly%3C%2FEM%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2779366%22%20slang%3D%22en-US%22%3ERe%3A%20ExemptDomainFileTypePairsFromFileTypeDownloadWarnings%20policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2779366%22%20slang%3D%22en-US%22%3EHi%20Kelly%2C%3CBR%20%2F%3EAre%20you%20able%20to%20offer%20the%20syntax%20for%20multi%20files%20types%20on%20a%20single%20domain%3F%20We%20use%20MEM%20and%20OMA-URI%20to%20achieve%20this%2C%20but%20struggling%20to%20get%20more%20than%20one%20file%20type%20accepted.%3CBR%20%2F%3EThanks%2C%3CBR%20%2F%3EAlex%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2783633%22%20slang%3D%22en-US%22%3ERe%3A%20ExemptDomainFileTypePairsFromFileTypeDownloadWarnings%20policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2783633%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1013600%22%20target%3D%22_blank%22%3E%40astee1280%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20need%20to%20put%20each%20file%20extension%20on%20a%20new%20line.%20In%20my%20example%2C%20this%20is%20as%20follows%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%7B%22file_extension%22%3A%20%22eml%22%2C%20%22domains%22%3A%20%5B%20%22.hrm.app.ourcompany.com%22%2C%20%22.hrm.appacc.ourcompany.com%22%2C%20%22.hrm.appdev.ourcompany.com%22%20%5D%20%7D%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%7B%22file_extension%22%3A%20%22msg%22%2C%20%22domains%22%3A%20%5B%20%22.hrm.app.ourcompany.com%22%2C%20%22.hrm.appacc.ourcompany.com%22%2C%20%22.hrm.appdev.ourcompany.com%22%20%5D%20%7D%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2787398%22%20slang%3D%22en-US%22%3ERe%3A%20ExemptDomainFileTypePairsFromFileTypeDownloadWarnings%20policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2787398%22%20slang%3D%22en-US%22%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F396562%22%20target%3D%22_blank%22%3E%40Tom_Fox%3C%2FA%3E%2C%3CBR%20%2F%3E%3CBR%20%2F%3EOur%20current%20working%20example%20is%3B%3CBR%20%2F%3E%3CENABLED%3E%3C%2FENABLED%3E%3CDATA%20id%3D%22%26quot%3BExemptDomainFileTypePairsFromFileTypeDownloadWarningsDesc%26quot%3B%22%20value%3D%22'1%26amp%3B%23xF000%3B%7B%26quot%3Bfile_extension%26quot%3B%3A%22%3E%3C%2FDATA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EShould%20the%202%20line%20example%20be%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3CENABLED%3E%3C%2FENABLED%3E%3CDATA%20id%3D%22%26quot%3BExemptDomainFileTypePairsFromFileTypeDownloadWarningsDesc%26quot%3B%22%20value%3D%22'1%26amp%3B%23xF000%3B%7B%26quot%3Bfile_extension%26quot%3B%3A%22%3E%3C%2FDATA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EWould%20you%20be%20able%20to%20copy%20out%20your%20working%20string%3F%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%2C%3CBR%20%2F%3EAlex%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2790724%22%20slang%3D%22en-US%22%3ERe%3A%20ExemptDomainFileTypePairsFromFileTypeDownloadWarnings%20policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2790724%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1013600%22%20target%3D%22_blank%22%3E%40astee1280%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20are%20you%20configuring%20this%20setting%2C%20through%20Group%20Policy%2C%20InTune%20or%20directly%20in%20the%20registry%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETom%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2790828%22%20slang%3D%22en-US%22%3ERe%3A%20ExemptDomainFileTypePairsFromFileTypeDownloadWarnings%20policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2790828%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F396562%22%20target%3D%22_blank%22%3E%40Tom_Fox%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EVia%20MEM%20(Intune).%20They%20are%20set%20as%20OMA-URI%20strings.%3C%2FLINGO-BODY%3E
Contributor

I am trying to configure the ExemptDomainFileTypePairsFromFileTypeDownloadWarnings policy to allow EML and MSG attachments from our HR systems to be downloaded automatically, without having to allow them.

 

edge error.png

 

We use DNS aliases, so I have whitelisted ".hrm.app.ourcompany.com", ".hrm.appdev.ourcompany.com" and ".hrm.appacc.ourcompany.com", as I read in the documentation that you need to start with a period to match that specific entry.  We don't want to whitelist our entire domain if possible, for security reasons.

 

I have configured this through Group Policy using the example in the documentation, and it loads correctly in the edge://policy list.  Its strange that "domains" and "file_extension" are swapped around, although it says OK.  In edge://policy I have the following:

 

{ "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ], "file_extension": "eml" } ,{ "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ], "file_extension": "msg" }

 

But this doesn't work, my users still receive the message that they first need to allow the file.  Is there somewhere I can check the internal processing of these rules?  I don't see anything in DevTools, unless I am looking in the wrong place.

 

Has anybody successfully implemented this policy?

15 Replies

@Tom_Fox Hi!  There have been some recent discussions about this same policy.  Re: SmartScreen turned off -> Java Webstart JNLP Files are marked as "can harm your computer - Micro...

 

Also, separately we've had a user mention that if using the GP editor "each file_extension MUST be entered on a separate line in the editor, or the policy will not apply." 

 

-Kelly

Hi @Kelly_Y,

Sorry for my late reply to this. After extensive testing, we can confirm that this policy works fine when we specify server names, but fails when we use DNS aliases. I believe this a bug. Please can you ask your Dev Team to replicate this to confirm.

I tried looking in the DevTools logs when launching a download, to see if I can find a check on these rules, but didn't find anything. Can you confirm if there is some logging generated when downloading?

Tom Fox

@Tom_Fox Hi!  I've reached out to the team about the issue you are having with DNS aliases.  We will follow up with any insights from them.  Thanks!

 

-Kelly

Hi Kelly,
Are you able to offer the syntax for multi files types on a single domain? We use MEM and OMA-URI to achieve this, but struggling to get more than one file type accepted.
Thanks,
Alex

@astee1280 

 

You need to put each file extension on a new line. In my example, this is as follows:

 

{"file_extension": "eml", "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ] }

{"file_extension": "msg", "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ] }

Hi @Tom_Fox,

Our current working example is;
<Enabled/><data id="ExemptDomainFileTypePairsFromFileTypeDownloadWarningsDesc" value='1&#xF000;{"file_extension": "eml", "domains": ["mydomain"]}'/>

Should the 2 line example be;

<Enabled/><data id="ExemptDomainFileTypePairsFromFileTypeDownloadWarningsDesc" value='1&#xF000;{"file_extension": "eml", "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ] }, {"file_extension": "msg", "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ] }'/>

Would you be able to copy out your working string?

Thanks,
Alex

@astee1280 

 

How are you configuring this setting, through Group Policy, InTune or directly in the registry?

 

Tom

@Tom_Fox

Via MEM (Intune). They are set as OMA-URI strings.
@astee1280 I'm not familiar with Intune but found this example of multiple items in Edge policies. I hope you can work it out. Search for multiple on this page

https://docs.microsoft.com/en-us/deployedge/configure-edge-with-mdm
Hi Astee1280, Did you ever work this out? I'm trying to get the OMA-URI settings right for this setting for intune too.
@Tom_Fox
Did you ever get this to work for you?

-Shon

@TofuFace 

 

Unfortunately not. Used Device configuration profile - Settings Catalog instead. 

@astee1280 

 

I finally got this to work, incase you or anyone else want to know how I did it let me know!

 

-Shon

Please share the syntax. Thanks

@astee1280 

 

Sure! Create (2) keys under:  Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge

 

Regkeys1.png

Under AutoOpenFileTypes, create a string and name it "1" and add value "jnlp" no quotes

jnlp.jpg

 

Create another string under: ExemptDomainFileTypePairsFromFileTypeDownloadWarnings

Also named "1" with the following value:  

{"file_extension": "jnlp", "domains": ["yourDomain"]}

testDomain.jpg

That's it! Hope this works for you!

 

-Shon