ExemptDomainFileTypePairsFromFileTypeDownloadWarnings policy

I am trying to configure the ExemptDomainFileTypePairsFromFileTypeDownloadWarnings policy to allow EML and MSG attachments from our HR systems to be downloaded automatically, without having to allow them.



We use DNS aliases, so I have whitelisted ".hrm.app.ourcompany.com", ".hrm.appdev.ourcompany.com" and ".hrm.appacc.ourcompany.com", as I read in the documentation that you need to start with a period to match that specific entry.  We don't want to whitelist our entire domain if possible, for security reasons.


I have configured this through Group Policy using the example in the documentation, and it loads correctly in the edge://policy list.  It's strange that "domains" and "file_extension" are swapped around, although it says OK.  In edge://policy I have the following:


{ "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ], "file_extension": "eml" } ,{ "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ], "file_extension": "msg" }


But this doesn't work, my users still receive the message that they first need to allow the file.  Is there somewhere I can check the internal processing of these rules?  I don't see anything in DevTools, unless I am looking in the wrong place.


Has anybody successfully implemented this policy?

15 Replies

@Tom_Fox Hi!  There have been some recent discussions about this same policy.  Re: SmartScreen turned off -> Java Webstart JNLP Files are marked as "can harm your computer - Micro...


Also, separately we've had a user mention that if using the GP editor "each file_extension MUST be entered on a separate line in the editor, or the policy will not apply." 



Hi @Kelly_Y,

Sorry for my late reply to this. After extensive testing, we can confirm that this policy works fine when we specify server names, but fails when we use DNS aliases. I believe this is a bug. Please can you ask your Dev Team to replicate this to confirm.

I tried looking in the DevTools logs when launching a download, to see if I can find a check on these rules, but didn't find anything. Can you confirm if there is some logging generated when downloading?

Tom Fox

@Tom_Fox Hi!  I've reached out to the team about the issue you are having with DNS aliases.  We will follow up with any insights from them.  Thanks!



Hi Kelly,
Are you able to offer the syntax for multiple file types on a single domain? We use MEM and OMA-URI to achieve this, but are struggling to get more than one file type accepted.



You need to put each file extension on a new line. In my example, this is as follows:


{"file_extension": "eml", "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ] }

{"file_extension": "msg", "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ] }

Hi @Tom_Fox,

Our current working example is;
<Enabled/><data id="ExemptDomainFileTypePairsFromFileTypeDownloadWarningsDesc" value='1&#xF000;{"file_extension": "eml", "domains": ["mydomain"]}'/>

Should the 2 line example be;

<Enabled/><data id="ExemptDomainFileTypePairsFromFileTypeDownloadWarningsDesc" value='1&#xF000;{"file_extension": "eml", "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ] }, {"file_extension": "msg", "domains": [ ".hrm.app.ourcompany.com", ".hrm.appacc.ourcompany.com", ".hrm.appdev.ourcompany.com" ] }'/>

Would you be able to copy out your working string?




How are you configuring this setting, through Group Policy, InTune or directly in the registry?




Via MEM (Intune). They are set as OMA-URI strings.

@astee1280 I'm not familiar with Intune but found this example of multiple items in Edge policies. I hope you can work it out. Search for multiple on this page

Hi Astee1280, Did you ever work this out? I'm trying to get the OMA-URI settings right for this setting for intune too.
Did you ever get this to work for you?




Unfortunately not. Used Device configuration profile - Settings Catalog instead. 



I finally got this to work. In case you or anyone else wants to know how I did it, let me know!



Please share the syntax. Thanks



Sure! Create (2) keys under:  Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge



Under AutoOpenFileTypes, create a string and name it "1" and add value "jnlp" no quotes



Create another string under: ExemptDomainFileTypePairsFromFileTypeDownloadWarnings

Also named "1" with the following value:  

{"file_extension": "jnlp", "domains": ["yourDomain"]}


That's it! Hope this works for you!
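
The registry layout described in the last post, scripted for the eml/msg case from the first post. This is an added example, not code from any poster in the thread or from Microsoft. It assumes the key path quoted above and one JSON object per numbered string value, as the replies describe, and it must be run from an elevated PowerShell session because it writes under HKLM.

```powershell
# Added example (not from the thread). Run elevated: it writes under HKLM.
# Key path as quoted in the last post of the thread.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExemptDomainFileTypePairsFromFileTypeDownloadWarnings'

# Values from the first post: specific host suffixes, not the whole company domain.
$domains    = @('.hrm.app.ourcompany.com', '.hrm.appacc.ourcompany.com', '.hrm.appdev.ourcompany.com')
$extensions = @('eml', 'msg')

function New-ExemptionEntry {
    param([string]$Extension, [string[]]$Domains)
    # Keep to the form used in the thread: bare extension, non-empty domain list.
    if ($Extension -notmatch '^[A-Za-z0-9]+$') {
        throw "Unexpected extension format: '$Extension'"
    }
    if (-not $Domains -or ($Domains | Where-Object { [string]::IsNullOrWhiteSpace($_) })) {
        throw "Every entry needs at least one non-empty domain"
    }
    # One JSON object per entry; [ordered] keeps file_extension first for readability.
    [ordered]@{ file_extension = $Extension.ToLower(); domains = $Domains } |
        ConvertTo-Json -Compress
}

if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# Clear existing values first so a shorter list does not leave a stale exemption behind.
(Get-Item $policyKey).Property | ForEach-Object {
    Remove-ItemProperty -Path $policyKey -Name $_
}

$index = 1
foreach ($ext in $extensions) {
    $json = New-ExemptionEntry -Extension $ext -Domains $domains
    $null = $json | ConvertFrom-Json   # throws if the string is not valid JSON
    # Each file extension gets its own numbered string value: "1", "2", ...
    New-ItemProperty -Path $policyKey -Name "$index" -Value $json `
        -PropertyType String -Force | Out-Null
    $index++
}

# Read the values back so the result can be compared with edge://policy.
$key = Get-Item $policyKey
$key.Property | Sort-Object | ForEach-Object { '{0} = {1}' -f $_, $key.GetValue($_) }
```

After running it, reload edge://policy to confirm the policy shows both entries with status OK.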