# _general
k
I did come across that issue. I don't think I ever found a workaround
r
Okay, thanks, man. I hope you are doing well and the new role is going well.
j
Redirect the cache somewhere else? (Painful, I know)
r
Yea, that was another option we bounced around. The problem that I see is that because the C location is being restricted from the browser, if we redirect it to another location such as Docs or Desktop (examples), the variable that’s being used will still call %username%\path, which is c:\username\location. I’m spitballing here, though, without testing this. Although a cache drive or UNC path could be an option. But we will need to put some sort of script in place to clean it up, which adds more overhead for the folks doing the admin side. But that’s me spitballing things.
j
TBH that should only be blocked if it actually uses the browser to go to the file. Is it an AppLocker GPO or a Chromium one you are using?
r
Yea, that’s right. From my understanding of what I sent yesterday, a user received an email attachment and they tried to open it, and from what I saw it was a link and it was referencing the path to the C location, which Edge tried to open up. I was trying to help a colleague out and it was secondhand information, so I might not have all the details correct here, but from the screenshot she sent me that is what it looks like.
j
Can you make the link open in Explorer instead?
r
yea maybe.
m
Outlook opens everything in Edge by default now. You can get it to use the default browser by going to Outlook Options > Advanced > Link Handling > “Open hyperlinks from Outlook in:” > Select “Default Browser”.
j
So attachments open in the browser? Even if they're like, a document? Or does it respect the user-level FTA?
Oh right, that's just if they're hyperlinks
m
A lot of attachments will open in the browser; it’s something they did to Teams too
but a lot of attachments are really SharePoint links
especially internally
l
Here is what the users see:
Here is the policy setting:
j
That is ridiculously stupid if you're sending documents, IMO
r
I don’t follow?
j
Why would you set documents to open in the browser? Why not honour the FTA? And remove the risk of it being blocked by a policy which is intended to stop people digging through the filesystem using the browser
r
Oh i see now, yea I agree.
Something MS does, it appears. There has to be a way around it. It’s aggravating because by default it wants to open from the C drive. But they (MS) also put these settings in the Edge hardening GPO in the security baseline tool. So I don’t know why they do it. But all in all it’s the dang INetCache lookup they do from the C drive, which in this case pulls up Edge. It’s very annoying
Temp workaround is to save the attachment to the docs. Then it should open
l
@Ray Davis I gave them two options and told them I would try to find a different solution. Option 1 was to save it somewhere else that they have access to and then open it and Option 2 was to disable only the "file///C/" on the Edge policy. They opted for option 2 but I could hear the other Admin wasn't happy about it as he preferred option 1. Anyway, I was thinking there had to be a way around this but so far, I haven't found anything yet. I'm not giving up yet!
r
After thinking on this more, there may be a way. @James Rankin mentioned the possibility of having it open Windows Explorer instead. I am not sure how to achieve this yet myself. Basically, the concept would be that if the link is opened, somehow open File Explorer to the location instead. It's a long shot, but I am thinking about how to achieve this. Just not certain it's possible.
@Lacretia Bates I went back and re-read the "Define a list of allowed URLs" policy. You can use this policy to open exceptions to a restrictive block list. But I am not sure if it will honor %username%.
Example: the block list has = file///C/
I was wondering if the allow list would work for: file///C/Users/%username%/AppData/Local/Microsoft/Windows/INetCache/
If I call it in the browser = file///C/Users/%username%/AppData/Local/Microsoft/Windows/INetCache/ = does not work
But if I call this in the browser = file///C/Users/ray/AppData/Local/Microsoft/Windows/INetCache/ = works
May be able to script something to insert it in for each user.
Not sure yet though
This may be the ticket
```powershell
# Retrieve the currently logged-in user's username
$Username = $env:USERNAME

# Build the URL for the URL allow list
$URLToAdd = "file:///C:/Users/$Username/AppData/Local/Microsoft/Windows/INetCache/"

# Set the registry path (HKLM policy keys require an elevated session)
$RegistryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Edge"

# Create a new registry key if it doesn't exist
$URLAllowListKey = Join-Path $RegistryPath "URLAllowList"
if (-not (Test-Path $URLAllowListKey)) {
    New-Item -Path $URLAllowListKey -Force | Out-Null
}

# Set the URL value under the URLAllowList key.
# -Force lets the script be re-run; it overwrites any existing value named "1".
New-ItemProperty -Path $URLAllowListKey -Name "1" -Value $URLToAdd -PropertyType String -Force | Out-Null

Write-Host "URL $URLToAdd added to the allow list."
```