Cumulative Updates KB5026363 and KB5023697 both seem to cause an issue with Office security block on attachments

Moy A 0 Reputation points
2023-05-10T14:49:06.6766667+00:00

After installing KB5023697 on Windows Server 2016, attachments sent via email are automatically blocked once saved. Users are unable to open the attachments unless they unblock the file through its properties (see screenshot below). I uninstalled the update and the issue went away.

unblock

It seems like KB5026363 also had this effect. Although I'm not 100% sure for this update because there were other updates that were installed along with it. I uninstalled all the updates to work around the issue.

System information

Windows Server 2016 Standard, version 1607

OS Build 14393.5717

Microsoft Office 2016 (16.0.5387.1000) MSO (16.0.5366.1000) 32-bit

Before finding out that a Windows Update was causing this problem, I had paid some attention to Attachment Manager and applied the group policy to some domain users, as described here:

User Configuration\Administrative Templates\Windows Components\Attachment Manager

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation

  • set value to 1 to enable the policy.
  • this however, did not resolve the problem and the attachments were still being blocked
Office
Office
A suite of Microsoft productivity software that supports common business tasks, including word processing, email, presentations, and data management and analysis.
1,447 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,776 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Limitless Technology 44,091 Reputation points
    2023-05-18T13:11:47.6666667+00:00

    Hello,

    The steps seem correct, but I would suggest to check if the policy is applied correctly to the affected clients. You can use the command line "GPRESULT /H output.html" in order to create an HTML file that contains the policy infomation or issues in a client computer.

    Additionally on the administrative template, you can try using the next policy to disable Attachment Manager:

    User Configuration > Administrative Templates > Windows Components > Attachment Manager > Do not preserve zone information in file attachments = Enabled

    --If the reply is helpful, please Upvote and Accept as answer--