@ashmelburnian Hey guys, this is interesting so I'm going to enter the conversation as well :) The first two options are associated with OME (built-in Office Message Encryption) and the two others are the pretty old default policy templates from AIP, not being created as of April 2019 for new customers. When using OME the external (anonymous) recipients should indeed get a link to enter the OME portal, either with their social id or pass code depending on the OME-configuration. Perhaps this is old news for you, I just wanted to say something entering the conversation!
Hi, I received your test message and whilst I was unable to access it via the Gmail web interface, I was able to open it via Outlook using the AIP viewer. This is going to be the only way that the Gmail users will be able to do this.
As @ChristianBergstrom pointed out, the options you are using for encryption are the built-in OME / and older default AIP templates. I would recommend taking a look at updating your labels and policies. Could be a good time to start looking to migrate to Sensitivity Labels from the Security and Compliance Center, as Microsoft are planning to "sunset" the older AIP method in 2021 as per -information-protection/announcing-timelines-for-sunsett...
@ashmelburnian Hey! There's really no need to look for third-party solutions when you have them built-in with your subscriptions. Not only in Office Message Encryption but you mentioned AIP as well. If you don't want to update your AIP settings or migrate to the unified labeling experience you could at least configure OME (for the end-users to choose as an option or as mail flow rule) as it should solve the particular external encryption issue.
"All Microsoft 365 end-users that use Outlook clients to read mail receive native, first-class reading experiences for encrypted and rights-protected mail even if they're not in the same organization as the sender. Supported Outlook clients include Outlook desktop, Outlook Mac, Outlook mobile on iOS and Android, and Outlook on the web (formerly known as Outlook Web App)."
Recipients of encrypted messages who receive encrypted or rights-protected mail sent to their Outlook.com, Gmail, and Yahoo accounts receive a wrapper mail that directs them to the OME Portal where they can easily authenticate using a Microsoft account, Gmail, or Yahoo credentials.
We had been using the previous version of OME; however, encryption via the mail flow rule that was set up stopped working for one user some time ago. Other accounts, and new ones, were not affected. Suddenly on December 16 the previous version of OME stopped working for all. We switched to the new version, Azure Information Protection. It works for internal staff members who are using the Outlook client. It does not work for external recipients, as described by telecaster below. We have read extensively on what to do, reviewed the steps provided below, and have run numerous PowerShell scripts that are published in Microsoft's extensive library. All our efforts have not brought us closer to collaborating securely with outside users, which we were able to do with the previous version of OME before December 16. And our internal users cannot decrypt their secure messages when signed in to Outlook Web Access e-mail. Does anyone have suggestions? Where do we go from here?
@piekedahla Hi, this is a rather delicate subject to try to explain in the community. So I'm just going to start by saying that as I understand it you've been using legacy OME (only mail flow rules possible) and then you have moved on to AIP. What you could have done is to upgrade to the new OME instead of going over to using AIP. OME is built on Azure RMS as part of AIP, securing only the email/attachments while AIP is securing the documents wherever they may be in all products and services. If you do use AIP labels right now you need to migrate to the sensitivity labels before March 31st.
You mentioned you have read extensively but I wonder if you have been reading the associated docs? I'm attaching a couple of links; if it still doesn't make sense I recommend you contact Microsoft for assistance.
When I send to an M365-Family recipient, and/or an "Outlook.com personal account", the recipient can open and read the Encrypted email. Recipient using OWA on Chrome. Recipient sees a Lock icon in the Inbox list, and when message is open shows message-- This message is encrypted.
Sorry, we can't display your message right now
Something went wrong and your encrypted message couldn't be opened.
Please try again by following the instructions in the original email message in 5 minutes.
Note: a few months ago, this did indeed work correctly. The Gmail recipient was asked to Logon with an account or receive a one-time code. The recipient used the one-time code, and then was able to read the encrypted email.
@ChristianBergstrom, we already had reviewed all the articles you referenced. None of them help. We seem to be configured properly. Our mail flow rules work for internal users. Again, the previous version of OME worked for everyone until December 16. The new version never worked for outside recipients. We want them to be able to request a one-time passcode. They do not get the option. We also tried to enable those with Gmail and other major provider accounts the ability to sign in. None of the steps we have taken have resolved the issue. We still cannot collaborate securely with our outside partners. The change in our ability to manage our encryption capabilities continues to be a mystery.
Protected messages allow the sender to set specific permissions on a message, such as Do Not Forward or Do Not Print. If you receive a protected email message sent to the work or school account you use with Microsoft 365 in Outlook or Outlook on the web, the message should open like any other message. You'll see a banner at the top of the message that informs you of any restrictions on the message.
Some email clients and services can't automatically open protected messages. If you have an email account with Yahoo or other Internet Service Provider, you'll need to obtain a single-use code to read the message.
@piekedahla Hello, well I have used and configured the new OME so that external users that are not using EXO for ex. but instead Gmail, Yahoo etc. use either an OTP or their Social ID sign-in, to enter the OME portal.
What do your IRM-config and OME-config and mail flow rules look like? You said you're using AIP now. That's quite different as OME only has the "Encrypt-Only" and "Do not Forward" as options. The other options you get from your client are based on AIP.
Hi Folks just wondering if there is a simple fix to this yet? I am very much a non tech person just trying to help my wife send encrypted mail for her business via 365. All works fine as per the previous threads outlook to outlook but not with Gmail. All the advice in the previous threads looks too daunting for me to try! Hoping a simple fix has been found? Thanks Phil
We had to move to Azure and start using the new encryption method. When we made the change, encrypted messages sent to Gmail, Hotmail, Outlook, and other e-mail services could be decrypted. Azure enabled the authentication needed to make the decryption process seamless. Now, all is well. Our external partners and collaborators can open and respond to secured messages sent to their corporate and personal accounts.
My issue is that I'm already signed in to my Microsoft account with "stay signed in" checked, so when I get an encrypted message in Gmail just display the freaking message. I'm already signed in to my Microsoft account so stop making me jump through hoops to see the message. Sometimes I get a couple dozen encrypted messages a day and I have to go through the ridiculous process for every single message.
I password-protected a PDF with Acrobat Pro 2020, then tried to open it again. Instead of being asked for the password, however, I received an error message that told me the file was corrupted and couldn't be repaired. What!!!
As if that wasn't weird enough, here's the next level: I encrypted a PDF in Preview this time, and saved it. When I tried to open it in Acrobat, I was asked for the password, typed it in, and it worked, too!
Thanks for replying, also to try67. Opening the file in Preview first didn't change anything. The Acrobat version is 2020.001.30020. But I don't think this plays a role here. - Why? Because here's what I found today:
That's what I usually do with scans - I OCR them. And no, not in Acrobat, but in ABBYY Fine Reader. Obviously, the two don't get along too well. For the sake of testing, I tried using Acrobat's OCR function and then encrypted the file. And bingo, this time it worked! I could open the file with my password, the way it's supposed to be.
I didn't ask in order to encourage you to try it, but to warn you that opening it in Preview may very well cause this issue, as it's a buggy application that corrupts PDF files just by opening them...
Actually that does sound like a fault in Acrobat, and a serious one. I'm glad you found a way to avoid it. I can confirm the version you are running (2020.001.30020) is the latest available update to Acrobat 2020, as of May 2021. I asked because I think I remember a similar problem being fixed.