How to stop Office 365 sending those pesky winmail.dat attachments

Are your attachments breaking?
Are your attachments breaking?

If you have used Outlook for any length of time, you’ve probably heard of winmail.dat – you may not have seen it but someone you have sent a message to may have complained about not being able to open an attachment you sent.

Usually the people complaining are using something like Thunderbird, some weird webmail or the (god awful) Mac mail client.

In the words of Microsoft:

Do some of your users report that e-mail recipients in external domains can’t open their messages that contain a Winmail.dat attachment? If so, the recipients in the external domain are probably using an e-mail client that doesn’t support the Transport Neutral Encapsulation Format (TNEF). Microsoft Outlook is one of the few e-mail clients that support TNEF-encoded messages, although some third-party utilities can help convert Winmail.dat attachments.

They make it sound like Outlook supporting TNEF is a good thing, don’t they? When actually it’s a really bad thing that Exchange does!

If you use the Gmail web client you won’t notice these problems – Gmail automatically converts winmail.dat attachments. Clever Gmail.

If you use Thunderbird, you could use the LookOut add-on – it appears to work well.

Time to be a good corporate citizen

However, lets assume you’re using Office 365, your recipients have complained about winmail.dat attachments and, rather than pass the buck back to them, you want to do the right thing. So how do you stop these attachments going out?

Nerd Alert!There isn’t an easy way to do this on the web client. Like many things, we have to go down the yucky PowerShell route. So, assuming you haven’t used PowerShell with Office 365, you will need the following:

1) Download and install the Microsoft Online Services Sign-In Assistant for IT Professionals

2) Download and install the Microsoft Online Services Module (step 2)

3) Fire up PowerShell on your PC using “Run As Administrator”

You will need to paste in the following commands:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $LiveCred -Authentication Basic –AllowRedirection

Import-PSSession $Session

Set-RemoteDomain Default -TNEFEnabled $false

The first line asks for your Office 365 (admin account, please!) username and password and connects you to the service.

Line 2 imports the commands you are going to need.

Line 3 prevents TNEF messages being sent outside of your domain.

Setting it to anywhere outside of your domain is a slightly broad brush-stroke, but it does reduce the overhead of having to keep going back and fix it for each domain you discover that cannot cope. But if you really wanted to only disable TNEF for specific domains, you can:

New-RemoteDomain -Name Awkward -DomainName
Set-RemoteDomain Awkward -TNEFEnabled $false

In the first line you define your awkward domain, in the second you prevent TNEF messages going to it.

Is there a bigger hammer?

Yes, but while it’s a big hammer it’s also nice and sharply targeted…

Set-MailContact <ExternalEmailAddress or GUID> -UseMapiRichTextFormat Never

…will set mail sent to ExternalEmailAddress to always be sent plain text – no formatting at all.

Like stepping back in time.

Some might say a happier time, when people cared about the amount of bandwidth they used, didn’t send huge attachments and didn’t expect everyone to be using Outlook.

Some might say that, not me of course! I’m just thinking it…

(Updated 2014 to change -ConnectionUri from to

Follow me

Jonathan Gwyer

Jonathan Gwyer first delved into geekery with a ZX81 in 1981 and has been working in IT since 1990.

A Microsoft Certified Professional with many years of large corporate experience and training, he now focuses on helping small businesses make the most of their IT.
Follow me

Latest posts by Jonathan Gwyer (see all)

  • Johnny Blaze

    Thank you!

  • Alex C Smith

    Worked well, thanks heaps! Only extra thing I had to do first, was to run:
    Set-ExecutionPolicy RemoteSigned

    Also to verify it works i.e. to get a list of all remote domains where TNEF is disabled:
    Get-RemoteDomain | Where {$_.TNEFEnabled -eq $false}

    Also notes:
    “Be sure to disconnect the remote PowerShell session when you’re finished. If you close the Windows PowerShell window without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you’ll need to wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command.”

    Remove-PSSession $Session

  • directionforward

    Very useful, thanks! Can anyone clarify what the “Set-ExecutionPolicy RemoteSigned” that Alex suggested does?

  • frustrated assistant

    have come across an instance where a gmail recipient is receiving winmail.dat from only one of our office365 outlook users. seems to be only between these two individuals. any ideas?

  • MP

    Damn legend – thank you! – Also linked back with thanks to your page.

    • Thanks – I don’t get called a legend very often – may print and frame this comment!

  • Tom Beech

    Hi – Thanks for this. i keep getting the following error when trying the powershell commands:

    New-PSSession : The WinRM client cannot process the request. Requests must include user name and password when Basic

    or Digest authentication mechanism is used. Add the user name and password or change the authentication mechanism and

    try the request again.

    At line:1 char:12

    + $Session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne …

    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo : InvalidArgument: (https://outlook…com/powershell/:Uri) [New-PSSession], PSInvalidOpera


    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed,Microsoft.PowerShell.Commands.NewPSSessionCommand

    • Sorry, Tom, that’s beyond my level of experience, I’m afraid.

      • Tom Beech

        Not to worry, I managed to get it working, I’ll find and post what I did tomorrow for future people. Thank you

  • Otto Von Braunschweiger

    Hi there,

    Everything goes well until the last command – Don’t know what else to do, have you got an idea?

    powershell The term ‘]’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the a path was included, verify that the path is correct and try again. At line:1 char:1 + ]Set-RemoteDomain Default -TNEFEnabled $false + ~ + CategoryInfo : ObjectNotFound: (]:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException the term set-mailbox is not recognized

  • DouglasTerborg

    Note: As of this post, the Microsoft Online Services Sign-In Assistant for IT Professionals will not install unless you install the BETA (not the RTW) of the Microsoft Online Services Module.

    The RTW is linked; the beta may be found here:

  • Charlie Murphy

    Would like to repeat the legend comment from MP below. Really great and helpful guide! Keep up the good work. 🙂

Copyright © 2008-2017 Jonathan Gwyer
Web Design by fairly marvellous Kent

How to stop Office 365 sending those pesky winmail.dat attachments

by Jonathan Gwyer time to read: 2 min