Introduction

Email remains one of the most critical communication tools in the workplace, yet it is also a common target for spam and phishing. While Exchange Online Protection (EOP) and Microsoft Defender for Office 365 provide strong filtering, users often encounter false positives—legitimate emails ending up in the Junk Email folder. This can disrupt workflows, cause delays, and impact business productivity.

One way to reduce these false positives is by configuring Outlook Safe Senders. Safe Senders allow administrators to define a list of trusted email addresses and domains that Outlook will always treat as safe, ensuring that messages from these sources never get marked as junk.

Traditionally, Safe Sender lists are managed per user, but at scale this becomes difficult to control. Using Microsoft Intune, we can automate the deployment of a centralized Safe Senders list across all managed endpoints. This approach ensures consistency, reduces administrative overhead, and helps maintain a secure yet user-friendly email experience.

In this guide, we’ll walk through:

  • Creating a Win32 app in Intune to deliver the SafeSenders.txt file to devices.
  • Using the Intune Settings Catalog to enforce Outlook Junk Email protection and Safe Senders policy.
  • Updating the registry with version control, so IT teams can track deployments.

Step 1: Prepare the SafeSenders.txt File

Create a plain-text file (safesenders.txt, or any name you prefer) listing all trusted/safe sender email addresses or domains, one per line:

info@microsoft.com
donotreply@eskonr.com
info@edgeflow.com
billing@eskonr.com
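
To catch typos before the list is packaged, the file can be linted first. This is an added example, not part of the original article or the author's GitHub script; the function name Test-SafeSenderList, the accepted entry forms (address, domain or @domain) and the last four sample lines are assumptions constructed for illustration. Domain-wide entries are reported separately because they trust every sender in that domain.

```powershell
# Added example: lint a Safe Senders list before packaging it into the Win32 app.
function Test-SafeSenderList {
    param([string[]]$Lines)

    # Assumed entry forms: user@domain, domain, or @domain (one per line).
    $label     = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?'
    $domain    = '(' + $label + '\.)+[a-z]{2,63}'
    $addressRx = '^[a-z0-9._%+-]+@' + $domain + '$'
    $domainRx  = '^@?' + $domain + '$'
    $seen      = New-Object 'System.Collections.Generic.HashSet[string]'
    $lineNo    = 0

    foreach ($raw in $Lines) {
        $lineNo++
        $entry = $raw.Trim().ToLowerInvariant()
        if ($entry -eq '') { continue }            # ignore blank lines

        if     ($entry -match $addressRx) { $status = 'Address' }
        elseif ($entry -match $domainRx)  { $status = 'Domain' }   # trusts the whole domain
        else                              { $status = 'Invalid' }

        # HashSet.Add returns $false when the entry was already seen.
        if ($status -ne 'Invalid' -and -not $seen.Add($entry)) { $status = 'Duplicate' }

        [pscustomobject]@{ Line = $lineNo; Entry = $entry; Status = $status }
    }
}

# Constructed sample: the article's entries plus a duplicate, a domain and two malformed lines.
$sample = @(
    'info@microsoft.com', 'donotreply@eskonr.com', 'info@edgeflow.com', 'billing@eskonr.com',
    'INFO@microsoft.com', 'edgeflow.com', 'billing(at)eskonr.com', 'https://eskonr.com'
)
$report = Test-SafeSenderList -Lines $sample
$report | Format-Table -AutoSize

# Domain entries go to manual review; invalid or duplicate lines must be fixed before packaging.
$report | Where-Object { $_.Status -eq 'Domain' } |
    ForEach-Object { Write-Warning "Domain-wide entry: $($_.Entry)" }
$bad = @($report | Where-Object { $_.Status -in 'Invalid', 'Duplicate' })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) entries must be fixed before packaging." }
```

For a real list, pass the file content instead of the sample: `Test-SafeSenderList -Lines (Get-Content .\safesenders.txt)`.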

Step 2: Package and Deploy with Win32 App in Intune

  • Prepare a PowerShell script to copy safesenders.txt to C:\ProgramData\eskonr\outlooksafesender.
  • Log actions to a designated logs folder and update deployment status to the registry.
  • Package the script and txt file into a .intunewin file using the Microsoft Win32 Content Prep Tool.
  • Upload and configure deployment in Microsoft Intune Admin Center:
    • Go to Apps > Windows > Add > Win32 app.
    • Specify the install and uninstall commands.
    • Install: powershell.exe -ExecutionPolicy Bypass -File .\deploy-safesenders.ps1
    • Uninstall: cmd.exe /c
    • Detection: HKEY_LOCAL_MACHINE\SOFTWARE\eskonr\outlooksafesender (key path), Version (value name), String comparison (method), Equals (operator), 1 or script version (value).
    • Assign to the required device or user groups (prefer device group).

I have uploaded a PowerShell script to a GitHub repository that copies the txt file to the local drive and also creates a registry key which can be used as the detection method.

If you need to change the txt file at a later stage, you can repackage the Win32 app with a revised version, re-upload it and update the detection method. Otherwise, you can look at alternatives where the file is uploaded to a secure location (blob storage or similar) and accessed from there. Test it first.

The script contains the following variables if you would like to make changes.

# Define variables
$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Definition
$SourceFile = Join-Path -Path $ScriptDir -ChildPath 'safesenders.txt'
$TargetFolder = 'C:\ProgramData\eskonr\outlooksafesender'
$TargetFile = "$TargetFolder\safesenders.txt"
$LogFolder = 'C:\ProgramData\eskonr\logs'
$LogFile = "$LogFolder\outlooksafesender.log"
$RegPath = 'HKLM:\Software\eskonr\outlooksafesender'
$RegValueName = 'Version'
$RegValue = '1'
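
One way to write the deployment script described in Step 2, using the variables listed above. This is an added example, not the author's GitHub script; the Write-Log helper, the SHA-256 comparison after the copy and the exit codes are assumptions.

```powershell
# Added example, not the author's script. Variable names and values are the ones listed above.
$ScriptDir    = Split-Path -Parent $MyInvocation.MyCommand.Definition
$SourceFile   = Join-Path -Path $ScriptDir -ChildPath 'safesenders.txt'
$TargetFolder = 'C:\ProgramData\eskonr\outlooksafesender'
$TargetFile   = "$TargetFolder\safesenders.txt"
$LogFolder    = 'C:\ProgramData\eskonr\logs'
$LogFile      = "$LogFolder\outlooksafesender.log"
$RegPath      = 'HKLM:\Software\eskonr\outlooksafesender'
$RegValueName = 'Version'
$RegValue     = '1'

# Hypothetical helper: timestamped line in the log file; never fails the deployment itself.
function Write-Log {
    param([string]$Message)
    $line = '{0} {1}' -f (Get-Date -Format s), $Message
    Add-Content -Path $LogFile -Value $line -ErrorAction SilentlyContinue
}

try {
    New-Item -Path $LogFolder, $TargetFolder -ItemType Directory -Force -ErrorAction Stop | Out-Null
    if (-not (Test-Path -LiteralPath $SourceFile -PathType Leaf)) {
        throw "Source file not found: $SourceFile"
    }

    Copy-Item -LiteralPath $SourceFile -Destination $TargetFile -Force -ErrorAction Stop

    # Confirm the file on disk is byte-identical to the packaged one.
    $srcHash = (Get-FileHash -LiteralPath $SourceFile -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $TargetFile -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw 'Hash mismatch after copy.' }
    Write-Log "Copied safesenders.txt to $TargetFile (SHA256 $dstHash)"

    # Write the detection value last, so the Win32 app is only detected after a verified copy.
    if (-not (Test-Path -Path $RegPath)) { New-Item -Path $RegPath -Force -ErrorAction Stop | Out-Null }
    New-ItemProperty -Path $RegPath -Name $RegValueName -Value $RegValue `
        -PropertyType String -Force -ErrorAction Stop | Out-Null
    Write-Log "Set $RegPath\$RegValueName = $RegValue"
    exit 0
}
catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

When the list changes, bump `$RegValue` together with the detection rule value so devices that still hold the old version are not detected as installed.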

Step 3: Configure Outlook Safe Sender with Intune Settings Catalog

  • In Intune, create a new Settings Catalog policy for Windows devices.
  • Search for “Safe Senders” in the Outlook configuration options and choose the following:
    • Specify path to Safe Senders list (User)
    • Specify full path and filename to Safe Senders list (User)
    • Add e-mail recipients to users’ Safe Senders Lists (User)
  • Set the policy to Enabled and provide the path to your txt file (e.g. C:\ProgramData\eskonr\outlooksafesender\safesenders.txt).
  • Assign the policy to appropriate device or user groups (prefer device groups).
  • Devices will receive the policy, and Outlook will use the specified txt file to identify safe/whitelisted senders automatically.

Step 4: Validate and Monitor Intune Outlook Safe Senders

  • After deployment, check the target directory to confirm delivery.
  • Open Outlook’s Junk Email settings to ensure safe sender addresses appear and emails are not delivered to Junk.
  • Review logs for deployment status and troubleshoot any issues.
  • You can validate in the new Outlook by going to Settings > Mail > Junk email > Senders; you will see safe senders and domains.

This method has been tested in classic and new Outlook and works fine.

Hope you find this article useful.
