Cartegraph versions beginning with Fall 2016 gain a new system requirement for the web server machine. Disable Set the Windows Local Group Policy computer/machine-level setting for Internet Explorer named Do not save encrypted pages to disk.
This setting is necessary for the reporting engine released with the Fall 2016 release to display attachments in reports that are retrieved via https:// (SSL-encrypted http). It's also the configuration we use internally, test with, and support.
This setting coincides with another change, the web server's IIS application pool was changed to run under the Application Pool Identity instead of LocalSystem. This was done to reduce the privilege elevation of the account (a good security practice) and for process memory utilization to be more balanced across user accounts. However, the reduced privileges require this extra bit of fine-tuning for OMS to be fully functional.
This setting is configured automatically when deploying the OMS Prerequisites project in Octopus.
See more about this Internet Explorer setting here: https://blogs.msdn.microsoft.com/ieinternals/2011/05/06/avoid-do-not-save-encrypted-pages-to-disk/