Category: azure security center
Maxlan71 on Wed, 13 May 2020 11:40:54
I installed the last version of Azure Information Protection (AIP) unified client on an old Windows 7 Service Pack 1 (SP1) PC with extended support.
All AIP labeling activities work fine from Office 365 apps (Outlook, Word, Excel and so on), but when I tried to use AIP Classify and protect client for labeling a .TXT file (for example) I received this error (see screenshot, too): "ERROR: Failed downloading
Information Protection policy".
Also, Checking AIP UL client Help and Feedback on Window 7 SP1, the client status was "Working Offline" (see attached image, too). It seems like it is unable to connect to MS AIP service to download the labels.
Could someone help me to resolve, please?
Thanks in advance.
ShashiShailaj_MSFT on Fri, 15 May 2020 16:27:16
Hello Maxlan71 ,
I understand you are getting this error on Windows 7 SP1 . Can you check if you are getting the same on other Windows clients . If you do not see same behavior then it may be possible due to windows version. It could be a possibility that the Windows 7 does not work because as per the article Windows 7 is not listed as the supported clients. Even though Windows 7 is not listed in the supported client device list https://docs.microsoft.com/en-us/azure/information-protection/requirements#client-devices . I am not sure if this is the reason in your case because it would require to troubleshoot this deeply to come to a conclusion. If API unified labeling is working within Office 365 apps and files on windows file system are unable to be classified then it could be related to OS.
You may get "ERROR: Failed downloading Information Protection policy" error and working offline client status in some scenarios:-
- If Intune app protection policies have been implemented and the API app (MSIP.App.exe) has not been excluded , you may see such issues at the file system level.
- It could be possibly due to network issues. I would suggest you to go through the network requirements for the AIP at https://docs.microsoft.com/en-us/azure/information-protection/requirements#firewalls-and-network-infrastructure .
- The AIP unified labeling client uses the URL dataservice.protection.outlook.com to download labels and label policies. you can take a network trace and check traffic for *.protection.outlook.com and *.aadrm.com .
- You can check the following powershell cmdlets to help you determine whether your client connection is terminated at your firewall or any network device before it reached the Azure rights management services whenever you try to classify a file at file system level in windows explorer.
$request = [System.Net.HttpWebRequest]::Create("https://admin.na.aadrm.com/admin/admin.svc")
You must get a proper response like below.
If the CA name is not from Microsoft , it is very likely your secure client-to-service connection is being terminated at some network device.
- If the above does not help , then I would suggest you to collect some deeper logs using the RMS support Tool and engage Microsoft Support for further troubleshooting.
- Download RMS_Support_tool from https://github.com/schiroky/RMS_Support_Tool/releases/tag/1.1.0 . Once Downloaded you can copy the three files (RMS_Support_Tool.psm1, RMS_Support_Tool.psd1, and RMS_Support_Tool.htm) to the location :- %ProgramFiles%\WindowsPowerShell\Modules\RMS_Support_Tool
- The file RMS_Support_Tool.htm provides guidance on how to use it . Please check the same.
- In order to run this tool you would need to change your powershell execution policy. Open a powershell window as an administrator .
PS C:\> Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -Force
PS C:\> RMS_Support_Tool
- Close all office related apps , and then type 4 from the PS prompt to reset the client side cache.
- Then type 5 to start user logging , and try to reproduce the issue by classifying and protecting a file ..
- Please collect the log and provide the same to Microsoft support.
I hope the above information helps you . Unfortunately providing a solution with the information provided is not possible in this case as there are many possibilities and the logs would provide more information. Should you not have a support plan , please send an email to azcommunity [at] microsoft [dot] com and we will help you with alternative support options. SHould you have any further queries , feel free to let me know. If the information helps , please do mark it as answer so that its helpful for other community members.
Also I wanted to let you know that we have created a new QnA platform for Azure products and we encourage you to check it out . In the coming month we will be making these forums read only as we migrate from MSDN to QnA .
Maxlan71 on Sun, 17 May 2020 21:13:01
Thank you very much for your support.
I resolved the issue. I installed all windows 7 SP1 last updates and all works fine now ;-)