AIP Scanner - Automatically label and protect PDF file uploaded in SharePoint Library - Not working

  • Question

  • Hi Fellows.

    I have AIP Scanner integrated with a SharePoint library with the configuration below:

    PS C:\Windows\system32> Get-AIPScannerConfiguration

    Enforce                  : On
    ReportLevel              : Debug
    Schedule                 : Continuous
    Type                     : Incremental
    DiscoverInformationTypes : PolicyOnly
    JustificationMessage     : Applied by AIP Scanner Automatically
    ScannedFileTypes         : *,-.lnk,-.exe,-.com,-.cmd,-.bat,-.dll,-.ini,-.pst,-.sca,-.drm,-.sys,-.cpl,-.inf,-.drv,-.dat,
                               -.tmp,-.msp,-.msi,-.pdb,-.jar,-.ocx

    PS C:\Windows\system32> Get-AIPScannerRepository

    Repository          : http://sp.domain.com/sites/dataclassification/Test DataClassification Library
    OverrideLabel       : On
    PreserveFileDetails : Off
    DefaultOwner        :
    DefaultLabel        : xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
    ScannedFileTypes    : *,-.lnk,-.exe,-.com,-.cmd,-.bat,-.dll,-.ini,-.pst,-.sca,-.drm,-.sys,-.cpl,-.inf,-.drv,-.dat,-.tmp
                          ,-.msp,-.msi,-.pdb,-.jar,-.ocx
    MatchPolicy         : Off

    When I upload a PDF file, I expect the AIP Scanner to automatically apply the label (with protection) and convert the PDF file to a protected PDF file (regardless of what extension is assigned after protection; I just need the file to be protected). But when a PDF file is uploaded to the SharePoint library, it remains unchanged. AIP Scanner logs the error below:

    Client Version: 1.29.5.0
    Client Policy ID: b942xxxx-xxxx-xxxx-xxxx-xxxxxxx
    Item Full Path: http://sp.domain.com/sites/dataclassification/Test DataClassification Library/PDF File 1.pdf
    Item Name: PDF%20File%201.pdf
    Item Directory: http://sp.domain.com/sites/dataclassification/Test DataClassification Libr
    IP Addresses: 10.20.113.220
    Process Name: MSIP.Scanner
    Action: Set Label
    Protection Before Action: Unprotected
    Protection After Action: Unprotected
    Label Before Action: Internal Use
    Label ID Before Action: 872413xx-xxxx-xxxx-xxxx-xxxxxxx
    Label After Action: Internal Use
    Label ID After Action: 872413xx-xxxx-xxxx-xxxx-xxxxxxx
    User Justification: Applied by AIP Scanner Automatically
    Matched Conditions: Default
    Labeled Before Action: Automatically
    Action Source: Automatic
    Error: The remote server returned an error: (500) Internal Server Error.

    Any help on how I can ensure a PDF file is automatically protected when uploaded to the SharePoint library?


    J.A

    Tuesday, September 25, 2018 7:53 AM

All replies

  • Have you added the .pdf file extension to the registry?  By default, only Office document types are protected:

    https://docs.microsoft.com/en-us/azure/information-protection/deploy-aip-scanner#how-files-are-scanned

    By default, only Office file types are protected by the scanner, so PDF and text files are not protected unless you edit the registry to specify the file types:

    • If you do not add the file type of .pdf to the registry: Files that have this file name extension will be labeled but if the label is configured for protection, the protection is not applied.

    Tuesday, September 25, 2018 11:11 PM
  • Yes. The registry has already been set for the PDF extension (HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection\PDF).

    I have tried both the Native and PFile encryption values, but there is no change in the AIP Scanner's behavior.

    A file share is also configured as a repository on this same AIP Scanner and that is working fine. This problem is happening on the SharePoint library for PDF files. I have enabled debug-level reporting and, every few seconds, I am getting the above-listed event in Event Viewer. The last "modified by" field also doesn't change (while Office files are successfully updated and their last "modified by" field shows the AIP Scanner's service account).


    J.A

    Wednesday, September 26, 2018 10:13 AM
  • Your registry edit should look like this:

    Thursday, September 27, 2018 1:54 AM
  • Hi.

    Yes, it looks like this.

    Any other recommendations / considerations?


    J.A

    Wednesday, October 3, 2018 7:12 AM

  • J.A

    Wednesday, October 3, 2018 8:34 AM
  • I recently rebooted the AIP Scanner and performed two tests.

    1. Uploaded an unclassified PDF file to the same AIP Scanner-integrated SharePoint library. Got the event error below logged on the AIP Scanner server, BUT the PDF got protected using the "Internal" label successfully.

    Log Name:      Azure Information Protection
    Source:        Azure Information Protection
    Date:          10/3/2018 12:43:31 PM
    Event ID:      101
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          DOMAIN\pocazure
    Computer:      AIPSCANNER.DOMAIN.COM
    Description:
    Client Version: 1.29.5.0
    Client Policy ID: 5d4cxxxx-xxxx-xxxx-xxxx-xxxxxx138f40
    Item Full Path: http://sp.domain.com/sites/dataclassification/Test DataClassification Library/PDFUnClassified (1).ppdf
    Item Name: PDFUnClassified%20(1).ppdf
    Item Directory: http://sp.domain.com/sites/dataclassification/Test DataClassification Librar
    IP Addresses: xx.xx.xx.xx
    Process Name: MSIP.Scanner
    Action: Set Label
    Protection Before Action: Protected
    Protection After Action: Protected
    Content-id Before Action: {6f9d7243-xxxx-xxxx-xxxx-e1e5e0184cf8}
    Content-id After Action: {6f9d7243-xxxx-xxxx-xxxx-5e0184cf8}
    Owner After Action: uatuser@domain.com
    Owner Before Action: uatuser@domain.com
    Label Before Action: Internal Use
    Label ID Before Action: 872413d5-xxxx-xxxx-xxxx-df1979e2850b
    Label After Action: Internal Use
    Label ID After Action: 872413d5-xxxx-xxxx-xxxx-df1979e2850b
    User Justification: Applied by AIP Scanner Automatically
    Matched Conditions: Default
    Labeled Before Action: Automatically
    Action Source: Automatic
    Error: The path is not of a legal form.

    ------------------------

    2. Uploaded an (automatically classified) public file to the same AIP Scanner-integrated SharePoint library and nothing happened.

    Log Name:      Azure Information Protection
    Source:        Azure Information Protection
    Date:          10/3/2018 12:46:56 PM
    Event ID:      106
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          DOMAIN\pocazure
    Computer:      AIPSCANNER.DOMAIN.COM
    Description:
    Client Version: 1.29.5.0
    Client Policy ID: 5d4c65a2-xxxx-xxxx-xxx-7eff20138f40
    Item Full Path: http://sp.domain.com/sites/dataclassification/Test DataClassification Library/PDFAutoClassifiedPublic (1).pdf
    Item Name: PDFAutoClassifiedPublic%20(1).pdf
    Item Directory: http://sp.domain.com/sites/dataclassification/Test DataClassification Librar
    IP Addresses: xx.xx.xx.xx
    Process Name: MSIP.Scanner
    Action: Discover
    Owner After Action: azurepoc@domain.com
    Owner Before Action: pocazure@domain.com
    Label Before Action: Public
    Label ID Before Action: 896300ae-xxxx-xxxx-xxxx-fda2b95320b3
    User Justification: Applied by AIP Scanner Automatically
    Labeled Before Action: Automatically
    Action Source: Automatic


    J.A

    Wednesday, October 3, 2018 8:58 AM
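
The three events quoted in this thread differ in only a few fields (Action, Protection After Action, Error), so a small parser over the event description shows at a glance which files ended a Set Label action unprotected. This is an added PowerShell example, not part of the original posts; the function names and status values are hypothetical, and the sample descriptions are constructed from the fields shown in the events above.

```powershell
# Added example, not from the thread. Descriptions below are constructed from
# the fields shown in the posted events (trimmed to the lines the triage uses).
$samples = @(
@'
Item Name: PDF%20File%201.pdf
Action: Set Label
Protection After Action: Unprotected
Label After Action: Internal Use
Error: The remote server returned an error: (500) Internal Server Error.
'@,
@'
Item Name: PDFUnClassified%20(1).ppdf
Action: Set Label
Protection After Action: Protected
Label After Action: Internal Use
Error: The path is not of a legal form.
'@,
@'
Item Name: PDFAutoClassifiedPublic%20(1).pdf
Action: Discover
Label Before Action: Public
'@
)

function ConvertFrom-ScannerDescription([string]$Description) {
    $fields = @{}
    foreach ($line in $Description -split "`r?`n") {
        # Key ends at the first colon; values (URLs, error text) may contain more.
        if ($line -match '^\s*([^:]+?):\s*(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
    }
    $fields
}

function Get-ScannerFinding([string]$Description) {
    $f = ConvertFrom-ScannerDescription $Description
    # A label without protection settings also ends "Unprotected"; treat that
    # status as a finding only for labels that are configured to protect.
    $status = 'OK'
    if ($f['Action'] -eq 'Set Label' -and $f['Protection After Action'] -eq 'Unprotected') {
        $status = 'UnprotectedAfterSetLabel'
    } elseif ($f['Error']) {
        $status = 'ErrorLogged'
    } elseif ($f['Action'] -eq 'Discover') {
        $status = 'DiscoverOnly'
    }
    [pscustomobject]@{
        Item   = [uri]::UnescapeDataString([string]$f['Item Name'])
        Action = $f['Action']
        Status = $status
        Error  = $f['Error']
    }
}

$samples | ForEach-Object { Get-ScannerFinding $_ } | Format-List
```

On the scanner server, the same function can be applied to the `Message` text of events read with `Get-WinEvent` from the "Azure Information Protection" log named in the posts.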