This post describes an issue that surfaced late in 2020 with policy tips not showing within emails in Outlook where data loss prevention policy rules are matched.
Microsoft have provided an update regarding this issue.
Full disclosure, I’ve got a series of posts planned on my experiences of Microsoft 365 compliance that I had hoped to publish last year, but other things have got in the way so apologies for the lack of any background I’d hoped to have in place – but it is coming!
For the past twelve months or so I’ve been creating, testing and tuning data loss prevention rules in Microsoft 365 in my organisation. We’ve published several of the Microsoft standard data loss prevention policies as well as creating our own custom sensitive information types and policies.
Data loss prevention (DLP) policies allow you to enable policy tips to be shown with custom text when a policy match occurs. Going through user acceptance testing in Autumn 2020 there were no major issues – DLP rules were matching correctly and the policy tips were displaying consistently throughout Microsoft 365 from SharePoint to Outlook.
In November 2020, I noticed that policy tips that had been showing in Outlook had stopped appearing altogether. It was around this time I came across this article from Microsoft that says:
Now I’ve interpreted, plus also had it confirmed by Microsoft support, that this effectively means the policy tips will not work if the version of Office/Outlook you are running is newer than the version the policy evaluator is using. It doesn’t say that specifically in the excerpt above, but it is most definitely the case. I’ve tested using Outlook on the web as the article describes and the policy tips still show. I’ve also deleted the registry value as suggested in the resolution section of the article, to no avail.
An additional support article was brought to my attention on this issue which you can read here. The article doesn’t reference the one I’ve highlighted in this post, but does mention some additional issues I hadn’t noted:
- Outlook DLP policy tips are not detecting sensitive information in PDF, Excel, Word and other attachments and it may work inconsistently across attachments
- Policy tip detection may work for smaller attachment such as a 15KB file, but not for larger attachments such as a 2MB file
- Outlook is also not detecting HIPAA or ICD-9 or ICD-10 correctly in the message body
- In some cases, Outlook is not detecting key words with certain syntax such as quotation marks
- In some cases, Outlook is not showing the policy tip if the message is being retrieved from a Draft
Update from Microsoft – FIXED 12/05/21
Initial fixes for the Outlook Desktop client are available starting with Version 2105, Build 14026.20000. This build is now available in the Beta Channel and Current Channel Preview and is estimated to go to production Current Channel the week of May 24th. You can monitor the Update History page to confirm when Version 2105 goes to current channel.
Service fixes are now available in mailbox version 15.20.4128.0 and higher. You can check your mailbox version using the Outlook Connection Status Dialog.
To improve reliability and stability the current implementation of the policy tip feature in Outlook Desktop is undergoing a broad update. Starting in May 2021 you should start to see a more reliable and predictable experience when using the policy tips feature in Outlook. This work will continue and throughout the year you will see incremental improvements to feature scope and reliability.
Not every potential problem with policy tips is caused by the current design limitations so you should apply normal troubleshooting steps to any new issue. If a determination is made that a new problem is one of those covered by our current renovation efforts, then fixes for that new problem will first be possible in the following months when the updated implementation reaches production.
Update from readers 22/02/21
One of the readers of this blog – @AT added an update that they had received from Microsoft on this issue:
Click here for the latest Microsoft support article
Our reader had found the policy nudge files weren’t being downloaded to the app data folder when applied (these are under appdata\local\microsoft\outlook). They added that the policy nudge files started to re-appear last weekend (14 February 2021), but the policynudgerules.xml file was incomplete. Pasting text from old policy nudge files into the newly downloaded one allows the override to be seen.
They added that the workaround they used was as follows:
- Close Outlook
- Delete the registry key LastDownloadTimesPerAccount
- Delete the 2 PolicyNudge.xml files in the user’s app data folder
- Reopen Outlook and create a new email (this re-creates the registry and 2 .xml files)
- Edit PolicyNudgeRules.xml file
- Restart Outlook
Aside from the fact the policy tips do not detect sensitive information in attachments in Outlook, our reader also noted that Outlook will try to re-download the policy files after 24 hours on an Outlook restart, so the edited PolicyNudgeRules.xml file will be replaced with the incomplete one. At the end of the registry value there is a 9 digit number which is Epoch time, that’s being used to detect if 24 hours has elapsed.
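A read-only check of the state this workaround depends on, added here as an example (it is not from the reader or from Microsoft): it reads the timestamp at the end of LastDownloadTimesPerAccount, reports whether the 24-hour re-download is due, and tests whether each cached PolicyNudge file parses as XML. The function name, the registry path parameter, the assumption that the value is stored as a string, and the use of XML well-formedness as a stand-in for "incomplete" are all assumptions.

```powershell
# Added example: read-only diagnostic, changes nothing on the machine.
# Assumptions (not from the post): the registry value is a string, and a file
# that fails to parse as XML is treated as "incomplete".
function Get-PolicyNudgeState {
    param(
        # Full registry path of the PolicyNudges key. The post does not give it,
        # so it has to be supplied for your Office version.
        [Parameter(Mandatory)] [string] $PolicyNudgesKey,
        [string] $CacheFolder = (Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook'),
        [int] $RefreshHours = 24
    )

    # 1. Registry: pull the epoch timestamp from the end of the value.
    $raw = (Get-ItemProperty -Path $PolicyNudgesKey -Name 'LastDownloadTimesPerAccount' `
            -ErrorAction SilentlyContinue).LastDownloadTimesPerAccount
    $lastDownload = $null
    if ($null -ne $raw -and ((@($raw) -join ' ') -match '(\d{9,10})\s*$')) {
        $lastDownload = [DateTimeOffset]::FromUnixTimeSeconds([long]$Matches[1]).UtcDateTime
    }

    # 2. Files: are the cached policy files present, non-empty and well-formed XML?
    $files = Get-ChildItem -Path $CacheFolder -Filter 'PolicyNudge*.xml' -File `
             -ErrorAction SilentlyContinue | ForEach-Object {
        $wellFormed = $_.Length -gt 0
        if ($wellFormed) {
            try   { [xml](Get-Content -LiteralPath $_.FullName -Raw) | Out-Null }
            catch { $wellFormed = $false }   # truncated or otherwise unparseable
        }
        [pscustomobject]@{
            Name         = $_.Name
            SizeBytes    = $_.Length
            LastWriteUtc = $_.LastWriteTimeUtc
            WellFormed   = $wellFormed
        }
    }

    # 3. Summary: RefreshDue means the next Outlook restart is expected to
    #    re-download the files and overwrite a hand-edited PolicyNudgeRules.xml.
    $known = $null -ne $lastDownload
    [pscustomobject]@{
        LastDownloadUtc  = $lastDownload
        NextRefreshAfter = if ($known) { $lastDownload.AddHours($RefreshHours) } else { $null }
        RefreshDue       = (-not $known) -or ((Get-Date).ToUniversalTime() -ge $lastDownload.AddHours($RefreshHours))
        Files            = @($files)
    }
}

# Usage (placeholder path, substitute your own):
# Get-PolicyNudgeState -PolicyNudgesKey 'HKCU:\<path to>\Outlook\PolicyNudges' | Format-List
```

An empty `Files` list together with a null `LastDownloadUtc` matches the case several commenters describe, where neither the registry key nor the XML files are created at all.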
Update from Microsoft 15/02/21
I’ve been in discussions with various people from Microsoft who have also tried to help move this issue forwards. Here are some of the suggestions I’ve had so far:
- Update to the latest version of Office on the semi-annual channel to see if the problem persists
- Create a new Windows 10 VM with the latest version of Office installed, added to an OU, but with no organisational GPOs set to prove if it isn’t related to GPOs
- Add a device on the insider channel to know when the issue is fixed natively on the Outlook client
- Speak to Microsoft Premier Support
In my organisation we have client machines on different versions of Office so I can rule out option 1. As I test more of the suggestions I will update this post!
There’s a new roadmap item indicating a policy tips revamp is coming for Outlook Win32 in preview from April 2023 https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=109589
In my testing Policy Nudge files only download when using these two conditions:
1) Content contains any of these sensitive info types (not sensitive labels)
2) Content is shared from Microsoft 365
Any other Condition or Exception will prevent the Policy Nudge file from being created in %localappdata%\Microsoft\Outlook
Now that is certainly very interesting when you mention it not working when Labels are present as a condition! You’ve given me a new line of enquiry for a problem I have.
We’re running into the same issue, policy tips are working fine in OWA however do not work in any of the Desktop clients. No policy nudge registry key nor the xml config files exist locally.
We’re running M365 Apps for enterprise. Any ideas on how to force the download of the DLP configs locally?
Policy tips in the Outlook client do work now. However they do not honor exceptions and MS rep has stated that there is nothing in the pipeline to make this possible. Very disappointing considering exceptions do work on the Web client.
Hi Daniel, thanks for the comment. When you say do not honour exceptions can you elaborate please?
Do you mean if you override a policy tip that doesn’t work?
This is now allegedly fixed according to the MS article, not quite sure it is for me, but would love to get feedback from you all on it.
Hi David, great news! Thanks so much for the update, I’ll update the main post with the info. We’re a build and a few versions behind so will keep my eyes peeled once it’s production and test!
I have this same issue. I confirmed the minimum version noted in the XML is less than the version of our mso20win32client.dll file, and am able to get the new XML files after deleting them as well as the reg key. We just never see the policy tips in Outlook, only OWA. Very strange issue that I hope Microsoft resolves soon.
This does make rolling out DLP a bit more complicated. We are going to rollout DLP using email alerts instead of the policy tips for the time being.
I know we’ve had to rethink our rollout of DLP too.
We have agreed to turn off DLP for Outlook and just apply it to the other workloads – really not ideal, but the lack of policy tips in Outlook is a deal breaker for our decision makers.
I am having this exact same issue. Does anyone have an example Policy XML? It’s hard to tell if mine is incomplete or not.
I spoke with my reseller yesterday about this as we have premium support with them through to MS. They said that the status on the support article is as much as they would get via MS themselves, but did say that when a problem like this is discovered and in investigation phase with the product team, once fixed, it is then put in the patch/upgrade release cycle which is usually the last week of each month, so keep an eye out in the next couple of weeks for a possible fix, otherwise it may drag to April.
Hi, thank you for the comment, it’s really useful to get some insight from premium support. I will keep my eyes peeled!
We’ve also been having the issue since last year. After extensive troubleshooting with support we found the policy nudge files weren’t being downloaded (these are under appdata\local\microsoft\outlook).
They have started downloading from last weekend but the policynudgerules.xml file was incomplete. We can edit the file by pasting the text from an old file and we see the override.
This is the most recent article support sent me https://support.microsoft.com/en-us/topic/outlook-dlp-policy-tips-not-working-for-certain-conditions-in-email-body-and-attachments-8a32496a-3478-403c-b2eb-04a218f7443c?ui=en-us&rs=en-us&ad=us
Thank you for commenting! I’ll include your support article in my post, so in your case are the policy tips still not showing even after the nudge files starting to download?
Sorry just re-read your comment – you can get the tips to show if you edit the policy nudge files. How are you dealing with that at scale then, organisation wide?
So far we haven’t deployed anything company wide, instead we’ve been fixing on an individual basis or asking staff to use OWA which works fine. The workaround we have is: close Outlook > delete registry key LastDownloadTimesPerAccount > delete the 2 PolicyNudge.xml files in the user’s app data folder > open Outlook and click new email (this re-creates the registry and 2 .xml files) > edit PolicyNudgeRules.xml file and then restart Outlook.
A couple of issues are;
1. Outlook doesn’t detect any keywords that are in an attachment.
2. Outlook will try to re-download the policy files after 24 hours on an Outlook restart, so the edited PolicyNudgeRules.xml file is replaced with the incomplete one. At the end of the registry value there is a 9 digit number which is Epoch time, that’s being used to detect if 24 hours has elapsed.
Wow so basically it barely works at all then! Really appreciate the info though as we are looking to press ahead with switching DLP on even without the policy tips but if keywords aren’t detected in Outlook that’s a pretty big hole
Myself and a colleague are experiencing the exact same issue with multiple customers. OWA works perfectly but no policy tips. Another issue I have noticed is that Outlook doesn’t create the policynudges registry key.
Have you checked in the Office 15.0 folder in the registry too? I know the key can sometimes be in the older Office version folder after updating.
I have a new windows 10 VM with the latest version of Office 365 installed. Checked all possible locations in the Registry and never have the PolicyNudges key created.
I am suffering a very similar issue to this link: https://www.reddit.com/r/sysadmin/comments/fdss55/dlp_policytips_not_working_in_outlook_but_do_in/
Currently have a case open with Microsoft who have so far advised the same resolution steps as you mention in your updates.
Hopefully it will get escalated soon.
Really appreciate the update, I’ve not gone down the completely fresh win10 machine route yet – disappointing the issue still persists.
Did you see my latest post update with a new article from MS?
Were you able to fix this issue? I have the same issue: policynudges registry key not created.
If anyone can help, that will be great.
I’m seeing the same, not a great situation to be in. For them to just say ‘working on it’ with no end in sight is really annoying.
Glad it’s not just me dealing with it, I checked the Microsoft article linked above this week to see if there was any update – sadly not.
I’m going to request an update on my original support ticket next week, but it’s pretty frustrating to say the least!