This post describes an issue that surfaced late in 2020 with policy tips not showing within emails in Outlook where data loss prevention policy rules are matched.
Full disclosure, I’ve got a series of posts planned on my experiences of Microsoft 365 compliance that I had hoped to publish last year, but other things have got in the way so apologies for the lack of any background I’d hoped to have in place – but it is coming!
For the past twelve months or so I’ve been creating, testing and tuning data loss prevention rules in Microsoft 365 in my organisation. We’ve published several of the Microsoft standard data loss prevention policies as well as creating our own custom sensitive information types and policies.
Data loss prevention (DLP) policies allow you to enable policy tips to be shown with custom text when a policy match occurs. Going through user acceptance testing in Autumn 2020 there were no major issues – DLP rules were matching correctly and the policy tips were displaying consistently throughout Microsoft 365, from SharePoint to Outlook.
In November 2020, I noticed that policy tips that had been showing in Outlook had stopped appearing altogether. It was around this time I came across this article from Microsoft that says:
My interpretation, which Microsoft support has also confirmed, is that this effectively means the policy tips will not work if the version of Office/Outlook you are running is newer than the version the policy evaluator is using. It doesn’t say that specifically in the excerpt above, but it is most definitely the case. I’ve tested using Outlook on the web as the article describes and the policy tips still show there. I’ve also deleted the registry value as suggested in the resolution section of the article, to no avail.
An additional support article was brought to my attention on this issue, which you can read here. The article doesn’t reference the one I’ve highlighted in this post, but it does mention some additional issues I hadn’t noted:
- Outlook DLP policy tips are not detecting sensitive information in PDF, Excel, Word and other attachments and it may work inconsistently across attachments
- Policy tip detection may work for smaller attachments such as a 15KB file, but not for larger attachments such as a 2MB file
- Outlook is also not detecting HIPAA or ICD-9 or ICD-10 correctly in the message body
- In some cases, Outlook is not detecting key words with certain syntax such as quotation marks
- In some cases, Outlook is not showing the policy tip if the message is being retrieved from a Draft
Update from Microsoft 15/02/21
I’ve been in discussions with various people from Microsoft who have also tried to help move this issue forwards. Here are some of the suggestions I’ve had so far:
- Update to the latest version of Office on the semi-annual channel to see if the problem persists
- Create a new Windows 10 VM with the latest version of Office installed, added to an OU but with no organisational GPOs applied, to establish whether the issue is related to GPOs
- Add a device on the insider channel to know when the issue is natively fixed in the Outlook client
- Speak to Microsoft Premier Support
In my organisation we have client machines on different versions of Office, so I can rule out option 1. As I test more of the suggestions I will update this post!
Update from readers 22/02/21
One of the readers of this blog – @AT added an update that they had received from Microsoft on this issue:
Our reader had found the policy nudge files weren’t being downloaded to the app data folder when applied (these are under appdata\local\microsoft\outlook). They added that the policy nudge files started to re-appear last weekend (14 February 2021), but the policynudgerules.xml file was incomplete. Pasting text from old policy nudge files into the newly downloaded one allows the override to be seen.
They added that the workaround they used was as follows:
- Close Outlook
- Delete the registry key LastDownloadTimesPerAccount
- Delete the 2 PolicyNudge.xml files in users app data folder
- Reopen Outlook and create a new email (this re-creates the registry value and the 2 .xml files)
- Edit PolicyNudgeRules.xml file
- Restart Outlook
Aside from the fact that the policy tips do not detect sensitive information in attachments in Outlook, our reader also noted that Outlook will try to re-download the policy files after 24 hours on an Outlook restart, so the edited PolicyNudgeRules.xml file will be replaced with the incomplete one. At the end of the registry value there is a 9 digit number which is Epoch time; that’s being used to detect whether 24 hours have elapsed.
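To check the state of the policy nudge cache before and after the workaround above, here is a small diagnostic script I’ve added for this post (it is not from Microsoft or from the reader’s update). It assumes the registry key path is something you fill in (the post only names the value, so the path below is a placeholder) and that the value ends in an epoch-seconds timestamp as described.

```powershell
# Added diagnostic for the Outlook policy nudge cache discussed in this post.
# Assumptions (not from the post): $RegPath is a PLACEHOLDER you must replace with the
# real Outlook key, and LastDownloadTimesPerAccount is a string ending in epoch seconds.
param(
    [string]$NudgeDir     = (Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook'),
    [string]$RegPath      = 'HKCU:\<PLACEHOLDER-path-to-Outlook-policy-nudge-key>',
    [string]$RegValue     = 'LastDownloadTimesPerAccount',
    [int]   $RefreshHours = 24
)

# 1. Are the policy nudge files present, and is each one at least well-formed XML?
$files = Get-ChildItem -Path $NudgeDir -Filter 'PolicyNudge*.xml' -ErrorAction SilentlyContinue
if (-not $files) {
    Write-Warning "No PolicyNudge*.xml files in $NudgeDir - Outlook has not downloaded policy files."
}
foreach ($f in $files) {
    # An incomplete PolicyNudgeRules.xml (the reader's symptom) is often tiny or fails to parse;
    # flag both so you notice before pasting rules back in.
    $wellFormed = $f.Length -gt 0
    if ($wellFormed) {
        try { [xml](Get-Content -Raw -LiteralPath $f.FullName) | Out-Null } catch { $wellFormed = $false }
    }
    '{0,-26} {1,8} bytes  modified {2:u}  well-formed XML: {3}' -f $f.Name, $f.Length, $f.LastWriteTime, $wellFormed
}

# 2. Decode the trailing epoch timestamp so you know whether a restart will re-download
#    the files (and overwrite any manual edit to PolicyNudgeRules.xml).
$raw = (Get-ItemProperty -Path $RegPath -Name $RegValue -ErrorAction SilentlyContinue).$RegValue
if ($null -eq $raw) {
    Write-Output "Registry value $RegValue not found under $RegPath (Outlook re-creates it on a new email)."
    return
}
if ("$raw" -match '(\d{9,10})\s*$') {
    $downloaded = [DateTimeOffset]::FromUnixTimeSeconds([int64]$Matches[1]).ToLocalTime()
    $age        = (Get-Date) - $downloaded.DateTime
    Write-Output ('Policy files last downloaded {0:u} ({1:N1} h ago)' -f $downloaded, $age.TotalHours)
    if ($age.TotalHours -ge $RefreshHours) {
        Write-Output "Older than $RefreshHours h: Outlook will replace the files on its next restart."
    } else {
        Write-Output ('Manual edits should survive until about {0:u}' -f $downloaded.AddHours($RefreshHours))
    }
} else {
    Write-Output "Could not find a trailing epoch timestamp in value: $raw"
}
```

Run it as the affected user with Outlook closed; the second section only reports, so it is safe to re-run after each step of the workaround to confirm the value and files were re-created.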