Data loss prevention policy tips not showing in Outlook

This post describes an issue that surfaced late in 2020 with policy tips not showing within emails in Outlook when data loss prevention policy rules are matched.

Full disclosure: I’ve got a series of posts planned on my experiences of Microsoft 365 compliance that I had hoped to publish last year, but other things have got in the way, so apologies for the lack of the background I’d hoped to have in place. It is coming!

For the past twelve months or so I’ve been creating, testing and tuning data loss prevention rules in Microsoft 365 in my organisation. We’ve published several of the Microsoft standard data loss prevention policies as well as creating our own custom sensitive information types and policies.

Data loss prevention policy tips showing within Outlook emails.

Data loss prevention (DLP) policies allow you to enable policy tips that are shown with custom text when a policy match occurs. Going through user acceptance testing in Autumn 2020 there were no major issues: DLP rules were matching correctly and the policy tips were displaying consistently throughout Microsoft 365, from SharePoint to Outlook.

In November 2020, I noticed that policy tips that had been showing in Outlook had stopped appearing altogether. It was around this time I came across this article from Microsoft that says:

This issue occurs because the compatible version criteria that’s processed by the policy evaluator is based on the version of mso20win32client.dll, not the version of Outlook. In many cases, the version of mso20win32client.dll is not the same as the version of Outlook and Office.

For example, an administrator may configure a very restrictive policy that applies only to version 16.0.11727.20244 or a later version of Outlook. However, the policy evaluator uses version 16.0.11727.20222 of mso20win32client.dll and determines that the rule should not be applied. In this example, the rule would have to indicate the minimum required version of 16.0.11727.20222 to have the policy tip appear in Outlook.

From <https://docs.microsoft.com/en-us/outlook/troubleshoot/security/can’t-display-dlp-policytip>

My interpretation, which Microsoft support has also confirmed, is that this effectively means the policy tips will not work if the version of Office/Outlook you are running is newer than the version of mso20win32client.dll the policy evaluator is using. It doesn’t say that specifically in the excerpt above, but it is most definitely the case. I’ve tested using Outlook on the web as the article describes and the policy tips still show. I’ve also deleted the registry value as suggested in the resolution section of the article, to no avail.

An additional support article was brought to my attention on this issue, which you can read here. The article doesn’t reference the one I’ve highlighted in this post, but it does mention some additional issues I hadn’t noted:

  • Outlook DLP policy tips are not detecting sensitive information in PDF, Excel, Word and other attachments and it may work inconsistently across attachments
  • Policy tip detection may work for smaller attachment such as a 15KB file, but not for larger attachments such as a 2MB file
  • Outlook is also not detecting HIPAA or ICD-9 or ICD-10 correctly in the message body
  • In some cases, Outlook is not detecting key words with certain syntax such as quotation marks
  • In some cases, Outlook is not showing the policy tip if the message is being retrieved from a Draft 

FROM: https://support.microsoft.com/en-us/topic/outlook-dlp-policy-tips-not-working-for-certain-conditions-in-email-body-and-attachments-8a32496a-3478-403c-b2eb-04a218f7443c?ui=en-us&rs=en-us&ad=us

Update from Microsoft 15/02/21

I’ve been in discussions with various people from Microsoft who have also tried to help move this issue forwards. Here are some of the suggestions I’ve had so far:

  1. Update to the latest version of Office on the semi-annual channel to see if the problem persists
  2. Create a new Windows 10 VM with the latest version of Office installed, added to an OU but with no organisational GPOs applied, to prove whether the issue is related to GPOs
  3. Add a device on the insider channel to know when the issue is fixed natively in the Outlook client
  4. Speak to Microsoft Premier Support

In my organisation we have client machines on different versions of Office, so I can rule out option 1. As I test more of the suggestions I will update this post!

Update from readers 22/02/21

One of the readers of this blog, @AT, added an update that they had received from Microsoft on this issue:

Click here for the latest Microsoft support article

Our reader had found the policy nudge files weren’t being downloaded to the app data folder when applied (these are under appdata\local\microsoft\outlook). They added that the policy nudge files started to re-appear last weekend (14 February 2021), but the policynudgerules.xml file was incomplete. Pasting text from old policy nudge files into the newly downloaded one allows the override to be seen.

They added that the workaround they used was as follows:

  • Close Outlook
  • Delete the registry value LastDownloadTimesPerAccount (under the PolicyNudges key)
  • Delete the 2 PolicyNudge .xml files in the user’s AppData folder
  • Reopen Outlook and create a new email (this re-creates the registry value and the 2 .xml files)
  • Edit the PolicyNudgeRules.xml file
  • Restart Outlook

Aside from the fact that the policy tips do not detect sensitive information in attachments in Outlook, our reader also noted that Outlook will try to re-download the policy files after 24 hours on an Outlook restart, so the edited PolicyNudgeRules.xml file will be replaced with the incomplete one. At the end of the registry value there is a 9 digit number, which is an epoch timestamp that is used to detect whether 24 hours have elapsed.
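To make the reader’s workaround and the version check above repeatable, here is a PowerShell diagnostic I am adding to this post. It is not code from the post, from the reader, or from Microsoft. It reports the three things discussed here: the version of mso20win32client.dll (the file the policy evaluator keys off), the state of the PolicyNudge*.xml cache files under %LOCALAPPDATA%\Microsoft\Outlook (present, and well-formed or truncated), and the age of the epoch timestamp at the end of LastDownloadTimesPerAccount. The registry locations (HKCU\Software\Microsoft\Office\16.0 and 15.0\Outlook\PolicyNudges), the Click-to-Run DLL location under Program Files, and the assumption that the registry value reads as text ending in the timestamp are all assumptions; adjust them for your environment. The optional -ResetCache switch only performs the delete steps of the workaround; the XML edit and the Outlook restart are still manual.

```powershell
<#
  Added diagnostic (not from the blog post) for missing Outlook DLP policy tips.
  Assumptions: Office 16.0/15.0 PolicyNudges keys under HKCU, a Click-to-Run
  install under Program Files, and a LastDownloadTimesPerAccount value whose
  text ends with an epoch timestamp (as the reader described).
#>
[CmdletBinding()]
param(
    # Perform the delete steps of the reader's workaround (Outlook must be closed).
    [switch]$ResetCache
)

$cacheDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook'
$regPaths = @(
    'HKCU:\Software\Microsoft\Office\16.0\Outlook\PolicyNudges',
    'HKCU:\Software\Microsoft\Office\15.0\Outlook\PolicyNudges'   # older key can linger after an upgrade
)

# 1. Version of the DLL the policy evaluator compares against the rule's minimum version.
$dll = Get-ChildItem -Path "$env:ProgramFiles\Microsoft Office", "${env:ProgramFiles(x86)}\Microsoft Office" `
        -Filter 'mso20win32client.dll' -Recurse -ErrorAction SilentlyContinue | Select-Object -First 1
if ($dll) {
    Write-Host "mso20win32client.dll : $($dll.FullName) (file version $($dll.VersionInfo.FileVersion))"
} else {
    Write-Host 'mso20win32client.dll : not found under Program Files'
}

# 2. Policy nudge cache files: size, last write time, and whether each one parses as XML.
$nudgeFiles = @(Get-ChildItem -Path $cacheDir -Filter 'PolicyNudge*.xml' -ErrorAction SilentlyContinue)
if ($nudgeFiles.Count -eq 0) { Write-Host "Policy nudge files    : none in $cacheDir (not downloaded yet)" }
foreach ($f in $nudgeFiles) {
    try {
        [xml](Get-Content -Path $f.FullName -Raw) | Out-Null   # conversion throws on a truncated file
        $state = 'well-formed XML'
    } catch {
        $state = 'NOT well-formed (incomplete download?)'
    }
    Write-Host ("Policy nudge file     : {0} ({1} bytes, modified {2}) - {3}" -f $f.Name, $f.Length, $f.LastWriteTime, $state)
}

# 3. LastDownloadTimesPerAccount: trailing digits are an epoch timestamp driving the 24-hour refresh.
foreach ($rp in $regPaths) {
    $val = Get-ItemProperty -Path $rp -Name 'LastDownloadTimesPerAccount' -ErrorAction SilentlyContinue
    if (-not $val) { continue }
    $data = $val.LastDownloadTimesPerAccount
    if ($data -is [byte[]]) { $data = [System.Text.Encoding]::ASCII.GetString($data) }  # assumption: REG_BINARY holds ASCII text
    $raw = [string]$data
    if ($raw -match '(\d{9,10})\s*$') {
        $stamp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$Matches[1])
        $age   = [DateTimeOffset]::UtcNow - $stamp
        $due   = if ($age.TotalHours -ge 24) { 'refresh due on next Outlook start' }
                 else { "next refresh in $([math]::Round(24 - $age.TotalHours, 1)) h" }
        Write-Host "$rp : last download $($stamp.UtcDateTime) UTC ($due)"
    } else {
        Write-Host "$rp : value present but no trailing epoch timestamp found: $raw"
    }
}

if ($ResetCache) {
    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        Write-Warning 'Outlook is running; close it before resetting the cache.'
        return
    }
    foreach ($rp in $regPaths) {
        Remove-ItemProperty -Path $rp -Name 'LastDownloadTimesPerAccount' -ErrorAction SilentlyContinue
    }
    $nudgeFiles | Remove-Item -Force -ErrorAction SilentlyContinue
    Write-Host 'Cache reset: start Outlook and open a new message to re-download the policy nudge files.'
}
```

Run it as the affected user (no elevation is needed for HKCU and %LOCALAPPDATA%). The XML parse check is the quick way to tell the "incomplete" file the reader saw from a good download, and the timestamp line tells you when an edited PolicyNudgeRules.xml is about to be overwritten.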


16 thoughts on “Data loss prevention policy tips not showing in Outlook”

  1. DM February 6, 2021 / 2:44 pm

    I’m seeing the same, not a great situation to be in. For them to just say ‘working on it’ with no end in sight is really annoying.


    • Anthony February 6, 2021 / 2:47 pm

      Glad it’s not just me dealing with it, I checked the Microsoft article linked above this week to see if there was any update – sadly not.

      I’m going to request an update on my original support ticket next week, but it’s pretty frustrating to say the least!


  2. Jamie February 17, 2021 / 10:13 pm

    Myself and a colleague are experiencing the exact same issue with multiple customers. OWA works perfectly but no policy tips. Another issue I have noticed is that Outlook doesn’t create the PolicyNudges registry key.


    • Anthony February 18, 2021 / 5:24 pm

      Hi @Jamie

      Have you checked in the Office 15.0 folder in the registry too? I know the key can sometimes be in the older Office version folder after updating.

      Cheers,
      Anthony


      • Jamie February 26, 2021 / 9:51 am

        Hi Anthony,

        I have a new Windows 10 VM with the latest version of Office 365 installed. Checked all possible locations in the Registry and never have the PolicyNudges key created.

        I am suffering a very similar issue to this link: https://www.reddit.com/r/sysadmin/comments/fdss55/dlp_policytips_not_working_in_outlook_but_do_in/

        I currently have a case open with Microsoft, who have so far advised the same resolution steps as you mention in your updates.

        Hopefully it will get escalated soon.


      • Anthony February 26, 2021 / 1:00 pm

        Hi Jamie,

        Really appreciate the update, I’ve not gone down the completely fresh Win10 machine route yet – disappointing the issue still persists.

        Did you see my latest post update with a new article from MS?


  3. AT February 21, 2021 / 9:55 pm

    We’ve also been having the issue since last year. After extensive troubleshooting with support we found the policy nudge files weren’t being download (these are under appdata\local\microsoft\outlook).

    They have started downloading from last weekend but the policynudgerules.xml file was incomplete. We can edit the file by pasting the text from an old file and we see the override.

    This is the most recent article support sent me https://support.microsoft.com/en-us/topic/outlook-dlp-policy-tips-not-working-for-certain-conditions-in-email-body-and-attachments-8a32496a-3478-403c-b2eb-04a218f7443c?ui=en-us&rs=en-us&ad=us


    • Anthony February 21, 2021 / 10:03 pm

      Thank you for commenting! I’ll include your support article in my post. So in your case are the policy tips still not showing even after the nudge files started to download?


      • Anthony February 21, 2021 / 10:05 pm

        Sorry, just re-read your comment – you can get the tips to show if you edit the policy nudge files. How are you dealing with that at scale then, organisation wide?


      • AT February 21, 2021 / 10:23 pm

        So far we haven’t deployed anything company wide, instead we’ve been fixing on an individual basis or asking staff to use OWA which works fine. The workaround we have is: close Outlook > delete registry key LastDownloadTimesPerAccount > delete the 2 PolicyNudge.xml files in the user’s app data folder > open Outlook and click new email (this re-creates the registry and 2 .xml files) > edit PolicyNudgeRules.xml file and then restart Outlook.

        A couple of issues are:

        1. Outlook doesn’t detect any keywords that are in an attachment.
        2. Outlook will try to re-download the policy files after 24 hours on an Outlook restart, so the edited PolicyNudgeRules.xml file is replaced with the incomplete one. At the end of the registry value there is a 9 digit number which is Epoch time, that’s being used to detect if 24 hours has elapsed.


      • Anthony February 22, 2021 / 7:01 am

        Wow so basically it barely works at all then! Really appreciate the info though as we are looking to press ahead with switching DLP on even without the policy tips but if keywords aren’t detected in Outlook that’s a pretty big hole


  4. DM March 18, 2021 / 9:29 am

    I spoke with my reseller yesterday about this as we have premium support with them through to MS. They said that the status on the support article is as much as they would get via MS themselves, but did say that when a problem like this is discovered and in investigation phase with the product team, once fixed, it is then put in the patch/upgrade release cycle which is usually the last week of each month, so keep an eye out in the next couple of weeks for a possible fix, otherwise it may drag to April.


    • Anthony March 18, 2021 / 10:03 am

      Hi, thank you for the comment, it’s really useful to get some insight from premium support. I will keep my eyes peeled!


  5. Tim March 18, 2021 / 11:28 pm

    I am having this exact same issue. Does anyone have an example Policy XML? It’s hard to tell if mine is incomplete or not.


  6. Tim March 19, 2021 / 11:12 pm

    I have this same issue. I confirmed the minimum version noted in the XML is less than the version of our mso20win32client.dll file, and am able to get the new XML files after deleting them as well as the reg key. We just never see the policy tips in Outlook, only OWA. Very strange issue that I hope Microsoft resolves soon.

    This does make rolling out DLP a bit more complicated. We are going to roll out DLP using email alerts instead of the policy tips for the time being.


    • Anthony March 20, 2021 / 6:15 am

      Hi Tim,
      I know we’ve had to rethink our rollout of DLP too.

      We have agreed to turn off DLP for Outlook and just apply it to the other workloads – really not ideal, but the lack of policy tips in Outlook is a deal breaker for our decision makers.

