Data loss prevention policy tips not showing in Outlook

This post describes an issue that surfaced late in 2020 with policy tips not showing within emails in Outlook where data loss presentation policy rules are matched.

Full disclosure, I’ve got a series of posts planned on my experiences of Microsoft 365 compliance that I had hoped to publish last year, but other things have got in the way so apologies for the lack of any background I’d hoped to have in place – but it is coming!

For the past twelve months or so I’ve been creating, testing and tuning data loss prevention rules in Microsoft 365 in my organisation. We’ve published several of the Microsoft standard data loss prevention policies as well as creating our own custom sensitive information types and policies.

Data loss prevention policy tips showing within Outlook emails.

Data loss prevention (DLP) policies allow you to enable policy tips to be shown with custom text when a policy match occurs. Going through user acceptance testing in Autumn 2020 there no were no major issues – DLP rules were matching correctly and the policy tips were displaying consistently throughout Microsoft 365 from SharePoint to Outlook.

In November 2020, I noticed that policy tips that had been showing in Outlook had stopped appearing all together. It was around this time I came across this article from Microsoft that says:

This issue occurs because the compatible version criteria that’s processed by the policy evaluator is based on the version of mso20win32client.dll, not the version of Outlook. In many cases, the version of mso20win32client.dll is not the same as the version of Outlook and Office.

For example, an administrator may configure a very restrictive policy that applies only to version 16.0.11727.20244 or a later version of Outlook. However, the policy evaluator uses version 16.0.11727.20222 of mso20win32client.dll and determines that the rule should not be applied. In this example, the rule would have to indicate the minimum required version of 16.0.11727.20222 to have the policy tip appear in Outlook.

From <https://docs.microsoft.com/en-us/outlook/troubleshoot/security/can’t-display-dlp-policytip>

Now I’ve interpreted, plus also had it confirmed by Microsoft support that effectively means the policy ips will not work if the version of Office/ Outlook you are running is newer than the version the policy evaluator is using. It doesn’t say that specifically in the excerpt above, but it is most definitely the case. I’ve tested using Outlook on the web as the article describes and the policy tips still show. I’ve also deleted the registry value as suggested in the resolution section of the article to no avail too.

An additional support article was brought to my attention on this issue which you can read here. The article doesn’t reference the one I’ve highlighted in this post, but does mention some additional issues I was hadn’t noted:

  • Outlook DLP policy tips are not detecting sensitive information in PDF, Excel, Word and other attachments and it may work inconsistently across attachments
  • Policy tip detection may work for smaller attachment such as a 15KB file, but not for larger attachments such as a 2MB file
  • Outlook is also not detecting HIPAA or ICD-9 or ICD-10 correctly in the message body
  • In some cases, Outlook is not detecting key words with certain syntax such as quotation marks
  • In some cases, Outlook is not showing the policy tip if the message is being retrieved from a Draft 

FROM: https://support.microsoft.com/en-us/topic/outlook-dlp-policy-tips-not-working-for-certain-conditions-in-email-body-and-attachments-8a32496a-3478-403c-b2eb-04a218f7443c?ui=en-us&rs=en-us&ad=us

Update from Microsoft 15/02/21

I’ve been in discussions with various people from Microsoft who have also tried to help move this issue forwards. Here are some of the suggestions I’ve had so far:

  1. Update to the latest version of Office on the semi-annual channel to see if the problem persists
  2. Create a new Windows 10 VM with the latest version of Office installed, added to an OU, but with no organisational GPO’s set to prove if it isn’t related to GPO’s
  3. Add a device on the insider channel to know when the issue is fixed natively fixed on the Outlook client
  4. Speak to Microsoft Premier Support

In my organisation we have client machines on different versions of Office so I can rule out option 1, as I test more of the suggestions I will update this post!

Update from readers 22/02/21

One of the readers of this blog – @AT added an update that they had received from Microsoft on this issue:

Click here for the latest Microsoft support article

Our reader had found the policy nudge files weren’t being downloaded to the app data folder when applied (these are under appdata\local\microsoft\outlook). They added that the policy nudge files started to re-appear last weekend (14 February 2021), but the policynudgerules.xml file was incomplete. Pasting text from old policy nudge files into the newly downloaded one allows the override to be seen.

They added that the workaround they used was as follows:

  • Close Outlook
  • Delete the registry key LastDownloadTimesPerAccount
  • Delete the 2 PolicyNudge.xml files in users app data folder
  • Reopen outlook and create a new email (this re-creates the registry and 2 .xml files)
  • Edit PolicyNudgeRules.xml file
  • Restart Outlook

Aside from the fact the policy tips do not detect sensitive information in attachments in Outlook, our reader also noted that Outlook will try to re-download the policy files after 24 hours on an Outlook restart, so the edited PolicyNudgeRules.xml file will be replaced with the incomplete one. At the end of the registry value there is a 9 digit number which is Epoch time, that’s being used to detect if 24 hours has elapsed.


5 tips for getting started with Microsoft Teams

In this post we will look at five useful tips – in no particular order, to help owners or members to get started using Microsoft Teams.

Contents

  1. Pin your favourite teams channels
  2. Use post formatting, there’s cool stuff in there
  3. Get to know the General channel
  4. Standard vs. Private channels
  5. Consider how you create new teams

#1 Pin your favourite teams channels

This is a simple one, but a really effective way of managing teams you are a part of. Once you start using teams in anger, it can become easy to lose track of what teams you frequent if you don’t manage teams gallery or your notification/ activity feed.

On notifications and the activity feed, notifications are actually turned off for teams by default, so it’s up to the members to manage their own notifications. Naturally, you still see updates by the channel being in bold and any @mentions will notify you.

It’s worth pointing out the distinction that you actually cannot pin an entire team, but only channels within it. Here’s how you pin a channel

  • Click on the ellipsis button … next to the channel you want to pin
  • Press Pin
Pin a channel for easy access from the teams gallery.

NOTE: To unpin a channel, follow the same steps as above button the option will be Unpin.

#2 Use post formatting, there’s cool stuff in there

One thing I’ve definitely starting using more and more is post formatting. There are several extra features post formatting gives you that you don’t get with the standard reply, such as

  • Add a subject – give you new post a prominent subject that stands out
  • Extra formatting options – heading options, text highlight colours, font colours
  • Announcement option – similar to a news post in SharePoint, but adds background colour or image to headline
  • Reply options – allow everyone to reply or just the you and/or moderators
  • Post in multiple channels – allows you to post a message in any of the channels you have access to
  • Format links – display text instead of a full URL, particularly useful if sharing links from Teams, as they are long and pretty ugly
There are several post formatting features that you don’t see in a regular reply.

#3 Get to know the general channel

The general channel is provisioned as standard when you create a new team. It’s generally the place where all communication within a team takes place.

The general channel comes with Posts, Files and Wiki tabs “out the box” to allow you to start collaborating straight away. That said, the general channel does have it’s limitations, such as:

  • You cannot use moderation in the general channel
  • You can’t delete the general channel
  • You can’t rename the general channel
  • You can’t hide the general channel or change the order of the channels to move it down
The general channel comes with Posts, Files & Wiki tabs as standard.

This post I wrote goes into more detail on using the general channel within the context of an org-wide team.

#4 Standard vs. private channels

There are two types of channels you can create in teams:

  • Standard – accessible to everyone on the team
  • Private – accessible only to a specific group of people within a team
When creating new channels you can choose between standard and private.

However, both options are not created equally. Here’s a look at the differences between the two:

StandardPrivate
Number of channels in a team20030
Number of members in a channel*10,000250
Can team owners manage the channel?**YesNo
Can guest create channels?YesNo
Support for connectors & tabs?YesYes
Support for Stream, Planner & Forms?YesNo
Create’s additional SharePoint site collections?NoYes
Creates additional Microsoft 365 Group?NoNo

* The number of members within a standard channel derives from the team membership.

** Team owners can’t see the files, conversations or members list in a private channel unless they are members themselves. Owners can see the names of the private channels in teams they own and also delete them.

Here are some more resources teams limits and standard/ private channels:

Private channel SharePoint site collections

Just to add to the point in the table about of additional SharePoint site collection, each private channel has it’s own, slimmed down version of a SharePoint site optimised for file sharing and fast provisioning.

The key differences between these site collections and standard ones is that private channel site collections are created in the same geographic region as the site collection of the parent team, have a a custom template ID, "TEAMCHANNEL#0" and cannot be accessed via the SharePoint admin center – only through PowerShell and the Graph API.

An example site collection for a private channel.

The URL for a private channel URL concatenates the team name with the private channel name, meaning it will look like this:

https://tenant.sharepoint.com/sites/TeamName-PrivateChannelName

https://www.petri.com/managing-teams-private-channels

#5 Consider how you create new teams

So this point is really to understand what gets provisioned when you create a new team, the different ways you can create them and any limitations with creating in those different ways.

What else do you get when you create a new team?

There is an absolutely brilliant everyday guide to Microsoft 365 Groups by Matt Wade at jumpto365 that does a better job explaining what you get when you create, well anything in Microsoft 365 than I can, but here’s the overview from his site:

Credit – Matt Wade jumpto365: https://www.jumpto365.com/blog/everyday-guide-to-office-365-groups

Outlook groups and the global address list

What I wanted to highlight was depending on how you create a team, the Microsoft 365 group behaves differently – particularly in Outlook.

What I have noticed is that teams created via the client app or web browser are will not appear in Outlook groups or the global address list.

Teams created any other way, be it from the Teams admin center, Outlook, Exchange, Azure or Groups will appear in Outlook groups and in the global address list.