AIP auto save and ActiveX block

Question

AIP auto save and ActiveX block

Karthik Palani 100

Hi All,

Does Auto save and ActiveX control gets blocked in Microsoft Purview AIP labeling. Auto save doesn't work for encrypted labels and ActiveX also getting blocked. Is this by design, Please advice on how to fix it

Ganesh Gurram 6,860 Reputation points Microsoft External Staff Moderator

2025-04-29T07:02:42.3366667+00:00

@Karthik Palani

Yes, the behavior you're observing with AutoSave being disabled and ActiveX controls getting blocked when using Microsoft Purview AIP (Azure Information Protection) sensitivity labels especially those with encryption applied is expected and by design.

AutoSave and AIP Labels with Encryption

According to this MS documentation: Microsoft Docs - Limitations when you apply labels with encryption

"When a document is protected by a sensitivity label that applies encryption, the AutoSave feature is automatically turned off to help prevent data loss."

When you apply an AIP label with encryption to a document (Word, Excel, PowerPoint), AutoSave is disabled.

Reason - AutoSave requires files to be stored in an editable way (e.g., OneDrive, SharePoint). However, when a file is encrypted using AIP (e.g., with RMS encryption), the document protection limits real-time saving to protect data integrity.

ActiveX Controls and AIP Labels with Encryption

According to this MS documentation: Microsoft Docs - Sensitivity labels and active content

"Active content such as ActiveX controls and macros might be disabled when a document is encrypted by sensitivity labels."

If a document (e.g., Word or Excel) has ActiveX controls, and you apply a sensitivity label with encryption, the ActiveX content may not work or be blocked.

Reason - ActiveX controls can execute code, and encrypted documents limit what can be executed to reduce security risks. Also, some encryption settings can interfere with the macros/ActiveX loading in trusted ways.

Note: If these features are business-critical, we recommend using sensitivity labels without encryption which still provide classification and visual markings, but do not enforce encryption.

I hope this information helps.

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
Ganesh Gurram 6,860 Reputation points Microsoft External Staff Moderator

2025-04-30T01:07:44.7166667+00:00

@Karthik Palani

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Karthik Palani 100 Reputation points

2025-04-30T06:20:58.2566667+00:00

Regarding ActiveX "Reason - ActiveX controls can execute code, and encrypted documents limit what can be executed to reduce security risks. Also, some encryption settings can interfere with the macros/ActiveX loading in trusted ways".

We removed encryption and applied only content marking label. Still Activex is blocked, Any reason for this please
Karthik Palani 100 Reputation points

2025-05-04T05:28:20.2933333+00:00

Thanks Ganesh for the clear explanation
Ganesh Gurram 6,860 Reputation points Microsoft External Staff Moderator

2025-05-05T08:53:08.7233333+00:00

@Karthik Palani

Glad to know the answer was helpful! Kindly 'accept the answer' and click "Yes" for "Was this answer helpful?" This will assist other community members who come across this thread.

Accepted answer

0 additional answers

Your answer

Ganesh Gurram 6,860 Reputation points Microsoft External Staff Moderator

2025-04-30T01:07:44.7166667+00:00

@Karthik Palani

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Karthik Palani 100 Reputation points

2025-04-30T06:20:58.2566667+00:00

Regarding ActiveX "Reason - ActiveX controls can execute code, and encrypted documents limit what can be executed to reduce security risks. Also, some encryption settings can interfere with the macros/ActiveX loading in trusted ways".

We removed encryption and applied only content marking label. Still Activex is blocked, Any reason for this please
Karthik Palani 100 Reputation points

2025-05-04T05:28:20.2933333+00:00

Thanks Ganesh for the clear explanation
Ganesh Gurram 6,860 Reputation points Microsoft External Staff Moderator

2025-05-05T08:53:08.7233333+00:00

@Karthik Palani

Glad to know the answer was helpful! Kindly 'accept the answer' and click "Yes" for "Was this answer helpful?" This will assist other community members who come across this thread.

Answer 1

@Karthik Palani

If ActiveX controls remain blocked even after removing encryption from your sensitivity labels, several factors could be contributing to this behavior. Here's a comprehensive overview based on Microsoft's official documentation:

Office COM Kill Bit Blocking Specific Controls

Microsoft Office employs a security feature known as the COM Kill Bit, which can block specific ActiveX controls from running, regardless of other settings. This mechanism is designed to prevent known vulnerable controls from executing. Even if encryption is removed from a sensitivity label, a control with its CLSID listed in the registry under the COM Kill Bit will remain blocked.

Reference: Security Settings for COM objects in Office

ActiveX Controls Disabled by Default in Office 2024

Starting with Office 2024, ActiveX controls are disabled by default across applications like Word, Excel, PowerPoint, and Visio. This change enhances security by preventing the automatic execution of potentially unsafe controls. Users can re-enable ActiveX controls through the Trust Center settings.

Reference: ActiveX controls are disabled by default in Office 2024

Trust Center Settings and Protected View

Office's Trust Center provides settings that govern the behavior of ActiveX controls. If the setting is configured to "Disable all controls without notification," all ActiveX controls will be blocked. Additionally, documents opened in Protected View—such as those downloaded from the internet or received via email—will have active content, including ActiveX controls, disabled until the document is trusted.

Reference: Enable or disable ActiveX settings in Office files

I hope this information helps.

Share via

AIP auto save and ActiveX block

0 additional answers

Your answer