This setting enhances productivity for users that label and encrypt file types other than those for Office and PDF by using the Microsoft Purview Information Protection client. Typical examples of file types other than Office and PDF include .txt, .jpg, .csv, and files from third-party applications.
When users label and encrypt these files with the information protection client and without this setting for advanced label-based protection:
The encrypted file changes its file name extension and becomes read-only, and can no longer be opened by apps that support the original file name extension. Instead, the file opens in the Microsoft Purview Information Protection viewer. To make any changes to the file, users must manually remove the label with encryption.
Although the encryption can include restrictive permissions, such as not allowing copy and save for specific users, not all files can support these restrictions. As a result, when these files are opened in the information protection viewer, users are informed of the configured permissions, but the permissions can’t be enforced. This type of encryption is referred to as generic, rather than native.
For a better understanding of the file name extension changes for encrypted files, see Supported file types from the information protection client documentation. Also be aware of the standard client exceptions for files that are critical for computer operations.
When you configure users for the endpoint data loss prevention setting Advanced label-based protection for all files on devices and use the information protection client, the following changes occur for file types that aren't supported by Office or that are PDF files:
- When a user selects a sensitivity label that applies encryption, the file name extension now doesn't change. As a result, there's no change to the user workflow because they can continue to view and edit the file in their standard application. Endpoint DLP tracks and monitors the file, enforcing configured permissions without requiring the information protection viewer.
Note
Because the file name extension hasn't changed, users can confirm that the label is applied by using the Microsoft Purview Information Protection File Labeler.
- Only if the user copies or moves the file from the computer does the file name change:
  - If the file is copied or moved to a network drive or USB device, the file there has the changed file name extension that requires the information protection viewer to open it.
  - If the file is copied or moved to any other location (Bluetooth device, over remote desktop, or uploaded to the cloud), a local copy of the file is created with the changed file name extension that requires the information protection viewer to open it. Endpoint DLP informs the user that they must use this version of the file to manually copy or move it to the new location.
  - If the operation to encrypt the file fails, the copy or move activity is blocked to ensure that the unencrypted file remains on the device and isn't exfiltrated.
Here's a summary of the differences when you label files other than Office and PDF and you use just the information protection client rather than the client with endpoint DLP advanced label-based protection:
Labeling behavior | Just the client | The client with endpoint DLP setting enabled
---|---|---
Files labeled with encryption retain their original file name extension | No. The file name extension always changes. | Yes, until egress.
Files labeled with encryption can be opened and edited with the original application or others that support the original file type | No. Always requires the information protection viewer. | Yes, until egress.
Configured permissions for labeled and encrypted files are enforced | Native encryption: Yes. Generic encryption: No. | Yes. The following permissions are enforced until egress: view, extract, print.
Examples of egress behavior
A user moves a text file to a network drive, and the file has been labeled with encryption:
- The file on the network drive has the .ptxt file extension, must be opened with the information protection viewer, and can't be monitored by DLP.
A user uploads to the cloud an image file with a .jpg file name extension, and the file has been labeled with encryption:
- Endpoint DLP creates a local copy of the file with a .pjpg file name extension and informs the user they must use this version of the file to copy to the new destination. This version of the file must be opened with the information protection viewer and can't be monitored by DLP.
- The original file on the computer retains the .jpg file name extension and can still be opened and edited with the original application. DLP continues to monitor this file.
Limitations:
- Supported only for sensitivity labels that apply encryption. For sensitivity labels without encryption, the behavior and supported file types are the same as for the information protection client.
- Not supported for labeling files on network locations or USB drives.
- The applied sensitivity labels won't be detected as conditions in DLP policies before egress.
- When multiple files are selected for labeling and they include Office files or PDF files, the Office files and PDF files won't be labeled or encrypted.
- Endpoint DLP doesn't enforce all rights management usage rights before egress: VIEW, EXTRACT, and PRINT are supported.
- The Save As option doesn't automatically inherit the current label and encryption settings. The user must label the new file.
- The Microsoft Purview Information Protection PowerShell module doesn't recognize the DLP setting. Labeling files using PowerShell will encrypt and change the file extension. Only use the Microsoft Purview Information Protection File Labeler when you enable the DLP setting.