Forum Discussion
AIP client and WTS?
Hi. We have several customers using AIP in TS and Citrix environments. It works and is supported, but there are some restrictions customers have identified; I include their observations below:
Azure Information Protection in VDI deployments
Background
Azure Information Protection (AIP) is information protection software for labeling and protecting classified files, based on a central policy. This is a description of what to consider when deploying AIP in virtualized or remotely accessed environments (such as RDP). AIP runs and is supported on virtual environments with no specific requirements by default.
AIP client software components
AIP client software is composed of Office add-ons for Word, Excel, PowerPoint, and Outlook, an OS shell extension (which provides a right-click context menu), the AIP viewer, and PowerShell modules. All software components are included in the AIP client software package. For installation instructions for the AIP client, refer to the AIP Administrator guide.
AIP Configuration
AIP configuration is retrieved along with the client policy and stored in %localAppData%/Microsoft/MSIP and %localAppData%/Microsoft/MSIPC. In a non-persistent VDI, the implication is a few seconds' delay on the first run, in which AIP retrieves the configuration and sets all requirements for normal operation. As long as the user is already logged in to Office 365, no user interaction is required.
AIP activity logs
AIP activity logs are stored under %localAppData%/Microsoft/MSIP/Logs and %localAppData%/Microsoft/MSIPC/Logs under the user profile and in the Windows event logs. If you are required to store the logs between reboots make sure you can store the user profile in a persistent. The activity logs are also collected under the Windows event log.
Logs are also collected in Azure Log Analytics, which makes them independent of the client machine.
Persistent vs Non persistent VDI
If you are running persistent VMs, AIP should just work, as on any normal workstation, and all controls and configurations are valid.
If you are running in a non-persistent environment, you can still run AIP, as the client refreshes its policy on every login. However, there are a few recommendations that can minimize the configuration updates required during login to the VDI.
- Distribute the policy in your VDI image.
- Update registry changes using GPO to make sure they are applied at login time.
- If your VDI infrastructure permits, maintain the following locations as persistent:
  - %localAppData%/Microsoft/MSIP
  - %localAppData%/Microsoft/MSIPC
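
One way to check, from inside a user session, whether the two locations above and their Logs folders actually survived a reset. This is an added example, not part of the original post or of the AIP client. Assumptions: the function name Test-AipProfilePersistence is hypothetical, and comparing folder creation time with the last OS boot is only a heuristic, so on a shared session host pass the user's logon time as -Since instead.

```powershell
# Added example; Test-AipProfilePersistence is a hypothetical helper name.
function Test-AipProfilePersistence {
    [CmdletBinding()]
    param(
        # Assumption: a folder created after this time did not survive the last reset.
        [datetime]$Since = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    )

    # The two per-user locations named in the post.
    $relative = 'Microsoft\MSIP', 'Microsoft\MSIPC'

    foreach ($rel in $relative) {
        $path = Join-Path -Path $env:LOCALAPPDATA -ChildPath $rel

        if (-not (Test-Path -LiteralPath $path -PathType Container)) {
            # Folder missing: nothing has been written for this profile yet.
            [pscustomobject]@{
                Path = $path; Exists = $false; Created = $null
                PredatesSince = $false; LogFiles = 0; OldestLog = $null; NewestLog = $null
            }
            continue
        }

        $dir    = Get-Item -LiteralPath $path
        $logs   = @()
        $logDir = Join-Path -Path $path -ChildPath 'Logs'
        if (Test-Path -LiteralPath $logDir -PathType Container) {
            # Oldest first, so the first and last entries bound the retained log history.
            $logs = @(Get-ChildItem -LiteralPath $logDir -File -Recurse -ErrorAction SilentlyContinue |
                      Sort-Object -Property LastWriteTime)
        }

        [pscustomobject]@{
            Path          = $path
            Exists        = $true
            Created       = $dir.CreationTime
            PredatesSince = $dir.CreationTime -lt $Since
            LogFiles      = $logs.Count
            OldestLog     = if ($logs.Count) { $logs[0].LastWriteTime } else { $null }
            NewestLog     = if ($logs.Count) { $logs[-1].LastWriteTime } else { $null }
        }
    }
}

Test-AipProfilePersistence | Format-Table -AutoSize
```

A row with PredatesSince false and an OldestLog later than -Since suggests the folder was rebuilt in this session, so local activity logs from earlier sessions are not being retained on that machine.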