Forum Discussion
Error when applying Sensitive Labels with Encryption
The user has a M365 E5 license assigned. The same behavior with and without the AIP UL client installed.
"I have been able to recreate the problem from the customer in a Microsoft Demo Tenant."
In the MSIP Logs I can see the RAC and CLC is ok
***************************************************************
++++++++ INFORMATION: RAC details: ++++++++
User: "Email address removed",
User type: "Federation",
Issuer name: "Contoso",
Issuer Id: "{478b1d52-ca90-4b80-a56c-0719879f15b8}",
Intranet Certification Url: "https://dd8d01a3-db71-4562-8143-fd83cb5b54c1.rms.na.aadrm.com/_wmcs/certification",
Extranet Certification Url: "https://dd8d01a3-db71-4562-8143-fd83cb5b54c1.rms.na.aadrm.com/_wmcs/certification",
Valid Until: "01/27/2022 03:56:00.000".
}}{{[348][msipc]:[Info]:[7032]:[2021-12-28 13:59:26.030]: cclclicense.cpp:Microsoft::InformationProtection::CCLCLicense::LogCLC:218
++++++++ INFORMATION: CLC details: ++++++++
User: "Email address removed",
Issuer name: "Contoso",
Issuer Id: "{478b1d52-ca90-4b80-a56c-0719879f15b8}",
Intranet Licensing Url: "https://dd8d01a3-db71-4562-8143-fd83cb5b54c1.rms.na.aadrm.com/_wmcs/licensing",
Extranet Licensing Url: "https://dd8d01a3-db71-4562-8143-fd83cb5b54c1.rms.na.aadrm.com/_wmcs/licensing".
*********************************************************************************************
The templates only show the default (new tenant)
*********************************************************************************************
[msipc]: ++++++++ INFORMATION: Adding template: ++++++++
Id: "{01c77b23-fb7a-4cc4-bfbc-665a8698f1c1}",
Name: "$title",
Description: "$description",
IssuerName: "Contoso".
}}{{[621][msipc]:[Info]:[7032]:[2021-12-28 13:59:26.701]: win7ippstore.cpp:Microsoft::InformationProtection::TemplateManager::copyTemplateInfoToList:518
[msipc]: ++++++++ INFORMATION: Adding template: ++++++++
Id: "{5cf200d3-d62d-4590-bad8-f93ad50d9ecd}",
Name: "Confidential \ All Employees",
Description: "Confidential data that requires protection, which allows all employees full permissions. Data owners can track and revoke content.",
IssuerName: "Contoso".
}}{{[628][msipc]:[Info]:[7032]:[2021-12-28 13:59:26.701]: win7ippstore.cpp:Microsoft::InformationProtection::TemplateManager::copyTemplateInfoToList:518
[msipc]: ++++++++ INFORMATION: Adding template: ++++++++
Id: "{75714ede-b62a-4d55-b2ed-2ba727ec6940}",
Name: "Highly Confidential \ All Employees",
Description: "Highly confidential data that allows all employees view, edit, and reply permissions to this content. Data owners can track and revoke content.",
IssuerName: "Contoso".
}}{{[629][msipc]:[Info]:[7032]:[2021-12-28 13:59:26.701]: win7ippstore.cpp:Microsoft::InformationProtection::TemplateManager::GetTemplateList:196
++++++++ INFORMATION: Getting templates succeeded. ++++++++
}}{{[630][msipc]:[Info]:[7032]:[2021-12-28 13:59:26.701]: ippapi.cpp:IpcGetTemplateListInternal:2577
-------- Done getting templates -------
iamarnoldmcse Hi, I just recently got the above message and it's simply the propagation time. At least it was for me. I bet it works now as your post has been here for a while?
Hi ChristianJBergstrom, tks for your response.
Indeed in my Demo Tenant, I am able to apply Sensitive Labels with encryption, as you said it seems it was a matter of "a lot of time for propagation", but on the production tenant we are still getting the same error and the tenant was configured with templates about 15 days ago.
From the PC:
1- The Internet has no restrictions.2- We have tried with the three client versions: https://www.microsoft.com/en-us/download/details.aspx?id=53018
3- We have tried with users with and without local admin permissions.
4- We have cleaned up the Client folders to reset client config
4- We have tried with different PCs and Users
From the Tenant (MIP Config):
1- Sensitivity Labels are configured with the correct permissions (Including users for testing)2- Label Policies correctly configured for end-user visibility
3- More than 10 days for label propagation.
Any other idea is really appreciated!
- Hello iamarnoldmcse
I had the same problem. For me it was the Protection Template which holds the status 'Archived' and never gets 'Published', when Encryption was applied to a new created Label. So with status 'Archived' the Information Protection Template is never stored on the client.
A possible workaround for me was, setting the AIPServiceTemplate manually to published, using the following script.
------------------------------------------------------
Set-ExecutionPolicy Bypass
Install-Module AIPService
Import-Module AIPService
Connect-AIPService
Get-AipServiceTemplate | FL
Get-AipServiceTemplateProperty -TemplateId <xxxxxxxx> -Status <--- this reports the custom label is at "Archived" state by default, why??
To fix it:-
Set-AipServiceTemplateProperty -TemplateId <xxxxxx> -Status Published
------------------------------------------------------
Don't forget to reset settings in the ULC, so templates can be fetched again.- Hi, must ask if you haven't migrated your AIP labels yet?
https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-migrate-labels
iamarnoldmcse Hello again, I would probably just compare the demo tenant settings with the production tenant settings to narrow it down as what's causing the issue. I suppose you've already done that. Have you also verified the distributionstatus, priority (and all other settings) using PowerShell?
Get-Label (ExchangePowerShell) | Microsoft Docs
Get-LabelPolicy (ExchangePowerShell) | Microsoft Docs
Other than that I would look at this too if you want to use built-in labeling?
Office built-in labeling client and the Azure Information Protection client
Difficult to help here really, you're probably better off creating a ticket with the official support having them look at some more details and logs.
