Forum Discussion
AIP client and WTS?
Hi. We have several customers using AIP in TS and Citrix environments. It works and is supported, but there are some restrictions customers have identified, I include their observations below:
Azure Information Protection in VDI deployments
Background
Azure Information Protection (AIP) is an Information protection software for labeling and protection of classified files, based on a central policy. This is a description of what to consider when deploying AIP in virtualized or remotely accessed environments (as RDP) AIP runs and is supported on virtual environments with no specific requirements by default.
AIP client software components
AIP client software is composed of Office Add-ons for Word, Excel, PowerPoint, and Outlook from an OS shell extension (provide a right click context menu), the AIP viewer and PowerShell modules. All software component is included in the AIP client software package. For installation instruction of the AIP client refer to the AIP Administrator guide
AIP Configuration
AIP configuration is retrieved along with the client policy and stored in %localAppData%/Microsoft/MSIP and %localAppData%/Microsoft/MSIPC in a non persistent VDI, the implication is a few seconds delay in the first run in which AIP retrieves the configuration and sets all requirements for normal operation, as long as the user is already logged in into Office 365, no user interaction is required.
AIP activity logs
AIP activity logs are stored under %localAppData%/Microsoft/MSIP/Logs and %localAppData%/Microsoft/MSIPC/Logs under the user profile and in the windows event logs. If you are required to store the logs between reboots make you can store the user profile in a persistent. The Activity logs are also collected under the windows event log.
Logs are also collected also in azure log analytics, which make them independent of the client machine.
Persistent vs Non persistent VDI
If you are running persistent VM’s AIP should just work, as on any normal workstation, and all controls and configurations are valid.
If you are running in a non-persistent environment you can still run AIP, as the client refreshes its policy on every login. However, there are a few recommendations that can minimize the configuration updates required during login to the VDI.
- Distribute the policy in you VDI image.
- Update Registry changes using GPO to make sure the are applied at login time
- If your VDI infrastructure permit, maintain the following locations persistent:
- %localAppData%/Microsoft/MSIP
- %localAppData%/Microsoft/MSIPC
- Roland_TaschlerAug 11, 2021Copper Contributor
Hello Enrique,
we a trying currently to implement AIP on TS. Aip is working fine exept for our non Persistent VDI. Windows Terminalserver Citrix MCS. When we try to open a protected file in excel, it states that the user is not allowed to open the file. The problem as far as i understand from the MSIPC Log files is that office (excel.exe) is calling Azure RMS without a token. However if i copy the protected file to my ondrive and open it with Excel online it works fine. did you ever expect such a behaviour. I arealdy spend several days to understand whats wrong. If i take the master image and try it on the masterimage it works fine. after VDA's are deployed from the master Image, the problem starts. we already checked that we do a dsregcmd /leave before deploying the VDA's. we saw that we have the same machineGuid on the vda's. also tried do delete machineguid, and restart. so machinguid is now different on our testserver, but still not working. Maybe do you have any Ideas?
Kind regards
Roland Taschler