Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
General Availability of Adobe Acrobat Reader Integration with Microsoft Information Protection
Published Dec 11 2018 10:48 AM 82.4K Views

We would like to announce the general availability of Adobe Acrobat Reader integration with Microsoft Information Protection solutions – which we originally announced in September Your feedback during the development of this integration was both insight and useful.  You can download the new Adobe Acrobat Reader  that supports Microsoft Information Protection capabilities at the following location

 

Adobe GA Graphics (2).png

 

 

Figure 1: Page to download the Adobe integration Plug-in

Installation instructions

Prior to downloading the latest Adobe Acrobat, please make sure that your labels are visible in the Security and Compliance center UI @ https://protection.office.com . If the labels are visible and are published by a label policy from the Security and Compliance center, the Adobe Integration will function.  

 

Note: The instructions on how to replicate your existing AIP labels to Security and Compliance center is at the following link

 

After you have validated the label being visible in the Security and Compliance center, please proceed to download your Adobe Acrobat Reader from the Adobe site. Once you have installed the Reader then please proceed to the link and download the integration plug-in for installation.  Please make sure that you close the Adobe Acrobat solution prior to installing the plug-in, otherwise it will not work. 

 

If have an older installation then please make sure to read the general terms of use and uninstall any old Reader and plug-in installation before installing the new reader and the plug-in.  The integration works with the 2019.010.20064 version of Acrobat Reader DC and Acrobat DC. Please do not use the plug-in with an earlier version of Acrobat.

 

After you have installed the plug-in, please try to label and protect a PDF document using the Azure Information Protection client and then open with Adobe Acrobat Reader that has the integration enabled. 

 

Organizations with restrictive install permissions within their tenant

In case you receive the following error as shown in Figure 2, when opening the secure PDF document with Adobe, It is due to the fact that the tenant administrator in your organization does not want users to authorize applications within your organizations tenant .  This is an additional security measure that your tenant administrator might have enabled .

Adobe GA Admin Consent.png

 Figure 2: Admin Consent page that shows if you have not authorized the Adobe applications

 

In such cases, please have your tenant administrators consent to the Adobe Acrobat App-id which is as follows:

cad2910c-3b55-4610-ba7e-dda581063c91

 

Once the administrative consent happens, then you should be ready to consume protected PDF content via Adobe’s Acrobat Reader. If you would like to understand what consent flows are, please read the information at the following link:

 

https://techcommunity.microsoft.com/t5/Microsoft-Information-Protection/Consent-flows-for-applicatio...

 

 

 

Viewing the label ribbon when PDF is labeled or labeled and protected

 

 To view the label ribbon in Acrobat reader interface please update or create the following registry entry on your computer

 

Computer\HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\MicrosoftAIP

Create a DWORD value name called : bShowDMB with a Hexadecimal value of 1 

 

 

Label and Sublabel pic adobe.png

 Figure 3: Label banner on a PDF

 

 

  That will allow the ability to view the label ribbon within the Acrobat interface

 

Issues in viewing labels with Adobe Reader

Even after making the changes in registry you are not seeing the labels. Then the issue could be the following:

  • Have your labels been replicated from the AIP portal to Security and Compliance center?
  • Have you published your labels to the users in your tenant from the Security and Compliance center?

If your answer is no, to the above questions, then you will not see the labels. The Adobe integration is enabled with Microsoft Information Protection and the policies for those labels comes the Security and Compliance center at https://protection.office.com

 

Please check if your AIP labels manifest within Security and Compliance center and if they are visible then please make sure that your labels are published.

 

If you have done the above steps please make sure that the registry entry for the label banner is done as Adobe\Acrobat Reader\DC and not under Adobe\DC

Computer\HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\MicrosoftAIP

And the value is a DWORD not a QWORD

 

 

We at both Adobe and Microsoft look forward to your engagement and feedback to improve the product experience.

 

 

98 Comments
Steel Contributor

 

Answered my own question... Smiley Happy.

Copper Contributor

regedit.PNGadobe.PNG

 

The registry has been created but the ribbon doesn't exist. any additional step for this?

@Fazar Susanto Did you apply the label and protection using the AIP client and which version of the AIP client ? 

 

Adobe Release number.png

 

 

This is the version that you should have download and install the plug-in @Fazar Susanto

Copper Contributor

Hi @Kartik Kanakasabesan , yes I did. The AIP client version is 1.41.51.0.

Try rebooting the machine after the registry entry update 


.

 

 


 

Copper Contributor

adobeVersion.PNG

Adobe versions same like yours.

Already rebooting the machine and the result is same.

Copper Contributor

 

@Fazar Susanto could you please share the document if possible? That would help us debug the issue on our end. Please send the same to rkadian@adobe.com.

 

 

Copper Contributor

Hi @Rajjeet Kadian, sent!

Copper Contributor

Any update on the Adobe Pro ? To Edit PDF not only reading ?

Brass Contributor

Hi, any plans to support Windows Information Protection (EDP) - personal/work content separation in Adobe Reader? Is this something you are discussing with Adobe? This plugin only enables AIP labels which is nice improvement over the past but opening any PDF in an WIP unenlightened app (like Adobe Reader) give user a prompt/warning that the files are to be changed to work content every time. This is confusing/distracting for users. (I know we can use Edge for PDF viewing which is WIP enlightened but you know that’s not really a proper solution…)

 

(additionally, this AIP plugin only supports English version of Adobe Reader - I suppose this is just temporary)

@Pavel Otych  from RS5 onwards WIP (EDP) is MIP label aware and based on the MIP label applied WIP will also apply personal or work labels accordingly.  @Derek Adam from the WIP team can answer more on that.

@Ahmed Nabil both us and Adobe are looking at the Editing scenarios, we will be making regular updates and your request is on our mutual backlog of features we want to accomplish

Copper Contributor

Have the same problem as Fazar Susanto. I've added DWORD to the registry, reboot PC, but label ribbon not appearing.

Copper Contributor

Thanks Julian for reporting this. We are looking into this issue. Can you please share the following details on rkadian@adobe.com:

 

  • Protected Document
  • Is Label Info visible in the 'Security Settings' section within Adobe Acrobat Reader?  It is visible on the Left Hand Pane (when you click the 'lock' icon)
  • Is the label not shown on any document or only few documents?

We may request for more info to investigate the issue better.

Brass Contributor

@Kartik Kanakasabesan @Derek Adam Thanks for your reply. I'm aware that WIP in RS5 is MIP label aware. However, Adobe Reader isn’t WIP aware, it only decrypts AIP protection with the currently announced plugin, it doesn’t differentiate between personal/work files.

 

Therefore, the user sees a prompt/warning when he tries to open a PDF file coming from any external source (the prompt basically says "Hello user, Adobe Reader isn't WIP enlightened application but your admin says you can use it anyway, we will therefore automatically apply WIP protection for the document and you can’t remove the protection, do you agree?"). This prompt is problematic for our users and causes a lot of confusion, they don’t understand difference between AIP, WIP, MIP, whatever. They just want to open a PDF file.

 

If Adobe Reader had proper MIP + WIP support (=if it were WIP enlightened app like Office), the user wouldn’t see the prompt and Reader would differentiate between personal/work content.

@Pavel Otych Thanks for your feedback. @Derek Adam@Rajjeet Kadian, and I  will take your feedback on the matter.  The feature you requested is in our backlog. 

Copper Contributor

one issue, adobe/plugin is asking for our azure credentials twice !

Copper Contributor

 @Ahmed Nabil, can you send me the log file from $AppDataLocalLow\Microsoft\RMSLocalStorage\mip\logs\mip_sdk.miplog

@Ahmed Nabil@Pavel Otych@Freijul, and others, I have updated the blog to make sure your labels are visible in the security and compliance UI in addition to the AIP portal, only then will you see the labels 

Copper Contributor

I have an issue since I installed the new reader and the plugin I m facing 2 issues first it takes time to open second  when i open mre than a doc it hangs the system 

Brass Contributor

From what I understand of your previous announcement you need the Azure Information Protection client to protect a PDF file. I thought that the one benefit of Microsoft Information Protection was that it was integrated directly into Windows 10 and did not need any other software. Is that not the case with PDF?

Does Adobe Reader support reading encrypted files? If so, do you need the AIP client for that?

Copper Contributor

Consent to Adobe App failedmsmip.png

Copper Contributor

@Ahmed Nabil

 

Please can you confirm if this consent app window appears after email input . And the email id/domain being used.

Please share the following logs:

  • AppDataLocalLow\Microsoft\RMSLocalStorage\mip\logs\mip_sdk.miplog
  • Enable the below registry:

          HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\MicrosoftAIP

          “bEnableLogging”=dword:00000001

  • Repeat the same workflow and share the log generated at:

    $AppDataLocal\Microsoft\RMSLocalStorage\msrmsLog.txt 

         

 

Copper Contributor

@Chandrima_Das

 

Yes, I get directed to Microsoft, I pick my name (Corporate Admin), login then get Microsoft permissions needed (Checks) and when I click accept I get this error

 

Also one comment, it takes around 15-20 second (delay) for the protected PDF to open in Adobe Reader vs normal documents/PDF

 

Please find the log

 

RMSServices::CreateProtectionHandlerFromPublishingLicenseRemote
ProtectionAuthenticator::Authenticate
ProtectionAuthenticator::setAccessTokenFromCredentials
RMSServices::GetDocLabelMetadata
RMSServices::GetSensitivityLabelNameHierarchyFromLabelMetadataRemote
PolicyAuthenticator::Authenticate
PolicyAuthenticator::setAccessTokenFromCredentials
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DeleteProtectionHandlerDataInPIBroker
RMSServices::PerformPluginUnloadProcessing
RMSServices::CreateProtectionHandlerFromPublishingLicenseRemote
ProtectionAuthenticator::Authenticate
ProtectionAuthenticator::setAccessTokenFromCredentials
RMSServices::GetDocLabelMetadata
RMSServices::GetSensitivityLabelNameHierarchyFromLabelMetadataRemote
PolicyAuthenticator::Authenticate
PolicyAuthenticator::setAccessTokenFromCredentials
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DeleteProtectionHandlerDataInPIBroker
RMSServices::PerformPluginUnloadProcessing
RMSServices::CreateProtectionHandlerFromPublishingLicenseRemote
ProtectionAuthenticator::Authenticate
RMSServices::GetDocLabelMetadata
RMSServices::GetSensitivityLabelNameHierarchyFromLabelMetadataRemote
PolicyAuthenticator::Authenticate
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DecryptDataUsingProtectionHandlerRemote
RMSServices::DeleteProtectionHandlerDataInPIBroker
RMSServices::PerformPluginUnloadProcessing

Copper Contributor

@Ahmed Nabil, can you also please share the log from "C:\Users\<username>\AppData\LocalLow\Microsoft\RMSLocalStorage\mip\logs". We might also need fiddler or charles log to isolate the issue in you environment. Is this the only machine where you're facing the issue or are you facing this on every machine in your organization?

Copper Contributor

@Mohd_Kashif

 

  • yes the delay happen to all users
  • Can't attach files to this reply

 

 

Copper Contributor

@Ahmed Nabil, you can send the log file to me at kashif@adobe.com. Can you also please provide following info?

1) Do you see delay every time you open a file? If you open a file that you've opened at least once do you still face the delay issue?

2) I'm also concerned about the "consent to Adobe app" issue and need more info. Is it consistently reproducible in your environment? Were you on any kind of virtual environment when you faced this issue? Can you also please send me "C:\Users\<username>\AppData\LocalLow\Microsoft\RMSLocalStorage\mip\logs\mip_sdk.miplog" from the machine you faced consent app failure?

Copper Contributor

@Ahmed Nabil, you can send the log file to me at kashif@adobe.com. Can you also please provide following info?

 

1) Do you see delay every time you open a file? If you open a file that you've opened at least once do you still face the delay issue?

 

2) I'm also concerned about the "consent to Adobe app" issue and need more info. Is it consistently reproducible in your environment? Were you on any kind of virtual environment when you faced this issue? Can you also please send me "C:\Users\<username>\AppData\LocalLow\Microsoft\RMSLocalStorage\mip\logs\mip_sdk.miplog" from the machine you faced consent app failure?

Copper Contributor

@Ahmed Nabil

  • you can also try saving credentials to speed up file open.
  • is the consent issue reproducible on multiple machines? And on multiple physical machines?

Thanks.

 

Copper Contributor

@Ahmed Nabil

 

For the delay, usually AIP protected files open slower in Acrobat/Reader [for the first time ] compared to non protected files. But if you open the same file again there should not be significant delay unless the file is too large or contains complex objects like multiple annotations or signatures.

Please could you tell us the file size or send us an unprotected similar file if permitted[please mail to kashif@adobe.com] .

Deleted
Not applicable

@Chandrima_Das

 

File is one page (very small) and its 15-20 seconds delay even if opened before

Deleted
Not applicable

@Rajneesh_Chavli

 

Yes Consent is not working from any machine

 

First I was on a user logged with my account and when I opened the PDF for the first time I got the message to consent for all company and it didn't work (IP un reachable message) then I tried it from the portal.azure.com - enterprise applications -adobe and same failure (sent screen shot earlier)

Copper Contributor

@Deleted can you please let know

  • the exact workflow you're performing, i.e. if my following understanding is correct:
    • open a PDF (without saving credentials).
    • close the same PDF.
    • reopen the PDF (without closing Adobe Reader), and still it takes 15-20 seconds to open.
  • if saving credentials speeds-up file open? i.e.
    • open a PDF (and save credentials).
    • close the same PDF.
    • reopen the PDF (with/without closing Adobe Reader).
  • if the delay is seen even on saving credentials and performing the above workflow, is it file specific?

Also, if possible, kindly share the unprotected PDF (to rchavli@adobe.com, kashif@adobe.com). 

 

Thanks.

Copper Contributor

I had the same issue related to the delay of the PDF 

it delays first when open also when in the same session opening more than one protected PDF 

I have disabled the protected mode cause as I checked on adobe support website the protected mode cause I found more than one process in the background when opening the PDF 

 

all operations required by Acrobat Reader DC to display the PDF file are run in a restricted manner inside a confined environment, the “sandbox.” 

protected.pngI think this needs to be fixed by adobe 

 

 

 

what is Protected Mode?

Protected View feature for PDFs (Windows)

 

Copper Contributor

@Karim Zaki

Is the delay getting smaller with Protected Mode disabled? And as u confirmed that the files have delay in opening even if they have been opened before?

 

 

Copper Contributor

actually I was testing I wish I could confirm if that helps or not but I think it helped a little 

as first the adobe is opening in the background process then open the apps 

as you can see here protected.png

 

 

also I have windows defender 

I don't know if that helps in the case 

Copper Contributor

as you can see here it is using for every PD a separate background process also it is caching in a temp file first caching.png

background.png

Copper Contributor

@Mohd_Kashif

 

I sent you the logs on the mail

Copper Contributor

@karim zaki

I see multiple Reader process active in Task Manager. Please kill all the process. Restart Reader and launch AIP files.

There should be one "Adobe Acrobat Reader Dc" in Apps and maximum one or none "Adobe Acrobat Reader Dc" in Background process.

Please do not check for processes under Enhance or Update Service as they are not related to file launch.

And where do we look for caching in temp file?

Copper Contributor

I killed the background processes but that is the behavior when opening more than one file 

I m just explaining the behavior of ADOBE latency 

Copper Contributor

@Karim Zaki request you to kindly verify the following:

  • kill all Adobe Reader processes from task manager (if any).
  • launch Adobe Reader in Protected Mode, verify that that two Adobe Reader processes are seen in task manager (Details tab of task manager).
  • open a MIP-protected PDF, verify that there are still two Adobe Reader processes in task manager (Details tab of task manager).
  • open another MIP-protected PDF, verify that there are still two Adobe Reader processes in task manager (Details tab of task manager).
  • close Adobe Reader and (if needed wait for a few seconds and then) verify that Adobe Reader processes are gone from task manager (Details tab of task manager).
  • if you observe a behavior different than above:
    • kindly share screenshot(s) of the task manager after performing the above steps.
    • is the behavior seen on multiple machines?
    • is the behavior seen on virtual machines or multiple physical machines as well?

Thanks.

Copper Contributor

I did exactly what you told me and more 

first I just opened the reader protected mode with no files detailed tabdetailed tab

protected.png

now I opened PDF files 

morethanfile.gif

then I closed the PDF 

after closing PDFSafter closing PDFS

and yes this behavior for any machine

I sent you all details to help you so you can help me 

Copper Contributor

@Karim Zaki in the first screenshot in your last post there are three Adobe Reader (AcroRd32.exe) processes, so as mentioned in my last post kindly first kill all AcroRd32.exe processes from the details tab of task manager and verify that there isn't even one AcroRd32.exe process that is seen.

After the above is verified (i.e. no AcroRd32.exe process in task manager details tab), kindly perform the steps mentioned in my last post one-by-one and if the behavior is different after any step than what I've mentioned kindly share the screenshots for each such step.

Thanks for your help.

Copper Contributor

i did exactly what you told me 

1.gif

 

 

2.gif

Copper Contributor

@Karim Zaki requesting you to kindly share screenshots corresponding to each step outlined in my earlier post (https://techcommunity.microsoft.com/t5/Azure-Information-Protection/General-Availability-of-Adobe-Ac...) as that would help us in understanding the scenario better. Also, request you to restart your machine first or try the steps in another physical machine if possible.

Thanks for your patience and help.

Folks, if you are having problems admin consent dialog please follow the steps after figure 9 from the following blog 

https://techcommunity.microsoft.com/t5/Microsoft-Information-Protection/Consent-flows-for-applicatio...

Deleted
Not applicable

Hi, that is great news.

Only after installing it as per instructions, still does not work.
Still comes with "This PDF File is protected" message and fails to open.

Anyone else has the same problem?

Any fix?

Thanks.

RS

Copper Contributor

@Deleted can you please confirm that you've downloaded and installed both Adobe Reader as well as the Adobe MIP plugin?

Thanks.

Deleted
Not applicable

Hi @Rajneesh_Chavli and @Kartik Kanakasabesan,

We have installed the latest Adobe Reader (2019.010.20064) and the plugin, although the registry entries were not created as per post above, so I had to add the registry entries manually.

Also the labels were set up in Security and Compliance center UI.

Pls see attached screenshot of the message I receive in Adobe Acrobat reader.

PDF message.PNG

Please let me know if I need to upload any further info.

Thanks

Version history
Last update:
‎May 11 2021 02:05 PM
Updated by: