As of October 12th, 2018, our Information Protection customers can use Adobe Acrobat Reader on Windows to open-labeled and protected PDFs. This reflects a fundamental change in the ability to enforce labels and encryption on PDFs – up until this announcement, PDFs protected by Azure Information Protection were renamed with the .pPDF file extension and could only be opened using the Azure Information Protection viewer. For more information about the new PDF protection standard, see section 7.6 Encryption from the document that is derived from ISO 32000-1 and published by Adobe Systems Incorporated.


In this blog we will cover the complete end-to-end configuration and deployment that allows your company to be able to label & protect PDFs in the new format, in addition to be able to consume them easily. We will also discuss how to enforce automatic classification on PDFs using the Azure Information Protection scanner. Lastly, we will provide a short script that will migrate an already labeled file in the pPDF format and will “re-label” it as the new PDF format.



  • Azure Information Protection client installed – version 1.37 and newer (versions 1.xx only).
  • Adobe Acrobat Reader and Azure Information Protection plugin installed, which can be downloaded from here
  • Windows 10 and previous versions through Windows 7 Service Pack 1

Service Configuration

With the current Azure Information Protection client version 1.41 and newer, by default AIP is configured to protect PDF's with the new format. In case you use version 1.37 then by default, PDFs are protected in the Pfile format and the extension is renamed to pPDF. As the new PDF format feature is in private preview, the Information Protection admin needs to opt-in his company to be able to protect in the new format.

1. If you haven't already done so, in a new browser window, sign in to the Azure portal, and then navigate to the Azure Information Protection blade.


2. From the Classifications > Labels menu option: Select Policies.


3. On the Azure Information Protection - Policies blade, select the context menu (...) next to the policy, then select Advanced settings. You can configure advanced settings for the Global policy, as well as for scoped policies.


4. On the Advanced settings blade, type the following advanced setting name and value, and then select Save and close.


Key: EnablePDFv2Protection

Value: True



Client configuration

Adobe Acrobat Reader and the Azure Information Protection plugin that goes with it can be downloaded from here

The installation procedure is straight-forward; no special configuration is required


Initial labeling & protection of a PDF file

1. Select a PDF file that you would like to label with protection

2. Right-click the file and select “Classify and protect”


3. Select a label that applies for protection on the PDF file


4. Click “Apply” and notice that once the process completes, the PDF file extension remain the same and doesn’t change.


Initial open and view of protected PDF file

1. Double click on the protected PDF file to open it in Adobe Acrobat Reader

2. Initially, when you open the protected PDF file you will be prompted for your Microsoft account credentials. After successful authentication you will be prompt if you to stay “sign in” to avoid re-authentication process when the next file is opened:


3. Once the protected file is consumed you will be able to see the small “lock” icon on the left pane, this indicate the file is protected.


4. Clicking on this Icon will show the protection information on the current consumed PDF.


5. Clicking on “Permission Detail” will open the “Document Properties” window that will show more information on the protection rights.


Viewing the label ribbon when PDF is labeled or labeled and protected

To view the label ribbon in Acrobat reader interface please update or create the following registry entry on your computer


Computer\HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\MicrosoftAIP

Create a DWORD value name called : bShowDMB with a Hexadecimal value of 1 

 Sample document.pdf (SECURED) - Adobe Acrobat Reader DC.pngFigure 3: Label Banner in the Adobe Reader after the Registry update


 That will allow the ability to view the label ribbon within the Acrobat interface



Apply automatic labels and protection on PDF files

Now, once your policy and your scanner is configured to properly protect PDFs using the new native Adobe format, all that you need to do is to apply your policy labels to your files. You can do that either manually or automatically. Yes, PDFs (which contain text that is not an image) can be inspected and labeled automatically based on the conditions that are configured in your policy.


You can perform the inspection manually by using the Set-AIPFileClassification cmdlet or by running the Azure Information Protection scanner with -enforce on parameter. The PDF extension will remain the same and will be available in the new format.



Additional Information


Leave a comment with any thoughts or feedback!




Senior Member

thanks for this post I have a question 

some users when I try to open protected PDF with the new plugin it isn't asking them for any credential so the document will not be opened 

I m using Azure information protection 

please advice 


 @Karim Zaki - Please raise a support ticket from Azure Portal to get this one investigated

Occasional Contributor

I've set EnablePDFv2Protection to True in the Global Policy, and I have confirmed the setting is being used according to the following log file:



When I use the GUI to "Classify and Protect" a PDF file the .pdf extension is retained - good!

However, when I use the Protect-RMSFile command to protect a file the v2 protection is not used and the extension is changed to .ppdf (bad):

PS C:\Temp> Protect-RMSFile -File "C:\Temp\test.pdf" -TemplateID "[GUID of Template]" -InPlace

InputFile EncryptedFile 
--------- ------------- 
C:\Temp\test.pdf C:\Temp\test.ppdf


Have I missed something?



@Stephen Crowther - This functionality is available today using AIP cmdlets like - "Set-AIPFileLabel"

Occasional Contributor

@Nir Hendler- So the section in the script included in the article above, commented with "#reprotect if file is not labeled" does not remove .ppdf protection to replace it with .pdf ISO standard? Rather, it just uses the same protection? That script section is using Protect-RMSFile not Set-AIPFileLabel.


@Stephen Crowther - thank you for the comment. After re-verifying the script it is required for the file to be labeled and doing this using the "Set-AIPFileLabel" cmdlet. therefor, I had decided to remove this section as there is only one way to perform this which is to remove the label and re-apply it.

Occasional Contributor

@Nir Hendler- thank you for the confirmation, I'm now re-working my scripting to use labels instead of protection templates.

Occasional Contributor

@Nir Hendler- thank you for your responses, unfortunately I'm not able to get custom labels which use protection to work reliably, and I will have to keep using protection templates and the Protect-RMSFile cmdlet without support for Adobe Acrobat Reader. The error "Protection template not found" occurs consistently when protection is used with labels, either via PowerShell or using the AIP client directly. Applying custom labels without protection works flawlessly. I hope I can use this option in the future, our users would much prefer to use Adobe Acrobat Reader to view our encrypted files.



Senior Member



I'm having same issue as Stephen.  I'm using client, EnablePDFv2Protection is set to True in the global policy.  When I right click > classify and protect > click the label this keeps the file as .pdf and works in Adobe Reader.  If I try to protect using PowerShell cmdlet Protect-RMSFile or Set-AIPFileLabel they both result in the file being converted to a .ppdf file which can't be opened by Adobe.


Unfortunately we need it work in Adobe Reader because we are trying to create a file share that users can drop files into that will automatically protect the document.


Any ideas what could be causing this issue?






@Tim_Lehman - Set-AIPFileLabel by default work with the new PDFv2. no need to enable "EnablePDFv2Protection =true" for this one. Please verify you don't have any scoped policy for the user that has "EnablePDFv2Protection=false" configured. if not then this is an unexpected behavior and I recommend you to raise a support ticket to get this investigated.

Senior Member

@Nir Hendler 


Edit: So works fine in regular PowerShell.  When ran in ISE it converts it to a .ppdf.  I think it will be fine when the script actual runs it will call  PowerShell.  Any idea what would cause this behavior though?


We only have the global policy at the moment.  It appears to be working today?   I removed the EnablePDFv2Protection = True setting, tried the command again and is working as intended now.  Not sure what happened, EnablePDFv2Protection wasn't there to begin with and didn't work so I don't know if adding then removing caused some sort of sync?  Anyway working now appreciate the help.