Error when applying Sensitive Labels with Encryption

Occasional Contributor

Hi community,

I can see the sensitivity labels in my office apps correctly but when I select one label with encryption I get the following error:

MIP Error.png

 

I have configured the required sensitive labels, assigned the proper permissions, and published them as you can see.

 

Checking the MSIPC logs I can see the only templates it gets are the default and not the configured sensitivity labels.

 

[msipc]: ++++++++ INFORMATION: Adding template: ++++++++

Id: "{f148296a-9a9a-4764-a12f-44523fc0cebf}",

Name: "Confidencial \ Todos Los Empleados",

Description: "Datos confidenciales que requieren protección pero conceden todos los permisos a todos los empleados. Los propietarios de los datos pueden hacer un seguimiento del contenido y revocarlo.",

IssuerName: "Corporación S.A.".

 

}}{{[787][msipc]:[Info]:[704]:[2021-12-20 15:59:45.669]: win7ippstore.cpp:Microsoft::InformationProtection::TemplateManager::copyTemplateInfoToList:518

 

[msipc]: ++++++++ INFORMATION: Adding template: ++++++++

Id: "{d262518a-36de-4962-8b27-4966ca9416ed}",

Name: "Extremadamente Confidencial \ Todos Los Empleados",

Description: "Datos extremadamente confidenciales que conceden a los empleados los permisos de visualización, edición y respuesta en relación con el contenido. Los propietarios de los datos pueden hacer un seguimiento del contenido y revocarlo.",

IssuerName: "Corporación S.A.".

 

}}{{[788][msipc]:[Info]:[704]:[2021-12-20 15:59:45.669]: win7ippstore.cpp:Microsoft::InformationProtection::TemplateManager::GetTemplateList:196

 

++++++++ INFORMATION: Getting templates succeeded. ++++++++

 

Any ideas are welcome!

8 Replies
I hope my spanish works, confirm the license.

Verifique la licencia asignada al usuario. Confirme que la licencia de Protección de la informac
Hi Effjaay, you can answer in English...is fine..tks
The user has a M365 E5 license assigned. The same behavior with and without the AIP UL client installed.

"I have been able to recreate the problem from the customer in a Microsoft Demo Tenant."

In the MSIP Logs I can see the RAC and CLC is ok
***************************************************************
++++++++ INFORMATION: RAC details: ++++++++
User: "Email address removed",
User type: "Federation",
Issuer name: "Contoso",
Issuer Id: "{478b1d52-ca90-4b80-a56c-0719879f15b8}",
Intranet Certification Url: "https://dd8d01a3-db71-4562-8143-fd83cb5b54c1.rms.na.aadrm.com/_wmcs/certification",
Extranet Certification Url: "https://dd8d01a3-db71-4562-8143-fd83cb5b54c1.rms.na.aadrm.com/_wmcs/certification",
Valid Until: "01/27/2022 03:56:00.000".

}}{{[348][msipc]:[Info]:[7032]:[2021-12-28 13:59:26.030]: cclclicense.cpp:Microsoft::InformationProtection::CCLCLicense::LogCLC:218

++++++++ INFORMATION: CLC details: ++++++++
User: "Email address removed",
Issuer name: "Contoso",
Issuer Id: "{478b1d52-ca90-4b80-a56c-0719879f15b8}",
Intranet Licensing Url: "https://dd8d01a3-db71-4562-8143-fd83cb5b54c1.rms.na.aadrm.com/_wmcs/licensing",
Extranet Licensing Url: "https://dd8d01a3-db71-4562-8143-fd83cb5b54c1.rms.na.aadrm.com/_wmcs/licensing".

*********************************************************************************************
The templates only show the default (new tenant)
*********************************************************************************************

[msipc]: ++++++++ INFORMATION: Adding template: ++++++++
Id: "{01c77b23-fb7a-4cc4-bfbc-665a8698f1c1}",
Name: "$title",
Description: "$description",
IssuerName: "Contoso".

}}{{[621][msipc]:[Info]:[7032]:[2021-12-28 13:59:26.701]: win7ippstore.cpp:Microsoft::InformationProtection::TemplateManager::copyTemplateInfoToList:518

[msipc]: ++++++++ INFORMATION: Adding template: ++++++++
Id: "{5cf200d3-d62d-4590-bad8-f93ad50d9ecd}",
Name: "Confidential \ All Employees",
Description: "Confidential data that requires protection, which allows all employees full permissions. Data owners can track and revoke content.",
IssuerName: "Contoso".

}}{{[628][msipc]:[Info]:[7032]:[2021-12-28 13:59:26.701]: win7ippstore.cpp:Microsoft::InformationProtection::TemplateManager::copyTemplateInfoToList:518

[msipc]: ++++++++ INFORMATION: Adding template: ++++++++
Id: "{75714ede-b62a-4d55-b2ed-2ba727ec6940}",
Name: "Highly Confidential \ All Employees",
Description: "Highly confidential data that allows all employees view, edit, and reply permissions to this content. Data owners can track and revoke content.",
IssuerName: "Contoso".

}}{{[629][msipc]:[Info]:[7032]:[2021-12-28 13:59:26.701]: win7ippstore.cpp:Microsoft::InformationProtection::TemplateManager::GetTemplateList:196

++++++++ INFORMATION: Getting templates succeeded. ++++++++

}}{{[630][msipc]:[Info]:[7032]:[2021-12-28 13:59:26.701]: ippapi.cpp:IpcGetTemplateListInternal:2577

-------- Done getting templates -------

@Arnold Martinez V Hi, I just recently got the above message and it's simply the propagation time. At least it was for me. I bet it works now as your post has been here for a while?

Hi @ChristianJBergstrom, tks for your response.

 

Indeed in my Demo Tenant, I am able to apply Sensitive Labels with encryption, as you said it seems it was a matter of "a lot of time for propagation", but on the production tenant we are still getting the same error and the tenant was configured with templates about 15 days ago. 

 

From the PC:
1- The Internet has no restrictions.

2- We have tried with the three client versions: https://www.microsoft.com/en-us/download/details.aspx?id=53018

3- We have tried with users with and without local admin permissions.

4- We have cleaned up the Client folders to reset client config

4- We have tried with different PCs and Users

 

From the Tenant (MIP Config):
1- Sensitivity Labels are configured with the correct permissions (Including users for testing)

2- Label Policies correctly configured for end-user visibility

3- More than 10 days for label propagation.

 

Any other idea is really appreciated!

 

@Arnold Martinez V Hello again, I would probably just compare the demo tenant settings with the production tenant settings to narrow it down as what's causing the issue. I suppose you've already done that. Have you also verified the distributionstatus, priority (and all other settings) using PowerShell?

 

Get-Label (ExchangePowerShell) | Microsoft Docs

Get-LabelPolicy (ExchangePowerShell) | Microsoft Docs

 

Other than that I would look at this too if you want to use built-in labeling?

Office built-in labeling client and the Azure Information Protection client

 

Difficult to help here really, you're probably better off creating a ticket with the official support having them look at some more details and logs.

Hello @Arnold Martinez V

I had the same problem. For me it was the Protection Template which holds the status 'Archived' and never gets 'Published', when Encryption was applied to a new created Label. So with status 'Archived' the Information Protection Template is never stored on the client.

A possible workaround for me was, setting the AIPServiceTemplate manually to published, using the following script.
------------------------------------------------------
Set-ExecutionPolicy Bypass
Install-Module AIPService
Import-Module AIPService
Connect-AIPService

Get-AipServiceTemplate | FL
Get-AipServiceTemplateProperty -TemplateId <xxxxxxxx> -Status <--- this reports the custom label is at "Archived" state by default, why??

To fix it:-
Set-AipServiceTemplateProperty -TemplateId <xxxxxx> -Status Published
------------------------------------------------------

Don't forget to reset settings in the ULC, so templates can be fetched again.

Hi @ChristianJBergstrom ,

 

So after 11 days since sensitivity labels were created...end-users communicate they are now able to apply all the labels including the ones that apply encryption. It is kind of concerning the time it takes to propagate the labels within the tenant. 

 

I also had to open a support case with Microsoft, I have not received a response yet but in the meantime and after a lot of waiting (11 days) finally, labels are available. Other configurations like Coauthoring and enabling labels for Teams, Sharepoint, and M365 Groups also take a lot of time.

 

Hopefully, Microsoft improves the time it takes to speed up all of these configurations.

 

Have a good one all of you. I will post again if another roadblock is found.