microsoft / ComplianceUtility

The 'Compliance Utility' is a powerful tool that helps troubleshoot and diagnose sensitivity labels, policies, settings and more. Whether you need to fix issues or reset configurations, this tool has you covered.
MIT License

Just running the 'ComplianceUtility' tool without selecting any 'option' resolves an issue with built in sensitivity labels on Outlook Desktop #3

Closed vbakshi123 closed 2 months ago

vbakshi123 commented 2 months ago

Hello Team

This is a weird one, and my query is about an issue that the 'ComplianceUtility' tool actually resolves. But running the utility tool on everybody's machine while rolling out built-in sensitivity labels is not the most elegant way, as one can imagine.

Built-in sensitivity label works in Outlook web app but not Outlook desktop app

We are currently using M365 Business Premium licence. We created an 'Internal' sensitivity label on compliance.microsoft.com, with "assign permissions now" configuration granting co-author access to all users and groups within the organisation. The label is working in the user's Outlook web app. However, when drafting a new email in Outlook desktop app, the option to select the label is there, but when we click on the label itself it reverts back to "no label".

All the users to which the label policy is scoped can see the label but can't apply it. Some very important insights:

  1. If I create a label with "Let users assign permission" configuration and then select the "Encrypt-Only" or "Do-Not-Forward" options, then users can see that label and apply it in the Outlook desktop app and web.

  2. If I create labels with "Assign Permission now" configuration, scope it to both file and email, grant co-author access to 'Authenticated Users', or 'all users and groups within the organisation', then users can select the label in Word/Excel etc, but not Outlook Desktop app. They can assign the same label in Outlook Web though.

We are on the latest - Microsoft® Outlook® for Microsoft 365 MSO (Version 2403 Build 16.0.17425.20176) 64-bit and on Windows 10 and Windows 11 machines. The issue has been there for a month now. We use built-in labels by Office apps and never used AIP unified labelling client or the classic client.

After downloading the "ComplianceUtility" tool, installing and running it, we get presented with the options to reset, record problem, collect etc. I don't select anything from the list and just exit the program. Now strangely, I can select the 'Internal' sensitivity label in Outlook Desktop app.

May I please get some sort of hint as to what this tool does when executed first, without the user selecting any option?

schiroky commented 2 months ago

Hello,

Thank you for using the 'Compliance Utility'. It's always nice to hear that 'Compliance Utility' has helped to solve a problem. However, I can say with certainty that in the case described it is impossible for it to have contributed to the solution.

The tool does not make any changes at startup and does not touch any settings that would affect sensitivity labeling or policy configuration - not at all.

When the tool starts, it only calls the fncInitialize function and then continues with the fncRemoveUnifiedLabelingSupportTool and fncValidateForActivatedLogging functions. None of the underlying code has any point of contact with labels or policies.

So there must have been another scenario that solved the problem you described.

My guess would be that Outlook (desktop) was simply not fully bootstrapped for the label and policy configuration. If you see the label in the Outlook desktop UI but cannot apply it, I strongly assume it is a label that uses encryption. I'm assuming that applying a label that only uses classification (without encryption) would work as expected. Keep in mind that after you create a label policy that assigns new sensitivity labels to users and groups, users start to see those labels in their Office apps. Allow up to 24 hours for the latest changes to be replicated throughout your organization: https://learn.microsoft.com/en-us/purview/sensitivity-labels?view=o365-worldwide#what-label-policies-can-do

It sounds to me as if the bootstrap process was completed in the background at the same time as the 'Compliance Utility' was started.

vbakshi123 commented 2 months ago

Hello,

Thank you for the response. If you create a label now in compliance.microsoft.com and select the option 'Control access' which automatically encrypts as per MS documentation. The permission assigned is all internal users and groups within the organisation using "Assign Permission now" configuration. If I select "Let users assign permission" configuration and then select the "Encrypt-Only" or "Do-Not-Forward" options, it works on Outlook Desktop.

Would it change your mind if I said that every time I push a new label with the "Assign Permission now" configuration and permission "all internal users and groups within the organisation", and then run the ComplianceUtility, it works? Sometimes, while I am trying to "Record" the problem using ComplianceUtility, the problem gets resolved while I am recording, i.e. I can select the new labels and they stay resolved even after I close the Compliance Utility. Doesn't it raise any suspicion as to what it might be doing to resolve this issue for me every single time for every new label for every user?

schiroky commented 2 months ago

If you say that using the RECORD PROBLEM function sometimes solves the problem, this cannot be influenced by the tool. Otherwise, it would deliver the same result or solution every time, just not sometimes. This is not the case here. Furthermore, the problem cannot be reproduced from scratch with the steps you have given. This is just further proof that the tool has no influence here. And more importantly, RECORD PROBLEM does not modify or change any label or policy configuration in your scenario either - fact. You can view the source code of the tool to verify this. The only function that touches the label and policy configuration is the RESET function.

vbakshi123 commented 2 months ago

Thank you for the quick response. I am sorry, I used "sometimes" wrong. Initially when I experienced the problem and ran the tool using RECORD, it resolved the issue every time. Then I discovered that the issue gets resolved every time even when I do not RECORD, but just launch the tool. So it resolves the issue every time for every user for every new label configured with "Assign Permissions now", every time I just launch the tool.

I will go through the source code and try to make some sense out of it. But just to let you know, I know a 100% that this tool is doing something while it launches every time, could be a reg key, could be a folder delete, could be a cache, I don't know. Please also do note that after pushing the label policy, the issue persists for weeks, so way more than 48 hours. The moment I launch the tool, the issue gets resolved.

abh-enph commented 1 month ago

Hi All, Did you find any solution? We have the exact problem. Point no. 2 mentioned by @vbakshi123 is exactly what we are experiencing.

> If I create labels with "Assign Permission now" configuration, scope it to both file and email, grant co-author access to 'Authenticated Users', or 'all users and groups within the organisation', then users can select the label in Word/Excel etc, but not Outlook Desktop app. They can assign the same label in Outlook Web though.

vbakshi123 commented 1 month ago

We were able to fix it by deleting the mip folder in Outlook so it pulls the new template down. That being said, it still affects new users and it is not feasible to continually delete this folder for each user. The mip folder is: %LOCALAPPDATA%\Microsoft\Outlook\MIPSDK\mip

This is occurring for Exchange Online and seems to only affect the newer versions of Office (i.e. Semi Annual does not have this issue).
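
The workaround from the comment above, scripted for one user profile. This is an added example, not part of the original thread and not code from the ComplianceUtility project. The folder path is the one quoted in the comment; the function name, the rename-instead-of-delete choice and the "skip while Outlook is running" check are assumptions made for this sketch.

```powershell
# Added example: reset the Outlook MIP SDK cache folder named in the thread.
# Runs in the affected user's context because %LOCALAPPDATA% is per user.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Path as quoted in the comment above.
    [string]$MipPath = (Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook\MIPSDK\mip')
)

function Reset-OutlookMipCache {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    # Nothing to do for profiles that never started Outlook with labels.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return [pscustomobject]@{ Path = $Path; Action = 'Skipped'; Detail = 'Folder not present' }
    }

    # Assumption: the folder may be in use while Outlook runs, so skip
    # instead of forcing the change and leaving a half-removed cache.
    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        return [pscustomobject]@{ Path = $Path; Action = 'Skipped'; Detail = 'Outlook is running' }
    }

    # Rename rather than delete so the change is reversible and the old
    # folder stays available for later troubleshooting.
    $backupName = 'mip.bak-{0:yyyyMMdd-HHmmss}' -f (Get-Date)
    if ($PSCmdlet.ShouldProcess($Path, "Rename to $backupName")) {
        Rename-Item -LiteralPath $Path -NewName $backupName -ErrorAction Stop
        return [pscustomobject]@{ Path = $Path; Action = 'Renamed'; Detail = $backupName }
    }
    return [pscustomobject]@{ Path = $Path; Action = 'NotChanged'; Detail = 'WhatIf or declined' }
}

# Emit one result object so a logon script or management tool can log it.
Reset-OutlookMipCache -Path $MipPath
```

Run it with `-WhatIf` first to see what would be renamed. The renamed backup folders remain on disk and should be cleaned up once the label behaviour is confirmed.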

abh-enph commented 1 month ago

OK, thanks. I just tried and it worked for me too. I am on current channel. I agree, it is not feasible to do on each machine. @schiroky, would you have any inputs on the same?

opeenitan commented 1 week ago

Hi @vbakshi123, have you been able to find a workaround for this without having to delete the folder for each user? I am encountering the same issue. Additionally, can I contact you for an issue with labels that enforce restrictions (do not forward)?