Admin Guide: File types supported by the Azure Information Protection classic client

Applies to: Active Directory Rights Management Services, Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Relevant for: Azure Information Protection classic client for Windows. For the unified labeling client, see the unified labeling client admin guide.

Note

To provide a unified and streamlined customer experience, we are sunsetting the Azure Information Protection classic client and Label Management in the Azure Portal as of March 31, 2021. No further support is provided for the classic client and maintenance versions will no longer be released.

  • The classic client will be fully retired, and will stop functioning, on March 31, 2022.
  • As of March 18, 2022, we are also sunsetting the AIP audit log and analytics, with a full retirement date of September 31, 2022.

For more information, see Removed and retired services.

The Azure Information Protection classic client can apply the following to documents and emails:

  • Classification only

  • Classification and protection

  • Protection only

The Azure Information Protection client can also inspect the content of some file types using well-known sensitive information types or regular expressions that you define.

Use the following information to check which file types the Azure Information Protection client supports, understand the different levels of protection and how to change the default protection level, and to identify which files are automatically excluded (skipped) from classification and protection.

For the listed file types, WebDav locations are not supported.

File types supported for classification only

The following file types can be classified even when they are not protected.

  • Adobe Portable Document Format: .pdf

  • Microsoft Project: .mpp, .mpt

  • Microsoft Publisher: .pub

  • Microsoft XPS: .xps .oxps

  • Images: .jpg, .jpe, .jpeg, .jif, .jfif, .jfi. png, .tif, .tiff

  • Autodesk Design Review 2013: .dwfx

  • Adobe Photoshop: .psd

  • Digital Negative: .dng

  • Microsoft Office: File types in the following table.

    The supported file formats for these file types are the 97-2003 file formats and Office Open XML formats for the following Office programs: Word, Excel, and PowerPoint.

    Office file type Office file type
    .doc

    .docm

    .docx

    .dot

    .dotm

    .dotx

    .potm

    .potx

    .pps

    .ppsm

    .ppsx

    .ppt

    .pptm

    .pptx

    .vdw

    .vsd
    .vsdm

    .vsdx

    .vss

    .vssm

    .vst

    .vstm

    .vssx

    .vstx

    .xls

    .xlsb

    .xlt

    .xlsm

    .xlsx

    .xltm

    .xltx

Additional file types support classification when they are also protected. For these file types, see the Supported file types for classification and protection section.

For example, in the current default policy, the General label applies classification and does not apply protection. You could apply the General label to a file named sales.pdf but you could not apply this label to a file named sales.txt.

Also in the current default policy, the Confidential \ All Employees applies classification and protection. You could apply this label to a file named sales.pdf and a file named sales.txt. You could also apply just protection to these files, without classification.

File types supported for protection

The Azure Information Protection client supports protection at two different levels, as described in the following table.

Type of protection Native Generic
Description For text, image, Microsoft Office (Word, Excel, PowerPoint) files, .pdf files, and other application file types that support a Rights Management service, native protection provides a strong level of protection that includes both encryption and enforcement of rights (permissions). For other supported file types, generic protection provides a level of protection that includes both file encapsulation using the .pfile file type and authentication to verify if a user is authorized to open the file.
Protection Files protection is enforced in the following ways:

- Before protected content is rendered, successful authentication must occur for those who receive the file through email or are given access to it through file or share permissions.

- Additionally, usage rights and policy that were set by the content owner when the files were protected are enforced when the content is rendered in either the Azure Information Protection viewer (for protected text and image files) or the associated application (for all other supported file types).
File protection is enforced in the following ways:

- Before protected content is rendered, successful authentication must occur for people who are authorized to open the file and given access to it. If authorization fails, the file does not open.

- Usage rights and policy set by the content owner are displayed to inform authorized users of the intended usage policy.

- Audit logging of authorized users opening and accessing files occurs. However, usage rights are not enforced.
Default for file types This is the default level of protection for the following file types:

- Text and image files

- Microsoft Office (Word, Excel, PowerPoint) files

- Portable document format (.pdf)

For more information, see the following section, Supported file types for classification and protection.
This is the default protection for all other file types (such as .vsdx, .rtf, and so on) that are not supported by native protection.

You can change the default protection level that the Azure Information Protection client applies. You can change the default level of native to generic, from generic to native, and even prevent the Azure Information Protection client from applying protection. For more information, see the Changing the default protection level of files section in this article.

The data protection can be applied automatically when a user selects a label that an administrator has configured, or users can specify their own custom protection settings by using permission levels.

File sizes supported for protection

There are maximum file sizes that the Azure Information Protection client supports for protection.

  • For Office files:

    Office application Maximum file size supported
    Word 2007 (supported by AD RMS only)

    Word 2010

    Word 2013

    Word 2016
    32-bit: 512 MB

    64-bit: 512 MB
    Excel 2007 (supported by AD RMS only)

    Excel 2010

    Excel 2013

    Excel 2016
    32-bit: 2 GB

    64-bit: Limited only by available disk space and memory
    PowerPoint 2007 (supported by AD RMS only)

    PowerPoint 2010

    PowerPoint 2013

    PowerPoint 2016
    32-bit: Limited only by available disk space and memory

    64-bit: Limited only by available disk space and memory
  • For all other files:

    • To protect other file types, and to open these file types in the Azure Information Protection viewer: The maximum file size is limited only by available disk space and memory.

    • To unprotect files by using the Unprotect-RMSFile cmdlet: The maximum file size supported for .pst files is 5 GB. Other file types are limited only by available disk space and memory

      Tip

      If you need to search or recover protected items in large .pst files, see Removing protection on PST files.

Supported file types for classification and protection

The following table lists a subset of file types that support native protection by the Azure Information Protection client, and that can also be classified.

These file types are identified separately because when they are natively protected, the original file name extension is changed, and these files become read-only. Note that when files are generically protected, the original file name extension is always changed to .pfile.

Warning

If you have firewalls, web proxies, or security software that inspect and take action according to file name extensions, you might need to reconfigure these network devices and software to support these new file name extensions.

Original file name extension Protected file name extension
.txt .ptxt
.xml .pxml
.jpg .pjpg
.jpeg .pjpeg
.pdf .ppdf [1]
.png .ppng
.tif .ptif
.tiff .ptiff
.bmp .pbmp
.gif .pgif
.jpe .pjpe
.jfif .pjfif
.jt .pjt
Footnote 1

With the latest version of the Azure Information Protection client, by default, the file name extension of the protected PDF document remains as .pdf.

The next table lists the remaining file types that support native protection by the Azure Information Protection client, and that can also be classified. You will recognize these as file types for Microsoft Office apps. The supported file formats for these file types are the 97-2003 file formats and Office Open XML formats for the following Office programs: Word, Excel, and PowerPoint.

For these files, the file name extension remains the same after the file is protected by a Rights Management service.

File types supported by Office File types supported by Office
.doc

.docm

.docx

.dot

.dotm

.dotx

.potm

.potx

.pps

.ppsm

.ppsx

.ppt

.pptm

.pptx

.vsdm
.vsdx

.vssm

.vssx

.vstm

.vstx

.xla

.xlam

.xls

.xlsb

.xlt

.xlsm

.xlsx

.xltm

.xltx

.xps

Changing the default protection level of files

You can change how the Azure Information Protection client protects files by editing the registry. For example, you can force files that support native protection to be generically protected by the Azure Information Protection client.

Reasons for why you might want to do this:

  • To ensure that all users can open the file if they don't have an application that supports native protection.

  • To accommodate security systems that take action on files by their file name extension and can be reconfigured to accommodate the .pfile file name extension but cannot be reconfigured to accommodate multiple file name extensions for native protection.

Similarly, you can force the Azure Information Protection client to apply native protection to files that by default, would have generic protection applied. This action might be appropriate if you have an application that supports the RMS APIs. For example, a line-of-business application written by your internal developers or an application purchased from an independent software vendor (ISV).

You can also force the Azure Information Protection client to block the protection of files (not apply native protection or generic protection). For example, this action might be required if you have an automated application or service that must be able to open a specific file to process its contents. When you block protection for a file type, users cannot use the Azure Information Protection client to protect a file that has that file type. When they try, they see a message that the administrator has prevented protection and they must cancel their action to protect the file.

To configure the Azure Information Protection client to apply generic protection to all files that by default, would have native protection applied, make the following registry edits. Note if the FileProtection key does not exist, you must manually create it.

  1. Create a new key named * for the following registry path, which denotes files with any file name extension:

    • For 32-bit version of Windows: HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection

    • For 64-bit version of Windows: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIPC\FileProtection and HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection

  2. In the newly added key (for example, HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection\*), create a new string value (REG_SZ) named Encryption that has the data value of Pfile.

    This setting results in the Azure Information Protection client applying generic protection.

These two settings result in the Azure Information Protection client applying generic protection to all files that have a file name extension. If this is your goal, no further configuration is required. However, you can define exceptions for specific file types, so that they are still natively protected. To do this, you must make three (for 32-bit Windows) or 6 (for 64-bit Windows) additional registry edits for each file type:

  1. For HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection and HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIPC\FileProtection (if applicable): Add a new key that has the name of the file name extension (without the preceding period).

    For example, for files that have a .docx file name extension, create a key named DOCX.

  2. In the newly added file type key (for example, HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection\DOCX), create a new DWORD Value named AllowPFILEEncryption that has a value of 0.

  3. In the newly added file type key (for example, HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection\DOCX), create a new String Value named Encryption that has a value of Native.

As a result of these settings, all files are generically protected except files that have a .docx file name extension. These files are natively protected by the Azure Information Protection client.

Repeat these three steps for other file types that you want to define as exceptions because they support native protection and you do not want them to be generically protected by the Azure Information Protection client.

You can make similar registry edits for other scenarios by changing the value of the Encryption string that supports the following values:

  • Pfile: Generic protection

  • Native: Native protection

  • Off: Block protection

After making these registry changes, there's no need to restart the computer. However, if you're using PowerShell commands to protect files, you must start a new PowerShell session for the changes to take effect.

In this documentation for developers, generic protection is referred to as "PFile".

File types that are excluded from classification and protection

To help prevent users from changing files that are critical for computer operations, some file types and folders are automatically excluded from classification and protection. If users try to classify or protect these files by using the Azure Information Protection client, they see a message that they are excluded.

  • Excluded file types: .lnk, .exe, .com, .cmd, .bat, .dll, .ini, .pst, .sca, .drm, .sys, .cpl, .inf, .drv, .dat, .tmp, .msg,.msp, .msi, .pdb, .jar

  • Excluded folders:

    • Windows
    • Program Files (\Program Files and \Program Files (x86))
    • \ProgramData
    • \AppData (for all users)

File types that are excluded from classification and protection by the Azure Information Protection scanner

By default, the scanner also excludes the same file types as the Azure Information Protection client with the following exceptions:

  • .rtf, and .rar, are also excluded

You can change the file types included or excluded for file inspection by the scanner:

Note

If you include .rtf files for scanning, carefully monitor the scanner. Some .rtf files cannot be successfully inspected by the scanner and for these files, the inspection doesn't complete and the service must be restarted.

By default, the scanner protects only Office file types, and PDF files when they are protected by using the ISO standard for PDF encryption. To change this behavior for the scanner, edit the registry and specify the additional file types that you want to be protected. For instructions, see Use the registry to change which file types are protected from the scanner deployment instructions.

Files that cannot be protected by default

Any file that is password-protected cannot be natively protected by the Azure Information Protection client unless the file is currently open in the application that applies the protection. You most often see PDF files that are password-protected but other applications, such as Office apps, also offer this functionality.

If you change the default behavior of the Azure Information Protection client so that it protects PDF files with a .ppdf file name extension, the client cannot natively protect or unprotect PDF files in either of the following circumstances:

  • A PDF file that is form-based.

  • A protected PDF file that has a .pdf file name extension.

    The Azure Information Protection client can protect an unprotected PDF file, and it can unprotect and reprotect a protected PDF file when it has a .ppdf file name extension.

Limitations for container files, such as .zip files

For more information, see the collection of Azure Information Protection limitations.

File types supported for inspection

Without any additional configuration, the Azure Information Protection client uses Windows IFilter to inspect the contents of documents. Windows IFilter is used by Windows Search for indexing. As a result, the following file types can be inspected when you use the Azure Information Protection scanner, or the Set-AIPFileClassification PowerShell command.

Application type File type
Word .doc; docx; .docm; .dot; .dotm; .dotx
Excel .xls; .xlt; .xlsx; .xltx; .xltm; .xlsm; .xlsb
PowerPoint .ppt; .pps; .pot; .pptx; .ppsx; .pptm; .ppsm; .potx; .potm
PDF .pdf
Text .txt; .xml; .csv

With additional configuration, other file types can also be inspected. For example, you can register a custom file name extension to use the existing Windows filter handler for text files, and you can install additional filters from software vendors.

To check what filters are installed, see the Finding a Filter Handler for a Given File Extension section from the Windows Search Developer's Guide.

The following sections have configuration instructions to inspect .zip files, and .tiff files.

To inspect .zip files

The Azure Information Protection scanner and the Set-AIPFileClassification PowerShell command can inspect .zip files when you follow these instructions:

  1. For the computer running the scanner or the PowerShell session, install the Office 2010 Filter Pack SP2.

  2. For the scanner: After finding sensitive information, if the .zip file should be classified and protected with a label, add a registry entry for this file name extension to have generic protection (pfile), as described in Use the registry to change which file types are protected from the scanner deployment instructions.

Example scenario after doing these steps:

A file named accounts.zip contains Excel spreadsheets with credit card numbers. Your Azure Information Protection policy has a label named Confidential \ Finance, which is configured to discover credit card numbers, and automatically apply the label with protection that restricts access to the Finance group.

After inspecting the file, the scanner classifies this file as Confidential \ Finance, applies generic protection to the file so that only members of the Finance groups can unzip it, and renames the file accounts.zip.pfile.

To inspect .tiff files by using OCR

The Azure Information Protection scanner and the Set-AIPFileClassiciation PowerShell command can use optical character recognition (OCR) to inspect TIFF images with a .tiff file name extension when you install the Windows TIFF IFilter feature, and then configure Windows TIFF IFilter Settings on the computer running the scanner or the PowerShell session.

For the scanner: After finding sensitive information, if the .tiff file should be classified and protected with a label, add a registry entry for this file name extension to have native protection, as described in Use the registry to change which file types are protected from the scanner deployment instructions.

Next steps

Now that you've identified the file types supported by the Azure Information Protection client, see the following resources for additional information that you might need to support this client: