Admin Guide: File types supported by the Azure Information Protection client

Applies to: Active Directory Rights Management Services, Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Instructions for: Azure Information Protection client for Windows

Note

To provide a unified and streamlined customer experience, Azure Information Protection client (classic) and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

The Azure Information Protection client can apply the following to documents and emails:

  • Classification only

  • Classification and protection

  • Protection only

The Azure Information Protection client can also inspect the content of some file types using well-known sensitive information types or regular expressions that you define.

Use the following information to check which file types the Azure Information Protection client supports, understand the different levels of protection and how to change the default protection level, and to identify which files are automatically excluded (skipped) from classification and protection.

For the listed file types, WebDav locations are not supported.

File types supported for classification only

The following file types can be classified even when they are not protected.

  • Adobe Portable Document Format: .pdf

  • Microsoft Project: .mpp, .mpt

  • Microsoft Publisher: .pub

  • Microsoft XPS: .xps, .oxps

  • Images: .jpg, .jpe, .jpeg, .jif, .jfif, .jfi, .png, .tif, .tiff

  • Autodesk Design Review 2013: .dwfx

  • Adobe Photoshop: .psd

  • Digital Negative: .dng

  • Microsoft Office: File types in the following table.

    The supported file formats for these file types are the 97-2003 file formats and Office Open XML formats for the following Office programs: Word, Excel, and PowerPoint.

    Office file types:

    .doc, .docm, .docx, .dot, .dotm, .dotx, .potm, .potx, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .vdw, .vsd

    .vsdm, .vsdx, .vss, .vssm, .vst, .vstm, .vssx, .vstx, .xls, .xlsb, .xlt, .xlsm, .xlsx, .xltm, .xltx

Additional file types support classification when they are also protected. For these file types, see the Supported file types for classification and protection section.

For example, in the current default policy, the General label applies classification and does not apply protection. You could apply the General label to a file named sales.pdf but you could not apply this label to a file named sales.txt.

Also in the current default policy, the Confidential \ All Employees label applies classification and protection. You could apply this label to a file named sales.pdf and a file named sales.txt. You could also apply just protection to these files, without classification.

File types supported for protection

The Azure Information Protection client supports protection at two different levels, as described in the following table.

Type of protection: Native

  Description: For text, image, Microsoft Office (Word, Excel, PowerPoint) files, .pdf files, and other application file types that support a Rights Management service, native protection provides a strong level of protection that includes both encryption and enforcement of rights (permissions).

  Protection: File protection is enforced in the following ways:

  - Before protected content is rendered, successful authentication must occur for those who receive the file through email or are given access to it through file or share permissions.

  - Additionally, usage rights and policy that were set by the content owner when the files were protected are enforced when the content is rendered in either the Azure Information Protection viewer (for protected text and image files) or the associated application (for all other supported file types).

  Default for file types: This is the default level of protection for the following file types:

  - Text and image files

  - Microsoft Office (Word, Excel, PowerPoint) files

  - Portable document format (.pdf)

  For more information, see the following section, Supported file types for classification and protection.

Type of protection: Generic

  Description: For all other applications and file types, generic protection provides a level of protection that includes both file encapsulation using the .pfile file type and authentication to verify if a user is authorized to open the file.

  Protection: File protection is enforced in the following ways:

  - Before protected content is rendered, successful authentication must occur for people who are authorized to open the file and given access to it. If authorization fails, the file does not open.

  - Usage rights and policy set by the content owner are displayed to inform authorized users of the intended usage policy.

  - Audit logging of authorized users opening and accessing files occurs. However, usage rights are not enforced.

  Default for file types: This is the default protection for all other file types (such as .vsdx, .rtf, and so on) that are not supported by native protection.

You can change the default protection level that the Azure Information Protection client applies. You can change the default level from native to generic, from generic to native, and even prevent the Azure Information Protection client from applying protection. For more information, see the Changing the default protection level of files section in this article.

The data protection can be applied automatically when a user selects a label that an administrator has configured, or users can specify their own custom protection settings by using permission levels.

File sizes supported for protection

There are maximum file sizes that the Azure Information Protection client supports for protection.

  • For Office files:

    | Office application | Maximum file size supported |
    |---|---|
    | Word 2007 (supported by AD RMS only), Word 2010, Word 2013, Word 2016 | 32-bit: 512 MB; 64-bit: 512 MB |
    | Excel 2007 (supported by AD RMS only), Excel 2010, Excel 2013, Excel 2016 | 32-bit: 2 GB; 64-bit: Limited only by available disk space and memory |
    | PowerPoint 2007 (supported by AD RMS only), PowerPoint 2010, PowerPoint 2013, PowerPoint 2016 | 32-bit: Limited only by available disk space and memory; 64-bit: Limited only by available disk space and memory |

  • For all other files:

    • To protect other file types, and to open these file types in the Azure Information Protection viewer: The maximum file size is limited only by available disk space and memory.

    • To unprotect files by using the Unprotect-RMSFile cmdlet: The maximum file size supported for .pst files is 5 GB. Other file types are limited only by available disk space and memory.

      Tip: If you need to search or recover protected items in large .pst files, see Guidance for using Unprotect-RMSFile for eDiscovery.

Supported file types for classification and protection

The following table lists a subset of file types that support native protection by the Azure Information Protection client, and that can also be classified.

These file types are identified separately because when they are natively protected, the original file name extension is changed, and these files become read-only. Note that when files are generically protected, the original file name extension is always changed to .pfile.

Warning

If you have firewalls, web proxies, or security software that inspect and take action according to file name extensions, you might need to reconfigure these network devices and software to support these new file name extensions.

| Original file name extension | Protected file name extension |
|---|---|
| .txt | .ptxt |
| .xml | .pxml |
| .jpg | .pjpg |
| .jpeg | .pjpeg |
| .pdf | .ppdf [1] |
| .png | .ppng |
| .tif | .ptif |
| .tiff | .ptiff |
| .bmp | .pbmp |
| .gif | .pgif |
| .jpe | .pjpe |
| .jfif | .pjfif |
| .jt | .pjt |

Footnote 1

With the latest version of the Azure Information Protection client, by default, the file name extension of the protected PDF document remains as .pdf.

The next table lists the remaining file types that support native protection by the Azure Information Protection client, and that can also be classified. You will recognize these as file types for Microsoft Office apps. The supported file formats for these file types are the 97-2003 file formats and Office Open XML formats for the following Office programs: Word, Excel, and PowerPoint.

For these files, the file name extension remains the same after the file is protected by a Rights Management service.

File types supported by Office:

.doc, .docm, .docx, .dot, .dotm, .dotx, .potm, .potx, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .vsdm

.vsdx, .vssm, .vssx, .vstm, .vstx, .xla, .xlam, .xls, .xlsb, .xlt, .xlsm, .xlsx, .xltm, .xltx, .xps

Changing the default protection level of files

You can change how the Azure Information Protection client protects files by editing the registry. For example, you can force files that support native protection to be generically protected by the Azure Information Protection client.

Reasons why you might want to do this:

  • To ensure that all users can open the file if they don't have an application that supports native protection.

  • To accommodate security systems that take action on files by their file name extension and can be reconfigured to accommodate the .pfile file name extension but cannot be reconfigured to accommodate multiple file name extensions for native protection.

Similarly, you can force the Azure Information Protection client to apply native protection to files that, by default, would have generic protection applied. This action might be appropriate if you have an application that supports the RMS APIs. For example, a line-of-business application written by your internal developers or an application purchased from an independent software vendor (ISV).

You can also force the Azure Information Protection client to block the protection of files (not apply native protection or generic protection). For example, this action might be required if you have an automated application or service that must be able to open a specific file to process its contents. When you block protection for a file type, users cannot use the Azure Information Protection client to protect a file that has that file type. When they try, they see a message that the administrator has prevented protection and they must cancel their action to protect the file.

To configure the Azure Information Protection client to apply generic protection to all files that, by default, would have native protection applied, make the following registry edits. Note that if the FileProtection key does not exist, you must manually create it.

  1. Create a new key named * for the following registry path, which denotes files with any file name extension:

    • For 32-bit version of Windows: HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection

    • For 64-bit version of Windows: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIPC\FileProtection and HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection

  2. In the newly added key (for example, HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection\*), create a new string value (REG_SZ) named Encryption that has the data value of Pfile.

    This setting results in the Azure Information Protection client applying generic protection.

These two settings result in the Azure Information Protection client applying generic protection to all files that have a file name extension. If this is your goal, no further configuration is required. However, you can define exceptions for specific file types, so that they are still natively protected. To do this, you must make three (for 32-bit Windows) or six (for 64-bit Windows) additional registry edits for each file type:

  1. For HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection and HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIPC\FileProtection (if applicable): Add a new key that has the name of the file name extension (without the preceding period).

    For example, for files that have a .docx file name extension, create a key named DOCX.

  2. In the newly added file type key (for example, HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection\DOCX), create a new DWORD Value named AllowPFILEEncryption that has a value of 0.

  3. In the newly added file type key (for example, HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection\DOCX), create a new String Value named Encryption that has a value of Native.

As a result of these settings, all files are generically protected except files that have a .docx file name extension. These files are natively protected by the Azure Information Protection client.

Repeat these three steps for other file types that you want to define as exceptions because they support native protection and you do not want them to be generically protected by the Azure Information Protection client.

You can make similar registry edits for other scenarios by changing the value of the Encryption string that supports the following values:

  • Pfile: Generic protection

  • Native: Native protection

  • Off: Block protection

After making these registry changes, there's no need to restart the computer. However, if you're using PowerShell commands to protect files, you must start a new PowerShell session for the changes to take effect.
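
The registry edits described in this section, scripted as an added example (not Microsoft's own script): it makes generic protection the default for every extension, keeps .docx natively protected, and reads the result back for review. The `$NativeExceptions` list and the `Set-FileProtection` helper name are assumptions of this example; run it from an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's script. Makes generic protection (Pfile) the
# default for every extension and keeps the listed extensions natively protected.

$NativeExceptions = @('DOCX')   # assumption: extensions to exempt, without the period
$SubPath = 'Software\Microsoft\MSIPC\FileProtection'

# On 64-bit Windows the Registry32 view of $SubPath is the WOW6432Node path and
# the Registry64 view is the other path named in step 1. 32-bit Windows has one view.
$Views = @([Microsoft.Win32.RegistryView]::Registry32)
if ([Environment]::Is64BitOperatingSystem) {
    $Views += [Microsoft.Win32.RegistryView]::Registry64
}

function Set-FileProtection {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][Microsoft.Win32.RegistryView]$View,
        [Parameter(Mandatory)][string]$Extension,   # '*' or a name such as 'DOCX'
        [Parameter(Mandatory)][ValidateSet('Pfile', 'Native', 'Off')][string]$Encryption,
        [Nullable[int]]$AllowPFILEEncryption
    )
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $View)
    $key = $null
    try {
        # The .NET API takes '*' literally (the registry provider's -Path would
        # expand it as a wildcard) and creates FileProtection if it is missing.
        $key = $base.CreateSubKey("$SubPath\$Extension")
        $key.SetValue('Encryption', $Encryption, [Microsoft.Win32.RegistryValueKind]::String)
        if ($null -ne $AllowPFILEEncryption) {
            $key.SetValue('AllowPFILEEncryption', [int]$AllowPFILEEncryption, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    }
    finally {
        if ($key) { $key.Close() }
        $base.Close()
    }
}

foreach ($view in $Views) {
    # Steps 1-2 of the first procedure: the '*' key with Encryption = Pfile.
    Set-FileProtection -View $view -Extension '*' -Encryption 'Pfile'
    # Steps 1-3 of the exception procedure, once per exempted extension.
    foreach ($ext in $NativeExceptions) {
        Set-FileProtection -View $view -Extension $ext -Encryption 'Native' -AllowPFILEEncryption 0
    }
}

# Read the configuration back from each view so the change can be reviewed.
foreach ($view in $Views) {
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
    $root = $base.OpenSubKey($SubPath)
    foreach ($name in $root.GetSubKeyNames()) {
        $sub = $root.OpenSubKey($name)
        [pscustomobject]@{
            View                 = $view
            Extension            = $name
            Encryption           = $sub.GetValue('Encryption')
            AllowPFILEEncryption = $sub.GetValue('AllowPFILEEncryption')
        }
        $sub.Close()
    }
    $root.Close()
    $base.Close()
}
```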

For more information about editing the registry to change the default protection level of files, see File API configuration from the developer guidance. In this documentation for developers, generic protection is referred to as "PFile".

File types that are excluded from classification and protection

To help prevent users from changing files that are critical for computer operations, some file types and folders are automatically excluded from classification and protection. If users try to classify or protect these files by using the Azure Information Protection client, they see a message that they are excluded.

  • Excluded file types: .lnk, .exe, .com, .cmd, .bat, .dll, .ini, .pst, .sca, .drm, .sys, .cpl, .inf, .drv, .dat, .tmp, .msg, .msp, .msi, .pdb, .jar

  • Excluded folders:

    • Windows
    • Program Files (\Program Files and \Program Files (x86))
    • \ProgramData
    • \AppData (for all users)

File types that are excluded from classification and protection by the Azure Information Protection scanner

By default, the scanner also excludes the same file types as the Azure Information Protection client with the following exceptions:

  • .rtf and .rar are also excluded

You can change the file types included or excluded for file inspection by the scanner:

Note

If you include .rtf files for scanning, carefully monitor the scanner. Some .rtf files cannot be successfully inspected by the scanner and for these files, the inspection doesn't complete and the service must be restarted.

By default, the scanner protects only Office file types, and PDF files when they are protected by using the ISO standard for PDF encryption. To change this behavior for the scanner, edit the registry and specify the additional file types that you want to be protected. For instructions, see Use the registry to change which file types are protected from the scanner deployment instructions.

Files that cannot be protected by default

Any file that is password-protected cannot be natively protected by the Azure Information Protection client unless the file is currently open in the application that applies the protection. You most often see PDF files that are password-protected but other applications, such as Office apps, also offer this functionality.

If you change the default behavior of the Azure Information Protection client so that it protects PDF files with a .ppdf file name extension, the client cannot natively protect or unprotect PDF files in either of the following circumstances:

  • A PDF file that is form-based.

  • A protected PDF file that has a .pdf file name extension.

    The Azure Information Protection client can protect an unprotected PDF file, and it can unprotect and reprotect a protected PDF file when it has a .ppdf file name extension.

Limitations for container files, such as .zip files

For more information, see the collection of Azure Information Protection limitations.

File types supported for inspection

Without any additional configuration, the Azure Information Protection client uses Windows IFilter to inspect the contents of documents. Windows IFilter is used by Windows Search for indexing. As a result, the following file types can be inspected when you use the Azure Information Protection scanner, or the Set-AIPFileClassification PowerShell command.

| Application type | File type |
|---|---|
| Word | .doc; .docx; .docm; .dot; .dotm; .dotx |
| Excel | .xls; .xlt; .xlsx; .xltx; .xltm; .xlsm; .xlsb |
| PowerPoint | .ppt; .pps; .pot; .pptx; .ppsx; .pptm; .ppsm; .potx; .potm |
| PDF | .pdf |
| Text | .txt; .xml; .csv |

With additional configuration, other file types can also be inspected. For example, you can register a custom file name extension to use the existing Windows filter handler for text files, and you can install additional filters from software vendors.

To check what filters are installed, see the Finding a Filter Handler for a Given File Extension section from the Windows Search Developer's Guide.

The following sections have configuration instructions to inspect .zip files and .tiff files.

To inspect .zip files

The Azure Information Protection scanner and the Set-AIPFileClassification PowerShell command can inspect .zip files when you follow these instructions:

  1. For the computer running the scanner or the PowerShell session, install the Office 2010 Filter Pack SP2.

  2. For the scanner: After finding sensitive information, if the .zip file should be classified and protected with a label, add a registry entry for this file name extension to have generic protection (pfile), as described in Use the registry to change which file types are protected from the scanner deployment instructions.

Example scenario after doing these steps:

A file named accounts.zip contains Excel spreadsheets with credit card numbers. Your Azure Information Protection policy has a label named Confidential \ Finance, which is configured to discover credit card numbers, and automatically apply the label with protection that restricts access to the Finance group.

After inspecting the file, the scanner classifies this file as Confidential \ Finance, applies generic protection to the file so that only members of the Finance group can unzip it, and renames the file accounts.zip.pfile.

To inspect .tiff files by using OCR

The Azure Information Protection scanner and the Set-AIPFileClassification PowerShell command can use optical character recognition (OCR) to inspect TIFF images with a .tiff file name extension when you install the Windows TIFF IFilter feature, and then configure Windows TIFF IFilter Settings on the computer running the scanner or the PowerShell session.

For the scanner: After finding sensitive information, if the .tiff file should be classified and protected with a label, add a registry entry for this file name extension to have native protection, as described in Use the registry to change which file types are protected from the scanner deployment instructions.

Next steps

Now that you've identified the file types supported by the Azure Information Protection client, see the following resources for additional information that you might need to support this client: