Known issues - Azure Information Protection

*Applies to: Azure Information Protection*

*Relevant for: AIP unified labeling client and classic client*

Note

To provide a unified and streamlined customer experience, Azure Information Protection classic client and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

Use the lists and tables below to find details about known issues and limitations related to Azure Information Protection features.

Client support for container files, such as .zip files

Container files are files that include other files, with a typical example being .zip files that contain compressed files. Other examples include .rar, .7z, .msg files, and PDF documents that include attachments.

You can classify and protect these container files, but the classification and protection is not applied to each file inside the container.

If you have a container file that includes classified and protected files, you must first extract the files to change their classification or protection settings. However, you can remove the protection for all files in supported container files by using the Unprotect-RMSFile cmdlet.

The Azure Information Protection viewer cannot open attachments in a protected PDF document. In this scenario, when the document is opened in the viewer, the attachments are not visible.

For more information, see Admin Guide: File types supported by the Azure Information Protection client.

Known issues for AIP and Exploit Protection

The Azure Information Protection client is not supported on machines that have .NET 2 or 3 with Exploit protection enabled. On such machines it causes Office apps to behave unexpectedly.

In such cases, we recommend that you upgrade your .NET version. For more information, see Microsoft .NET Framework requirements.

If you must keep your .NET version 2 or 3, make sure to disable Exploit protection before installing AIP.

To disable Exploit protection via PowerShell, run the following:

Set-ProcessMitigation -Name "OUTLOOK.EXE" -Disable EnableExportAddressFilterPlus, EnableExportAddressFilter, EnableImportAddressFilter
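The command above turns off three address-filter mitigations for OUTLOOK.EXE only. The following added example (not part of the original page and not Microsoft's code) records their current state before making that same change and restores the previously enabled ones afterwards, for instance once .NET has been upgraded. The function names and the `$StateFile` path are hypothetical; run it from an elevated PowerShell session.

```powershell
# Added example: audit, change and roll back the three Exploit protection
# settings named on this page, scoped to OUTLOOK.EXE.
$App       = 'OUTLOOK.EXE'
$Flags     = 'EnableExportAddressFilterPlus', 'EnableExportAddressFilter', 'EnableImportAddressFilter'
$StateFile = Join-Path $env:ProgramData 'aip-outlook-mitigations.json'   # hypothetical path

function Get-AddressFilterState {
    # Per-app value of each flag: ON, OFF or NOTSET (NOTSET when no app entry exists).
    $entry = Get-ProcessMitigation -Name $App | Select-Object -First 1
    foreach ($flag in $Flags) {
        $value = if ($entry) { "$($entry.Payload.$flag)" } else { 'NOTSET' }
        [pscustomobject]@{ Flag = $flag; State = $value }
    }
}

function Disable-AddressFilters {
    # Save the current state first so the change can be reviewed and undone.
    Get-AddressFilterState | ConvertTo-Json | Set-Content -Path $StateFile -Encoding UTF8
    Set-ProcessMitigation -Name $App -Disable $Flags
    Get-AddressFilterState
}

function Restore-AddressFilters {
    # Re-enable only the flags that were ON before Disable-AddressFilters ran.
    # Flags that were NOTSET or OFF stay OFF and are listed for manual review.
    $saved = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
    $wasOn = @($saved | Where-Object State -eq 'ON' | ForEach-Object Flag)
    if ($wasOn.Count -gt 0) {
        Set-ProcessMitigation -Name $App -Enable $wasOn
    }
    Get-AddressFilterState
}

# Read-only audit; call Disable-AddressFilters or Restore-AddressFilters explicitly.
Get-AddressFilterState | Format-Table -AutoSize
```

Keeping the saved state file alongside the change record makes it possible to confirm later that no mitigation stayed disabled longer than the legacy .NET dependency required.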

PowerShell support for the Azure Information Protection client

The current release of the AzureInformationProtection PowerShell module that's installed with the Azure Information Protection client has the following known issues:

  • Outlook personal folders (.pst files). Natively protecting .pst files is not supported using the AzureInformationProtection module.

  • Outlook protected email messages (.rpmsg files). Unprotecting Outlook protected email messages is supported by the AzureInformationProtection module only if they are inside an Outlook personal folder (.pst file).

    Unprotecting email messages outside of a .pst file is not supported.

For more information, see Admin Guide: Using PowerShell with the Azure Information Protection client.

AIP known issues in Office applications

Feature | Known issues
Multiple versions of Office | The Azure Information Protection clients, including both classic and unified labeling, do not support multiple versions of Office on the same computer, or switching user accounts in Office.
Multiple displays | If you're using multiple displays and have an Office application open:

- You may experience performance issues in your Office apps.
- The Azure Information Protection bar may appear to float in the middle of the Office screen, on one or both displays.

To ensure consistent performance, and that the bar remains in the correct location, open the Options dialog for your Office application, and under General, select Optimize for compatibility instead of Optimize for best appearance.
IRM support in Office 2016 | The DRMEncryptProperty registry setting, which controls metadata encryption in Office 2016, is not supported for Azure Information Protection labels.
Outlook object model access | - The PromptOOMAddressBookAccess registry setting, which controls the prompts that display when address books are accessed via the Outlook object model, is not supported with Azure Information Protection labels.

- The PromptOOMAddressInformationAccess registry setting, which controls the prompts that display when a program reads address information, is not supported for Azure Information Protection labels.
Content markings in Word | AIP content markings in Microsoft Word headers or footers may be offset or placed incorrectly, or may be hidden entirely, when that same header or footer also contains a table.

For more information, see When visual markings are applied.
Files attached to emails | Due to a limitation in recent Windows updates, when Microsoft Outlook is protected by Azure Rights Management, files attached to emails may be locked after opening the file.
Mail merge | The Office mail merge feature is not supported with any Azure Information Protection feature.
S/MIME emails | Opening S/MIME emails in Outlook's Reading Pane may cause performance issues.

To prevent performance issues with S/MIME emails, enable the OutlookSkipSmimeOnReadingPaneEnabled advanced property.

Note: Enabling this property prevents the AIP bar or the email classification from being displayed in Outlook's Reading Pane.
Send to File Explorer option | If you choose to right-click on any file in the File Explorer and select Send to > Mail recipient, the Outlook message that opens with the file attached may not display the AIP toolbar.

If this occurs and you need to use the AIP toolbar options, start your email from within Outlook and then browse to and attach the file you want to send.

Known issues in policies

Publishing policies may take up to 24 hours.

Maximum file sizes

Files of over 2 GB are supported for protection, but not decryption.

Known issues for the AIP viewer

The AIP viewer displays images in portrait mode, and some wide, landscape-view images may appear to be stretched.

For example, an original image is shown below on the left, with a stretched, portrait version in the AIP viewer on the right.

Stretched image in the client viewer

For more information, see:

Known issues for track and revoke features (Public preview)

Tracking and revoking document access using the unified labeling client has the following known issues:

For more information, see Administrator Guide: Track and revoke document access with Azure Information Protection and User Guide: Revoke document access with Azure Information Protection.

Multiple attachments in a protected email

If you attach multiple documents to an email, and then protect the email and send it, each of the attachments gets the same ContentID value.

This ContentID value will be returned only with the first file that had been opened. Searching for the other attachments will not return the ContentID value required to get tracking data.

Additionally, revoking access for one of the attachments also revokes access for the other attachments in the same protected email.

Documents accessed via SharePoint

  • Protected documents that are uploaded to SharePoint lose their ContentID value, and access cannot be tracked or revoked.

  • If a user downloads the file from SharePoint and accesses it from their local machine, a new ContentID is applied to the document when they open it locally.

    Using the original ContentID value to track data will not include any access performed for the user's downloaded file. Additionally, revoking access based on the original ContentID value will not revoke access for any of the downloaded files.

    In such cases, administrators may be able to locate the downloaded files using PowerShell to find the new ContentID values to track or revoke access.

Known issues for the AIP client and OneDrive

If you have documents stored in OneDrive with a sensitivity label applied, and an administrator changes the label in the labeling policy to add protection, the newly applied protection is not automatically applied to the labeled document.

In such cases, re-label the document manually to apply the protection as needed.

AIP and legacy Windows and Office versions

  • Windows 7 extended support ended on January 14, 2020.

    We strongly encourage you to upgrade to a newer version of Windows 10.

    However, if you have Extended Security Updates (ESU) and a support contract, AIP support is available to continue keeping your Windows 7 systems secure.

    For more information, check with your support contact.

  • Office 2010 extended support ended on October 13, 2020.

    This support will not be extended, and ESU will not be offered for Office 2010.

    We strongly encourage you to upgrade to a newer version of Office 365.

    For more information, check with your support contact.

AIP-based Conditional Access policies

External users who receive content protected by Conditional Access policies must have an Azure Active Directory (Azure AD) business-to-business (B2B) collaboration guest user account in order to view the content.

While you can invite external users to activate a guest user account, allowing them to authenticate and pass the conditional access requirements, it may be difficult to ensure that this occurs for all external users required.

We recommend enabling AIP-based conditional access policies for your internal users only.

Enable conditional access policies for AIP for internal users only:

  1. In the Azure portal, navigate to the Conditional Access blade, and select the conditional access policy you wish to modify.
  2. Under Assignments, select Users and groups, and then select All users. Make sure that the All guest and external users option is not selected.
  3. Save your changes.

You can also entirely disable CA within Azure Information Protection if the functionality is not required for your organization, in order to avoid this potential issue.

For more information, see the Conditional Access documentation.

More information

The following additional articles may be helpful in answering questions about known issues in Azure Information Protection: