Admin Guide: File types supported by the Azure Information Protection client

Applies to: Active Directory Rights Management Services, Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows 7 with SP1, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2

Instructions for: Azure Information Protection client for Windows

The Azure Information Protection client can apply the following to documents and emails:

  • Classification only

  • Classification and protection

  • Protection only

The Azure Information Protection client can also inspect the content of some file types using well-known sensitive information types or regular expressions that you define.

Use the following information to check which file types the Azure Information Protection client supports, understand the different levels of protection and how to change the default protection level, and to identify which files are automatically excluded (skipped) from classification and protection.

For the listed file types, WebDav locations are not supported.

File types supported for classification only

The following file types can be classified even when they are not protected.

  • Adobe Portable Document Format: .pdf

  • Microsoft Project: .mpp, .mpt

  • Microsoft Publisher: .pub

  • Microsoft XPS: .xps, .oxps

  • Images: .jpg, .jpe, .jpeg, .jif, .jfif, .jfi, .png, .tif, .tiff

  • Autodesk Design Review 2013: .dwfx

  • Adobe Photoshop: .psd

  • Digital Negative: .dng

  • Microsoft Office: File types in the following table.

    The supported file formats for these file types are the 97-2003 file formats and Office Open XML formats for the following Office programs: Word, Excel, and PowerPoint.

    Office file type
    .doc, .docm, .docx, .dot, .dotm, .dotx, .potm, .potx, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .vdw, .vsd
    .vsdm, .vsdx, .vss, .vssm, .vst, .vstm, .vssx, .vstx, .xls, .xlsb, .xlt, .xlsm, .xlsx, .xltm, .xltx

Additional file types support classification when they are also protected. For these file types, see the Supported file types for classification and protection section.

For example, in the current default policy, the General label applies classification and does not apply protection. You could apply the General label to a file named sales.pdf but you could not apply this label to a file named sales.txt.

Also in the current default policy, the Confidential \ All Employees label applies classification and protection. You could apply this label to a file named sales.pdf and a file named sales.txt. You could also apply just protection to these files, without classification.

File types supported for protection

The Azure Information Protection client supports protection at two different levels, as described in the following table.

Type of protection: Native

Description: For text, image, Microsoft Office (Word, Excel, PowerPoint) files, .pdf files, and other application file types that support a Rights Management service, native protection provides a strong level of protection that includes both encryption and enforcement of rights (permissions).

Protection: File protection is enforced in the following ways:

- Before protected content is rendered, successful authentication must occur for those who receive the file through email or are given access to it through file or share permissions.

- Additionally, usage rights and policy that were set by the content owner when the files were protected are enforced when the content is rendered in either the Azure Information Protection viewer (for protected text and image files) or the associated application (for all other supported file types).

Default for file types: This is the default level of protection for the following file types:

- Text and image files

- Microsoft Office (Word, Excel, PowerPoint) files

- Portable document format (.pdf)

For more information, see the following section, Supported file types for classification and protection.

Type of protection: Generic

Description: For all other applications and file types, generic protection provides a level of protection that includes both file encapsulation using the .pfile file type and authentication to verify if a user is authorized to open the file.

Protection: File protection is enforced in the following ways:

- Before protected content is rendered, successful authentication must occur for people who are authorized to open the file and given access to it. If authorization fails, the file does not open.

- Usage rights and policy set by the content owner are displayed to inform authorized users of the intended usage policy.

- Audit logging of authorized users opening and accessing files occurs. However, usage rights are not enforced.

Default for file types: This is the default protection for all other file types (such as .vsdx, .rtf, and so on) that are not supported by native protection.

You can change the default protection level that the Azure Information Protection client applies. You can change the default level of native to generic, from generic to native, and even prevent the Azure Information Protection client from applying protection. For more information, see the Changing the default protection level of files section in this article.

The data protection can be applied automatically when a user selects a label that an administrator has configured, or users can specify their own custom protection settings by using permission levels.

File sizes supported for protection

There are maximum file sizes that the Azure Information Protection client supports for protection.

  • For Office files:

    Office application: Word 2007 (supported by AD RMS only), Word 2010, Word 2013, Word 2016
    Maximum file size supported: 32-bit: 512 MB; 64-bit: 512 MB

    Office application: Excel 2007 (supported by AD RMS only), Excel 2010, Excel 2013, Excel 2016
    Maximum file size supported: 32-bit: 2 GB; 64-bit: Limited only by available disk space and memory

    Office application: PowerPoint 2007 (supported by AD RMS only), PowerPoint 2010, PowerPoint 2013, PowerPoint 2016
    Maximum file size supported: 32-bit: Limited only by available disk space and memory; 64-bit: Limited only by available disk space and memory

  • For all other files:

    • To protect other file types, and to open these file types in the Azure Information Protection viewer: The maximum file size is limited only by available disk space and memory.

    • To unprotect files by using the Unprotect-RMSFile cmdlet: The maximum file size supported for .pst files is 5 GB. Other file types are limited only by available disk space and memory.

      Tip: If you need to search or recover protected items in large .pst files, see Guidance for using Unprotect-RMSFile for eDiscovery.

Supported file types for classification and protection

The following table lists a subset of file types that support native protection by the Azure Information Protection client, and that can also be classified.

These file types are identified separately because when they are natively protected, the original file name extension is changed, and these files become read-only. Note that when files are generically protected, the original file name extension is always changed to .pfile.

Warning

If you have firewalls, web proxies, or security software that inspect and take action according to file name extensions, you might need to reconfigure these network devices and software to support these new file name extensions.

Original file name extension    Protected file name extension
.txt                            .ptxt
.xml                            .pxml
.jpg                            .pjpg
.jpeg                           .pjpeg
.pdf                            .ppdf [1]
.png                            .ppng
.tif                            .ptif
.tiff                           .ptiff
.bmp                            .pbmp
.gif                            .pgif
.jpe                            .pjpe
.jfif                           .pjfif
.jt                             .pjt

Footnote 1

With the latest version of the Azure Information Protection client, by default, the file name extension of the protected PDF document remains as .pdf.

The next table lists the remaining file types that support native protection by the Azure Information Protection client, and that can also be classified. You will recognize these as file types for Microsoft Office apps. The supported file formats for these file types are the 97-2003 file formats and Office Open XML formats for the following Office programs: Word, Excel, and PowerPoint.

For these files, the file name extension remains the same after the file is protected by a Rights Management service.

File types supported by Office
.doc, .docm, .docx, .dot, .dotm, .dotx, .potm, .potx, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .vsdm
.vsdx, .vssm, .vssx, .vstm, .vstx, .xla, .xlam, .xls, .xlsb, .xlt, .xlsm, .xlsx, .xltm, .xltx, .xps

Changing the default protection level of files

You can change how the Azure Information Protection client protects files by editing the registry. For example, you can force files that support native protection to be generically protected by the Azure Information Protection client.

Reasons why you might want to do this:

  • To ensure that all users can open the file if they don't have an application that supports native protection.

  • To accommodate security systems that take action on files by their file name extension and can be reconfigured to accommodate the .pfile file name extension but cannot be reconfigured to accommodate multiple file name extensions for native protection.

Similarly, you can force the Azure Information Protection client to apply native protection to files that, by default, would have generic protection applied. This action might be appropriate if you have an application that supports the RMS APIs. For example, a line-of-business application written by your internal developers or an application purchased from an independent software vendor (ISV).

You can also force the Azure Information Protection client to block the protection of files (not apply native protection or generic protection). For example, this action might be required if you have an automated application or service that must be able to open a specific file to process its contents. When you block protection for a file type, users cannot use the Azure Information Protection client to protect a file that has that file type. When they try, they see a message that the administrator has prevented protection and they must cancel their action to protect the file.

To configure the Azure Information Protection client to apply generic protection to all files that, by default, would have native protection applied, make the following registry edits. Note that if the FileProtection key does not exist, you must manually create it.

  1. Create a new key named * for the following registry path, which denotes files with any file name extension:

    • For 32-bit version of Windows: HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection

    • For 64-bit version of Windows: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIPC\FileProtection and HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection

  2. In the newly added key (for example, HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection\*), create a new string value (REG_SZ) named Encryption that has the data value of Pfile.

    This setting results in the Azure Information Protection client applying generic protection.

These two settings result in the Azure Information Protection client applying generic protection to all files that have a file name extension. If this is your goal, no further configuration is required. However, you can define exceptions for specific file types, so that they are still natively protected. To do this, you must make three (for 32-bit Windows) or 6 (for 64-bit Windows) additional registry edits for each file type:

  1. For HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection and HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIPC\FileProtection (if applicable): Add a new key that has the name of the file name extension (without the preceding period).

    For example, for files that have a .docx file name extension, create a key named DOCX.

  2. In the newly added file type key (for example, HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection\DOCX), create a new DWORD Value named AllowPFILEEncryption that has a value of 0.

  3. In the newly added file type key (for example, HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection\DOCX), create a new String Value named Encryption that has a value of Native.

As a result of these settings, all files are generically protected except files that have a .docx file name extension. These files are natively protected by the Azure Information Protection client.

Repeat these three steps for other file types that you want to define as exceptions because they support native protection and you do not want them to be generically protected by the Azure Information Protection client.

You can make similar registry edits for other scenarios by changing the value of the Encryption string that supports the following values:

  • Pfile: Generic protection

  • Native: Native protection

  • Off: Block protection

After making these registry changes, there's no need to restart the computer. However, if you're using PowerShell commands to protect files, you must start a new PowerShell session for the changes to take effect.
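
The registry edits described above (generic protection for all files, with .docx kept as a native exception), as an added PowerShell example that is not part of the original guide. The function names are hypothetical; it assumes Windows PowerShell 3.0 or later in an elevated session, and it uses the .NET registry API because the PowerShell registry provider interprets a key named * in -Path as a wildcard.

```powershell
# Added example: function names are hypothetical, not part of the AIP client.
# Run elevated: writing under HKEY_LOCAL_MACHINE requires administrator rights.
$FileProtectionPath = 'Software\Microsoft\MSIPC\FileProtection'

function Get-RegistryViews {
    # On 64-bit Windows both the native view and the 32-bit view
    # (WOW6432Node) must be written; on 32-bit Windows there is only one.
    if ([Environment]::Is64BitOperatingSystem) {
        [Microsoft.Win32.RegistryView]::Registry64
        [Microsoft.Win32.RegistryView]::Registry32
    } else {
        [Microsoft.Win32.RegistryView]::Registry32
    }
}

function Set-FileProtectionLevel {
    param(
        # '*' for all extensions, or a single extension such as 'docx' or '.docx'
        [Parameter(Mandatory = $true)][string]$Extension,
        [Parameter(Mandatory = $true)]
        [ValidateSet('Pfile', 'Native', 'Off')][string]$Encryption
    )
    # Key name is the extension without the leading period (the guide uses DOCX).
    $name = if ($Extension -eq '*') { '*' } else { $Extension.TrimStart('.').ToUpperInvariant() }
    foreach ($view in Get-RegistryViews) {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            # CreateSubKey creates FileProtection and the child key when missing
            # and treats '*' as a literal key name.
            $key = $hklm.CreateSubKey("$FileProtectionPath\$name")
            try {
                $key.SetValue('Encryption', $Encryption,
                    [Microsoft.Win32.RegistryValueKind]::String)
                # A native exception for one file type also sets AllowPFILEEncryption = 0.
                if ($name -ne '*' -and $Encryption -eq 'Native') {
                    $key.SetValue('AllowPFILEEncryption', 0,
                        [Microsoft.Win32.RegistryValueKind]::DWord)
                }
            } finally { $key.Dispose() }
        } finally { $hklm.Dispose() }
    }
}

function Get-FileProtectionLevel {
    # Lists what is configured in each registry view, so a mismatch between
    # the 64-bit and WOW6432Node settings is visible during review.
    foreach ($view in Get-RegistryViews) {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $root = $hklm.OpenSubKey($FileProtectionPath)
            if ($null -eq $root) { continue }   # nothing configured in this view
            try {
                foreach ($sub in $root.GetSubKeyNames()) {
                    $k = $root.OpenSubKey($sub)
                    [pscustomobject]@{
                        View                 = $view
                        Extension            = $sub
                        Encryption           = $k.GetValue('Encryption')
                        AllowPFILEEncryption = $k.GetValue('AllowPFILEEncryption')
                    }
                    $k.Dispose()
                }
            } finally { $root.Dispose() }
        } finally { $hklm.Dispose() }
    }
}

# Generic protection for every extension, then .docx kept as a native exception.
Set-FileProtectionLevel -Extension '*' -Encryption Pfile
Set-FileProtectionLevel -Extension 'docx' -Encryption Native
Get-FileProtectionLevel | Format-Table -AutoSize
```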

For more information about editing the registry to change the default protection level of files, see File API configuration from the developer guidance. In this documentation for developers, generic protection is referred to as "PFile".

File types that are excluded from classification and protection

To help prevent users from changing files that are critical for computer operations, some file types and folders are automatically excluded from classification and protection. If users try to classify or protect these files by using the Azure Information Protection client, they see a message that they are excluded.

  • Excluded file types: .lnk, .exe, .com, .cmd, .bat, .dll, .ini, .pst, .sca, .drm, .sys, .cpl, .inf, .drv, .dat, .tmp, .msg, .msp, .msi, .pdb, .jar

  • Excluded folders:

    • Windows
    • Program Files (\Program Files and \Program Files (x86))
    • \ProgramData
    • \AppData (for all users)

File types that are excluded from classification and protection by the Azure Information Protection scanner

By default, the scanner also excludes the same file types as the Azure Information Protection client with the following exceptions:

  • .rtf and .rar are also excluded

You can change the file types included or excluded for file inspection by the scanner:

Note

If you include .rtf files for scanning, carefully monitor the scanner. Some .rtf files cannot be successfully inspected by the scanner and for these files, the inspection doesn't complete and the service must be restarted.

By default, the scanner protects only Office file types, and PDF files when they are protected by using the ISO standard for PDF encryption. To change this behavior for the scanner, edit the registry and specify the additional file types that you want to be protected. For instructions, see Registry edits to change which file types are protected from the scanner deployment instructions.

Files that cannot be protected by default

Any file that is password-protected cannot be natively protected by the Azure Information Protection client unless the file is currently open in the application that applies the protection. You most often see PDF files that are password-protected but other applications, such as Office apps, also offer this functionality.

If you change the default behavior of the Azure Information Protection client so that it protects PDF files with a .ppdf file name extension, the client cannot natively protect or unprotect PDF files in either of the following circumstances:

  • A PDF file that is form-based.

  • A protected PDF file that has a .pdf file name extension.

    The Azure Information Protection client can protect an unprotected PDF file, and it can unprotect and reprotect a protected PDF file when it has a .ppdf file name extension.

Limitations for container files, such as .zip files

Container files are files that include other files, with a typical example being .zip files that contain compressed files. Other examples include .rar, .7z, .msg files, and PDF documents that include attachments.

You can classify and protect these container files, but the classification and protection is not applied to each file inside the container.

If you have a container file that includes classified and protected files, you must first extract the files to change their classification or protection settings. However, you can remove the protection for all files in supported container files by using the Unprotect-RMSFile cmdlet.

The Azure Information Protection viewer cannot open attachments in a protected PDF document. In this scenario, when the document is opened in the viewer, the attachments are not visible.

File types supported for inspection

Without any additional configuration, the Azure Information Protection client uses Windows IFilter to inspect the contents of documents. Windows IFilter is used by Windows Search for indexing. As a result, the following file types can be inspected when you use the Azure Information Protection scanner, or the Set-AIPFileClassification PowerShell command.

Application type    File type
Word                .doc; .docx; .docm; .dot; .dotm; .dotx
Excel               .xls; .xlt; .xlsx; .xltx; .xltm; .xlsm; .xlsb
PowerPoint          .ppt; .pps; .pot; .pptx; .ppsx; .pptm; .ppsm; .potx; .potm
PDF                 .pdf
Text                .txt; .xml; .csv

With additional configuration, other file types can also be inspected. For example, you can register a custom file name extension to use the existing Windows filter handler for text files, and you can install additional filters from software vendors.

To check what filters are installed, see the Finding a Filter Handler for a Given File Extension section from the Windows Search Developer's Guide.

The following sections have configuration instructions to inspect .zip files and .tiff files.

To inspect .zip files

The Azure Information Protection scanner and the Set-AIPFileClassification PowerShell command can inspect .zip files when you follow these instructions:

  1. For the computer running the scanner or the PowerShell session, install the Office 2010 Filter Pack SP2.

  2. For the scanner: After finding sensitive information, if the .zip file should be classified and protected with a label, add a registry entry for this file name extension to have generic protection (pfile), as described in Registry edits to change which file types are protected from the scanner deployment instructions.

Example scenario after doing these steps:

A file named accounts.zip contains Excel spreadsheets with credit card numbers. Your Azure Information Protection policy has a label named Confidential \ Finance, which is configured to discover credit card numbers, and automatically apply the label with protection that restricts access to the Finance group.

After inspecting the file, the scanner classifies this file as Confidential \ Finance, applies generic protection to the file so that only members of the Finance groups can unzip it, and renames the file accounts.zip.pfile.

To inspect .tiff files by using OCR

The Azure Information Protection scanner and the Set-AIPFileClassification PowerShell command can use optical character recognition (OCR) to inspect TIFF images with a .tiff file name extension when you install the Windows TIFF IFilter feature, and then configure Windows TIFF IFilter Settings on the computer running the scanner or the PowerShell session.

For the scanner: After finding sensitive information, if the .tiff file should be classified and protected with a label, add a registry entry for this file name extension to have native protection, as described in Registry edits to change which file types are protected from the scanner deployment instructions.

Next steps

Now that you've identified the file types supported by the Azure Information Protection client, see the following resources for additional information that you might need to support this client: