Advanced settings for Microsoft Purview Information Protection client

This article contains the Security & Compliance PowerShell advanced settings that are supported by Microsoft Purview Information Protection client when you use the following cmdlets:

The advanced settings that are supported by sensitivity labels built into Microsoft 365 apps and services are included on the cmdlet page itself. You might also find useful PowerShell tips for specifying the advanced settings.

| Advanced settings for labels | Description |
|---|---|
| Color | Specify a color for the label |
| DefaultSubLabelId | Specify a default sublabel for a parent label |

| Advanced settings for label policies | Description |
|---|---|
| AdditionalPPrefixExtensions | Support for changing <EXT>.PFILE to P<EXT> |
| EnableAudit | Prevent audit data from being sent to Microsoft Purview |
| EnableContainerSupport | Enable removal of encryption from PST, rar, 7zip, and MSG files |
| EnableCustomPermissions | Turn off custom permissions in File Explorer |
| EnableCustomPermissionsForCustomProtectedFiles | For files encrypted with custom permissions, always display custom permissions to users in File Explorer |
| EnableGlobalization | Turn on classification globalization features |
| JustificationTextForUserText | Customize justification prompt texts for modified labels |
| LogMatchedContent | Send information type matches to Microsoft Purview |
| OfficeContentExtractionTimeout | Configure the auto-labeling timeout for Office files |
| PFileSupportedExtensions | Change which file types to protect |
| ReportAnIssueLink | Add "Report an Issue" for users |
| ScannerMaxCPU | Limit CPU consumption |
| ScannerMinCPU | Limit CPU consumption |
| ScannerConcurrencyLevel | Limit the number of threads used by the scanner |
| ScannerFSAttributesToSkip | Skip or ignore files during scans depending on file attributes |
| SharepointWebRequestTimeout | Configure SharePoint timeouts |
| SharepointFileWebRequestTimeout | Configure SharePoint timeouts |
| UseCopyAndPreserveNTFSOwner | Preserve NTFS owners during labeling |

AdditionalPPrefixExtensions

This advanced property, which changes <EXT>.PFILE to P<EXT>, is supported by File Explorer, PowerShell, and the scanner. All apps have similar behavior.

  • Key: AdditionalPPrefixExtensions

  • Value: <string value>

Use the following table to identify the string value to specify:

| String value | Client and scanner |
|---|---|
| * | All PFile extensions become P<EXT> |
| <null value> | Default value behaves like the default encryption value. |
| ConvertTo-Json(".dwg", ".zip") | In addition to the previous list, ".dwg" and ".zip" become P<EXT> |

With this setting, the following extensions always become P<EXT>: ".txt", ".xml", ".bmp", ".jt", ".jpg", ".jpeg", ".jpe", ".jif", ".jfif", ".jfi", ".png", ".tif", ".tiff", ".gif". A notable exclusion is that "ptxt" does not become "txt.pfile".

This setting requires the advanced setting PFileSupportedExtensions to be enabled.

Example 1: PowerShell command that keeps the default behavior, where a protected ".dwg" file becomes ".dwg.pfile", for a label policy named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{ AdditionalPPrefixExtensions =""}

Example 2: PowerShell command to change all PFile extensions from generic encryption to native encryption when the files are labeled and encrypted, for a label policy named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{ AdditionalPPrefixExtensions ="*"}

Example 3: PowerShell command to change ".dwg" to ".pdwg" when this service protects the file, for a label policy named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{ AdditionalPPrefixExtensions =ConvertTo-Json(".dwg")}

Color

Use this advanced setting to set a color for a label. To specify the color, enter a hex triplet code for the red, green, and blue (RGB) components of the color. For example, #40e0d0 is the RGB hex value for turquoise.

If you need a reference for these codes, you'll find a helpful table on the <color> page from the MSDN web docs. You can also find these codes in many applications that let you edit pictures. For example, Microsoft Paint lets you choose a custom color from a palette and automatically displays the RGB values, which you can then copy.

To configure the advanced setting for a label's color, enter the following strings for the selected label:

  • Key: color

  • Value: <RGB hex value>

Example PowerShell command, where your label is named "Public":

Set-Label -Identity Public -AdvancedSettings @{color="#40e0d0"}

DefaultSubLabelId

When you add a sublabel to a label, users can no longer apply the parent label to a document or email. By default, users select the parent label to see the sublabels that they can apply, and then select one of those sublabels. If you configure this advanced setting, when users select the parent label, a sublabel is automatically selected and applied for them:

  • Key: DefaultSubLabelId

  • Value: <sublabel GUID>

Example PowerShell command, where your parent label is named "Confidential" and the "All Employees" sublabel has a GUID of 8faca7b8-8d20-48a3-8ea2-0f96310a848e:

Set-Label -Identity "Confidential" -AdvancedSettings @{DefaultSubLabelId="8faca7b8-8d20-48a3-8ea2-0f96310a848e"}

EnableAudit

By default, the information protection client sends audit data to Microsoft Purview where you can view this data in activity explorer.

To change this behavior, use the following advanced setting:

  • Key: EnableAudit

  • Value: False

For example, if your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableAudit="False"}

Then on local computers that run the information protection client, delete the following folder: %localappdata%\Microsoft\MSIP\mip

To enable the client to send audit log data again, change the advanced setting value to True. You do not need to manually create the %localappdata%\Microsoft\MSIP\mip folder again on your client computers.

EnableContainerSupport

This setting enables the information protection client to remove encryption from PST, rar, and 7zip files.

  • Key: EnableContainerSupport

  • Value: True

For example, if your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableContainerSupport="True"}

EnableCustomPermissions

By default, users see an option named Protect with custom permissions when they right-click in File Explorer with the file labeler. This option lets them set their own encryption settings that can override any encryption settings that you might have included with a label configuration. Users can also see an option to remove encryption. When you configure this setting, users do not see these options.

Use the following setting so users don't see these options:

  • Key: EnableCustomPermissions

  • Value: False

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableCustomPermissions="False"}

EnableCustomPermissionsForCustomProtectedFiles

When you configure the advanced client setting EnableCustomPermissions to turn off custom permissions in File Explorer, by default, users are not able to see or change custom permissions that are already set in an encrypted document.

However, there's another advanced client setting that you can specify so that in this scenario, users can see and change custom permissions for an encrypted document when they use File Explorer and right-click the file.

  • Key: EnableCustomPermissionsForCustomProtectedFiles

  • Value: True

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableCustomPermissionsForCustomProtectedFiles="True"}
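
The following added example (not part of the original article) reviews a label policy's advanced settings for the behaviors described in the EnableAudit, EnableContainerSupport, EnableCustomPermissions, and EnableCustomPermissionsForCustomProtectedFiles sections. The function names are hypothetical, it assumes that each entry of (Get-LabelPolicy).Settings is a string of the form "[key, value]", and the sample entries are constructed.

```powershell
# Added example. Assumption: each Settings entry looks like "[key, value]".
function ConvertFrom-PolicySettings {
    param([string[]]$Settings)
    $map = @{}   # PowerShell hashtable keys are case-insensitive
    foreach ($entry in $Settings) {
        # Split on the first comma only: values such as justification text can contain commas.
        if ($entry -match '^\[\s*([^,]+?)\s*,\s*(.*?)\s*\]$') {
            $map[$Matches[1]] = $Matches[2]
        }
    }
    return $map
}

function Get-PolicySettingFinding {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [string[]]$Settings
    )
    $map = ConvertFrom-PolicySettings -Settings $Settings
    # Each rule: setting name, a test on its value ($null when absent),
    # and the effect this article describes for that value.
    $rules = @(
        @{ Key = 'EnableAudit'; Test = { param($v) $v -eq 'False' }
           Effect = 'Client does not send audit data to Microsoft Purview' }
        @{ Key = 'EnableContainerSupport'; Test = { param($v) $v -eq 'True' }
           Effect = 'Client can remove encryption from PST, rar, and 7zip files' }
        @{ Key = 'EnableCustomPermissions'; Test = { param($v) $v -ne 'False' }
           Effect = 'Users can set custom permissions or remove encryption in File Explorer' }
        @{ Key = 'EnableCustomPermissionsForCustomProtectedFiles'; Test = { param($v) $v -eq 'True' }
           Effect = 'Users can see and change custom permissions on already encrypted files' }
    )
    foreach ($rule in $rules) {
        $value = $map[$rule.Key]
        if (& $rule.Test $value) {
            [pscustomobject]@{
                Policy  = $PolicyName
                Setting = $rule.Key
                Value   = if ($null -eq $value) { '<not set>' } else { $value }
                Effect  = $rule.Effect
            }
        }
    }
}

# Constructed sample in the assumed "[key, value]" form.
$sample = @(
    '[enableaudit, False]',
    '[enablecontainersupport, True]',
    '[justificationtextforusertext, Other (please explain) - Do not enter sensitive info]'
)
Get-PolicySettingFinding -PolicyName 'Global' -Settings $sample | Format-Table -AutoSize

# Against a tenant (requires a Security & Compliance PowerShell session):
# Get-LabelPolicy | ForEach-Object { Get-PolicySettingFinding -PolicyName $_.Name -Settings $_.Settings }
```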

EnableGlobalization

Classification globalization features include increased accuracy for East Asian languages and support for double-byte characters. These enhancements are provided only for 64-bit processes, and are turned off by default.

To turn on these features for your policy, specify the following strings:

  • Key: EnableGlobalization

  • Value: True

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableGlobalization="True"}

To turn off support again and revert to the default, set the EnableGlobalization advanced setting to an empty string.

JustificationTextForUserText

Customize the justification prompts that are displayed when end users change sensitivity labels on files.

For example, as an administrator, you might want to remind your users not to add any customer identifying information into this field.

To modify the default Other option that users can select in the dialog box, use the JustificationTextForUserText advanced setting. Set the value to the text you want to use instead.

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{JustificationTextForUserText="Other (please explain) - Do not enter sensitive info"}

LogMatchedContent

By default, the information protection client doesn't send content matches for sensitive info types to Microsoft Purview, which can then be displayed in activity explorer. The scanner always sends this information. For more information about this additional information that can be sent, see Content matches for deeper analysis.

To send content matches when sensitive information types are sent, use the following advanced setting in a label policy:

  • Key: LogMatchedContent

  • Value: True

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{LogMatchedContent="True"}

OfficeContentExtractionTimeout

By default, the scanner's auto-labeling timeout on Office files is 3 seconds.

If you have a complex Excel file with many sheets or rows, 3 seconds might not be enough to automatically apply labels. To increase this timeout for the selected label policy, specify the following strings:

  • Key: OfficeContentExtractionTimeout

  • Value: Seconds, in the following format: hh:mm:ss.

Important

We recommend that you don't raise this timeout to higher than 15 seconds.

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OfficeContentExtractionTimeout="00:00:15"}

The updated timeout applies to auto-labeling on all Office files.

PFileSupportedExtensions

With this setting, you can change which file types are encrypted but you cannot change the default encryption level from native to generic. For example, for users running the file labeler, you can change the default setting so that only Office files and PDF files are encrypted instead of all file types. But you cannot change these file types to be generically encrypted with a .pfile file name extension.

  • Key: PFileSupportedExtensions

  • Value: <string value>

Use the following table to identify the string value to specify:

| String value | Client | Scanner |
|---|---|---|
| * | Default value: Apply encryption to all file types | Apply encryption to all file types |
| ConvertTo-Json(".jpg", ".png") | In addition to Office file types and PDF files, apply encryption to the specified file name extensions | In addition to Office file types and PDF files, apply encryption to the specified file name extensions |

Example 1: PowerShell command for the scanner to encrypt all file types, where your label policy is named "Scanner":

Set-LabelPolicy -Identity Scanner -AdvancedSettings @{PFileSupportedExtensions="*"}

Example 2: PowerShell command for the scanner to encrypt .txt files and .csv files in addition to Office files and PDF files, where your label policy is named "Scanner":

Set-LabelPolicy -Identity Scanner -AdvancedSettings @{PFileSupportedExtensions=ConvertTo-Json(".txt", ".csv")}

ReportAnIssueLink

When you specify the following advanced client setting, users see a Report an Issue option that they can select from the Help and Feedback client dialog box in the file labeler. Specify an HTTP string for the link. For example, a customized web page that you have for users to report issues, or an email address that goes to your help desk.

To configure this advanced setting, enter the following strings for the selected label policy:

  • Key: ReportAnIssueLink

  • Value: <HTTP string>

Example value for a website: https://support.contoso.com

Example value for an email address: mailto:[email protected]

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{ReportAnIssueLink="mailto:[email protected]"}

ScannerMaxCPU

Important

We recommend limiting CPU consumption by using the advanced settings ScannerMaxCPU and ScannerMinCPU instead of ScannerConcurrencyLevel that's supported for backwards compatibility.

If the older advanced setting is specified, ScannerMaxCPU and ScannerMinCPU advanced settings are ignored.

Use this advanced setting in conjunction with ScannerMinCPU to limit CPU consumption on the scanner computer.

  • Key: ScannerMaxCPU

  • Value: <number>

The value is set to 100 by default, which means there is no limit of maximum CPU consumption. In this case, the scanner process will try to use all available CPU time to maximize your scan rates.

If you set ScannerMaxCPU to less than 100, the scanner will monitor the CPU consumption over the last 30 minutes. If the average CPU crossed the limit you set, it will start to reduce the number of threads allocated for new files.

The limit on the number of threads will continue as long as CPU consumption is higher than the limit set for ScannerMaxCPU.

ScannerMinCPU

Important

We recommend limiting CPU consumption by using the advanced settings ScannerMaxCPU and ScannerMinCPU instead of ScannerConcurrencyLevel that's supported for backwards compatibility.

If the older advanced setting is specified, ScannerMaxCPU and ScannerMinCPU advanced settings are ignored.

Used only if ScannerMaxCPU is not equal to 100, and cannot be set to a number that is higher than the ScannerMaxCPU value.

We recommend keeping ScannerMinCPU set at least 15 points lower than the value of ScannerMaxCPU.

The value is set to 50 by default, which means that if CPU consumption in the last 30 minutes was lower than this value, the scanner will start adding new threads to scan more files in parallel, until the CPU consumption reaches the level you have set for ScannerMaxCPU-15.
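
The following added example (not part of the original article) checks a ScannerMaxCPU and ScannerMinCPU pair against the rules stated above before building the value for -AdvancedSettings. The function name and the numbers are hypothetical, and the optional check for ScannerConcurrencyLevel assumes that (Get-LabelPolicy).Settings entries are strings of the form "[key, value]".

```powershell
# Added example; the function name and sample values are hypothetical.
function New-ScannerCpuSetting {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 100)][int]$MaxCpu,
        # 50 is the documented default for ScannerMinCPU.
        [ValidateRange(0, 100)][int]$MinCpu = 50,
        # Current (Get-LabelPolicy).Settings entries, assumed to look like "[key, value]".
        [string[]]$CurrentSettings = @()
    )

    # The older setting takes precedence: if it has a value, the CPU settings are ignored.
    if ($CurrentSettings -match '^\[\s*ScannerConcurrencyLevel\s*,\s*[^\]\s]') {
        throw 'ScannerConcurrencyLevel is set on this policy, so ScannerMaxCPU and ScannerMinCPU would be ignored.'
    }

    # ScannerMinCPU cannot be higher than ScannerMaxCPU. This also catches the case
    # where ScannerMaxCPU is lowered below 50 while ScannerMinCPU stays at its default.
    if ($MinCpu -gt $MaxCpu) {
        throw "ScannerMinCPU ($MinCpu) cannot be higher than ScannerMaxCPU ($MaxCpu)."
    }

    if ($MaxCpu -eq 100) {
        Write-Warning 'ScannerMaxCPU=100 means no CPU limit; ScannerMinCPU is not used.'
    }
    elseif (($MaxCpu - $MinCpu) -lt 15) {
        Write-Warning "ScannerMinCPU should be at least 15 points below ScannerMaxCPU ($MaxCpu)."
    }

    # Values are passed as strings, as in the other examples in this article.
    return @{ ScannerMaxCPU = "$MaxCpu"; ScannerMinCPU = "$MinCpu" }
}

$settings = New-ScannerCpuSetting -MaxCpu 70 -MinCpu 50
$settings

# With a Security & Compliance PowerShell session, apply to the policy named "Scanner":
# Set-LabelPolicy -Identity Scanner -AdvancedSettings $settings
```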

ScannerConcurrencyLevel

Important

We recommend limiting CPU consumption by using the advanced settings ScannerMaxCPU and ScannerMinCPU instead of ScannerConcurrencyLevel that's supported for backwards compatibility.

When this older advanced setting is specified, ScannerMaxCPU and ScannerMinCPU advanced settings are ignored.

By default, the scanner uses all available processor resources on the computer running the scanner service. If you need to limit the CPU consumption while this service is scanning, specify the number of concurrent threads that the scanner can run in parallel. The scanner uses a separate thread for each file that it scans, so this throttling configuration also defines the number of files that can be scanned in parallel.

When you first configure the value for testing, we recommend you specify 2 per core, and then monitor the results. For example, if you run the scanner on a computer that has 4 cores, first set the value to 8. If necessary, increase or decrease that number, according to the resulting performance you require for the scanner computer and your scanning rates.

  • Key: ScannerConcurrencyLevel

  • Value: <number of concurrent threads>

Example PowerShell command, where your label policy is named "Scanner":

Set-LabelPolicy -Identity Scanner -AdvancedSettings @{ScannerConcurrencyLevel="8"}

ScannerFSAttributesToSkip

By default, the information protection scanner scans all relevant files. However, you might want to define specific files to be skipped, such as for archived files or files that have been moved.

Enable the scanner to skip specific files based on their file attributes by using the ScannerFSAttributesToSkip advanced setting. In the setting value, list the file attributes that will enable the file to be skipped when they are all set to true. This list of file attributes uses the AND logic.

Example PowerShell commands, where your label policy is named "Global".

Skip files that are both read-only and archived

Set-LabelPolicy -Identity Global -AdvancedSettings @{ ScannerFSAttributesToSkip =" FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_ARCHIVE"}

Skip files that are either read-only or archived

To use an OR logic, run the same property multiple times. For example:

Set-LabelPolicy -Identity Global -AdvancedSettings @{ ScannerFSAttributesToSkip =" FILE_ATTRIBUTE_READONLY"}
Set-LabelPolicy -Identity Global -AdvancedSettings @{ ScannerFSAttributesToSkip =" FILE_ATTRIBUTE_ARCHIVE"}

Tip

We recommend that you consider enabling the scanner to skip files with the following attributes:

  • FILE_ATTRIBUTE_SYSTEM
  • FILE_ATTRIBUTE_HIDDEN
  • FILE_ATTRIBUTE_DEVICE
  • FILE_ATTRIBUTE_OFFLINE
  • FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS
  • FILE_ATTRIBUTE_RECALL_ON_OPEN
  • FILE_ATTRIBUTE_TEMPORARY

For a list of all file attributes that can be defined in the ScannerFSAttributesToSkip advanced setting, see the Win32 File Attribute Constants.
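
The following added example (not part of the original article) previews which files in a folder carry every attribute in a ScannerFSAttributesToSkip list, so you can see what the AND logic would leave unscanned before you set the value. The function name and the temporary test files are constructed for illustration, it is intended for Windows, and it only reads file attributes; it does not reproduce the scanner's own code.

```powershell
# Added example. Numeric values are the Win32 file attribute constants.
$Win32Attr = @{
    FILE_ATTRIBUTE_READONLY = 0x1;  FILE_ATTRIBUTE_HIDDEN    = 0x2
    FILE_ATTRIBUTE_SYSTEM   = 0x4;  FILE_ATTRIBUTE_ARCHIVE   = 0x20
    FILE_ATTRIBUTE_DEVICE   = 0x40; FILE_ATTRIBUTE_TEMPORARY = 0x100
    FILE_ATTRIBUTE_OFFLINE  = 0x1000
    FILE_ATTRIBUTE_RECALL_ON_OPEN        = 0x40000
    FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS = 0x400000
}

function Get-SkipCandidate {
    param(
        [Parameter(Mandatory)][string]$Path,
        # The same comma-separated text you would put in ScannerFSAttributesToSkip.
        [Parameter(Mandatory)][string]$AttributeList
    )
    $mask = 0
    foreach ($name in ($AttributeList -split ',').Trim()) {
        if (-not $Win32Attr.ContainsKey($name)) { throw "Unknown attribute name: $name" }
        $mask = $mask -bor $Win32Attr[$name]
    }
    # AND logic: a file matches only when every listed attribute is set.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force |
        Where-Object { ([int]$_.Attributes -band $mask) -eq $mask } |
        Select-Object FullName, Attributes
}

# Constructed sample: two files, only one of which is both read-only and archived.
$dir = Join-Path ([IO.Path]::GetTempPath()) ("skiptest_" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
'a' | Set-Content (Join-Path $dir 'both.txt')
'b' | Set-Content (Join-Path $dir 'readonly.txt')
[IO.File]::SetAttributes((Join-Path $dir 'both.txt'), 'ReadOnly, Archive')
[IO.File]::SetAttributes((Join-Path $dir 'readonly.txt'), 'ReadOnly')

Get-SkipCandidate -Path $dir -AttributeList 'FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_ARCHIVE'

# Clean up the constructed files (-Force is needed for read-only files).
Remove-Item -LiteralPath $dir -Recurse -Force
```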

SharepointWebRequestTimeout

By default, the timeout for SharePoint interactions is two minutes, after which the attempted information protection client operation fails. Control this timeout using the SharepointWebRequestTimeout and SharepointFileWebRequestTimeout advanced settings, using an hh:mm:ss syntax to define the timeouts.

Specify a value to determine the timeout for all information protection client web requests to SharePoint. The default is 2 minutes.

For example, if your policy is named Global, the following sample PowerShell command updates the web request timeout to 5 minutes.

Set-LabelPolicy -Identity Global -AdvancedSettings @{SharepointWebRequestTimeout="00:05:00"}

SharepointFileWebRequestTimeout

By default, the timeout for SharePoint interactions is two minutes, after which the attempted information protection client operation fails. Control this timeout using the SharepointWebRequestTimeout and SharepointFileWebRequestTimeout advanced settings, using an hh:mm:ss syntax to define the timeouts.

Specify the timeout value for SharePoint files via information protection client web requests. The default is 15 minutes.

For example, if your policy is named Global, the following sample PowerShell command updates the file web request timeout to 10 minutes.

Set-LabelPolicy -Identity Global -AdvancedSettings @{SharepointFileWebRequestTimeout="00:10:00"}

UseCopyAndPreserveNTFSOwner

Note

This feature is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

By default, the information protection client doesn't preserve the NTFS owner that was defined before applying a sensitivity label.

To ensure that the NTFS owner value is preserved, set the UseCopyAndPreserveNTFSOwner advanced setting to true for the selected label policy.

Caution

For the scanner: Define this advanced setting only when you can ensure a low-latency, reliable network connection between the scanner and the scanned repository. A network failure during the automatic labeling process can cause the file to be lost.

Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{UseCopyAndPreserveNTFSOwner ="true"}