Let’s say you have a bright and shiny Microsoft 365 Business tenant that you have configured out of the box. This means you have set up the default policies, assigned licenses and installed the software for users.
Your user now receives an email like the above with a PDF attachment. The system has Adobe Acrobat Reader set as the default PDF reader.
The user selects to open the attachment.
Adobe Acrobat launches as expected but you receive the above error:
There was an error opening this document. Access denied.
Instead, the user downloads the file to a local drive and then tries to upload it into a SharePoint Document Library as shown above.
They are greeted by another error:
Can’t use work content here.
Your organization doesn’t allow you to use work content here.
What’s going on? Why can’t users save files? In short, the reason is Windows Information Protection (WIP). You can read more about what WIP is here:
Protect your enterprise data using Windows Information Protection (WIP)
By default Microsoft 365 Business has WIP enabled. This means there is now a distinction between ‘corporate’ and ‘personal’ data. Corporate data is data that is created using pre-defined ‘corporate’ apps like Word, Excel, PowerPoint etc. Personal data is EVERYTHING else i.e. PDFs, files from network shares, local files. Why? Because these files were NOT created by the apps authorised by the WIP policy that has been enacted by Microsoft 365 Business.
Is there a correct way to set up WIP so you don’t get these hassles? Yes, there sure is, but in this article let’s keep it simple and cover how to disable WIP for the time being so users can get on with their work.
Locate the Microsoft 365 admin center and then select the Device Policies tile as shown above.
You should then see a list of policies as shown above. In this case, I have two Application Policies for Windows 10 (one for enrolled devices and another for non-enrolled devices).
If you have multiple Application Policies for Windows 10 you’ll need to take the following actions on each policy.
Select the policy to edit it. Details of the policy you select should appear on the right as shown above.
Locate the Restrict copying of company data line. Here you’ll see the Setting is ON, thus WIP is enabled. To change this setting, select the Edit hyperlink to the right as shown.
You should see that Prevent users from copying company data to personal files is ON as shown.
Change this setting to Off as shown and then select Save.
While you wait for that to sync to the Windows 10 desktops (which should only take a few moments) let’s go into the back end of Intune and see where this setting actually is.
Navigate to Intune in the Azure portal and select Client apps from the main menu as shown above.
On the blade that appears, select App protection policies as shown.
This should display the application policies with the same names as you see in the Microsoft 365 admin center. Only application policies are listed here; device policies are elsewhere in Intune.
Select your Application policy for Windows 10.
From the blade that appears, select Required settings as shown. The state of Windows Information Protection is displayed on the right.
If WIP is enabled, the option here will be Block.
However, now that you have changed the policy via the Microsoft 365 admin center, the setting should be Off as shown above.
This confirms that WIP is now disabled in our environment.
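The same check can be scripted, so that a second Application Policy left on Block does not go unnoticed. This is an added example, not part of the original article: it assumes the Microsoft Graph PowerShell SDK for the live query, the function names are hypothetical, and the sample policy names are constructed placeholders.

```powershell
# Portal labels for the Graph enforcementLevel values of a WIP policy.
$PortalLabel = @{
    noProtection          = 'Off'
    encryptAndAuditOnly   = 'Silent'
    encryptAuditAndPrompt = 'Allow Overrides'
    encryptAuditAndBlock  = 'Block'
}

function Get-WipPolicyState {
    param([Parameter(Mandatory)][object[]]$Policies)
    foreach ($p in $Policies) {
        $level = [string]$p.enforcementLevel
        [pscustomobject]@{
            Policy    = $p.displayName
            Scope     = $p.scope
            Setting   = if ($PortalLabel.ContainsKey($level)) { $PortalLabel[$level] } else { "Unknown ($level)" }
            WipActive = $level -ne 'noProtection'   # anything but Off still enforces WIP
        }
    }
}

function Get-WipPoliciesFromGraph {
    # Assumes the Microsoft.Graph.Authentication module and a prior:
    #   Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All'
    # Paging (@odata.nextLink) is not followed; a small tenant has only a few policies.
    $sources = @{
        'With enrollment'    = 'mdmWindowsInformationProtectionPolicies'
        'Without enrollment' = 'windowsInformationProtectionPolicies'
    }
    foreach ($scope in $sources.Keys) {
        $uri = "https://graph.microsoft.com/v1.0/deviceAppManagement/$($sources[$scope])"
        foreach ($p in (Invoke-MgGraphRequest -Method GET -Uri $uri).value) {
            [pscustomobject]@{ displayName = $p.displayName; enforcementLevel = $p.enforcementLevel; scope = $scope }
        }
    }
}

# Constructed sample: two policies, only one of which was switched to Off.
$sample = @(
    [pscustomobject]@{ displayName = 'Sample policy (enrolled)';     enforcementLevel = 'noProtection';         scope = 'With enrollment' }
    [pscustomobject]@{ displayName = 'Sample policy (non-enrolled)'; enforcementLevel = 'encryptAuditAndBlock'; scope = 'Without enrollment' }
)
Get-WipPolicyState -Policies $sample | Format-Table -AutoSize
# Against a live tenant: Get-WipPolicyState -Policies (Get-WipPoliciesFromGraph)
```

Any row with WipActive set to True is a policy that will keep producing the errors described earlier.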
If you now return to SharePoint on the workstation, and assuming the policy has synced to the desktop, the upload of the file should work, along with everything else that was blocked, including viewing PDFs.
Thus, to overcome the WIP issues with Microsoft 365 Business out of the box, you will probably need to change the Application Policy for Windows 10 as shown above.
How do you correctly configure WIP for your environment to take advantage of all the protection it offers? Stay tuned for an upcoming article on just that.