We recently encountered an issue with Windows Information Protection:
Users attempting to open Office 2016 C2R document such as a Word or Excel file would receive a prompt “How do you want to open this work file”, no matter how many times the checkbox “Always use this app to open …” was selected it would always prompt.
The system was prompting due to the user attempting to open a “Work Protected” document with an application that was not in the WIP Approved list. The document could be saved locally and ownership changed to personal – in this scenario doc would open without the prompt. The ownership is then changed back to work where the prompt re-appears.
But wait!!! I’m confident that I’ve included Office C2R in my WIP allowed applications list so why are apps like Word and Excel not showing as allowed apps?
If you have configured Office 2016 C2R as per the Microsoft documentation its likely you added the “Allow and Exempt AppLocker policy files (.zip files)” to turn the suite on for WIP. In Version 1808 of Office C2R Microsoft changed the product name of Office from “Microsoft Office 2016” to “Microsoft Office”, the AppLocker XML currently (Oct 2018) contains references to “Microsoft Office 2016” and actually blocks “Microsoft Office”. To sort this out we modified the XML to change the “Microsoft Office 2016” values to “”Microsoft Office” and removed the block rule. We found the easiest way to do this is:
Run secpol.msc as Administrator, expand Application Control Policies, Right Click “AppLocker” > Import Policy, Select the downloaded “O365 ProPlus – WIPMode-Allow – Enterprise AppLocker Policy File.xml” file. You may get prompted to overwrite existing rules, WIP configures these slightly different than traditional AppLocker so its likely you have 0 anyway – Just accept. You should now see the rule set, simply go through all the rules referencing “Microsoft Office 2016” and simply remove 2016, next find the deny rule for “Microsoft Office” and remove it. When done right Click AppLocker > Export Policy, save locally. You can now import the policy to Windows Information Protection. With Intune you simply need to sync and the policy should pull down to the EUD and the prompts will be no more. (Restart not Required)
Useful tips:
You can actually find the WIP AppLocker ruleset in “C:\Windows\System32\AppLocker\MDM\” navigate through some GUID’s and you will find the EXE folder within “EnterpriseDataProtection” which contains a policy.xml.
When opening an unknown filetype you will get prompted “How do you want to open this file”, under each application it lists whether it can open work or personal files (In our case Office Apps said nothing)
You can use the “Get-AppLockerFileInformation” PowerShell CMDlet to view details like Product Name, Publisher etc.
