Let me show you how Intune can support my colleague Nikki Chapple’s post on how to use Purview sensitivity labels with your PDF files.
Using Microsoft Purview sensitivity labels, you can add a visible classification label, protect your PDF files with encryption and add visible markings such as headers, footers and watermarks. Your PDF files now respect any data loss prevention (DLP) policies, such as blocking external sharing of confidential data. This will give your PDF files the same sensitivity labels as you use with your Word, PowerPoint and Excel files.
Read the blog post from Nikki Chapple to learn how this works from a user's perspective:
How to use sensitivity labels with your PDF files (nikkichapple.com)
Implement at scale with Intune
Nikki mentions the implementation steps necessary to get this functionality in place. I will now guide you through this implementation by use of Intune.
Enable Adobe Acrobat to work with Microsoft sensitivity labels
As Nikki describes, the functionality is enabled in Adobe Acrobat by adding three Windows Registry settings. This will enable the document message bar in Adobe Acrobat in addition to default and mandatory labelling upon saving files in Adobe Acrobat.
The tricky part of this configuration is the one setting that must be added to the HKEY_CURRENT_USER (HKCU) hive of the registry. This is because PowerShell scripts or Proactive Remediation scripts running as the logged-in user are blocked, and scripts running in the system context do not have direct access to the user's HKCU hive.
I found some inspiration in an old blog post from Rudy Ooms to address this challenge: Intune User / HKCU registry settings from system context (call4cloud.nl)
My code is available for download at my GitHub, and it looks like this.
The code has some in-place comments on vital locations to describe the flow and actions.
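One way to write a per-user value from the system context, as an added example that is not the author's script from GitHub: it finds the interactively logged-on users by the owner of `explorer.exe` and writes to their hives under `HKEY_USERS\<SID>`. The registry path and value name are placeholders (take the real ones from Nikki's post or Adobe's documentation), and the function names `Get-InteractiveUserSid` and `Set-UserHiveDword` are hypothetical.

```powershell
# Added example, not the author's script. Run as SYSTEM (Intune platform script).
# Writes one DWORD into the hive of each interactively logged-on user through
# HKEY_USERS\<SID>, because HKCU in the system context is SYSTEM's own hive.
param(
    [string]$SubKey    = 'Software\ExampleVendor\ExampleApp',  # placeholder path
    [string]$ValueName = 'ExampleSetting',                     # placeholder name
    [int]$ValueData    = 1
)

function Get-InteractiveUserSid {
    # Every interactive session owns an explorer.exe process; the owner's SID
    # is the name of that user's hive under HKEY_USERS.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'explorer.exe'" |
        ForEach-Object { (Invoke-CimMethod -InputObject $_ -MethodName GetOwnerSid).Sid } |
        Where-Object { $_ -match '^S-1-(5-21|12-1)-' } |  # local/domain or Entra ID user
        Sort-Object -Unique
}

function Set-UserHiveDword {
    param([string]$Sid, [string]$SubKey, [string]$Name, [int]$Data)
    $hive = "Registry::HKEY_USERS\$Sid"
    if (-not (Test-Path -LiteralPath $hive)) { return $false }  # hive not loaded
    $key = "$hive\$SubKey"
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null                    # creates parent keys too
    }
    New-ItemProperty -LiteralPath $key -Name $Name -Value $Data -PropertyType DWord -Force | Out-Null
    # Read back so the script reports what is actually in the registry
    return ((Get-ItemProperty -LiteralPath $key -Name $Name).$Name -eq $Data)
}

$sids = @(Get-InteractiveUserSid)
if ($sids.Count -eq 0) {
    Write-Output 'No interactive user session found; nothing written.'
    exit 1  # non-zero exit code is reported as a failure in Intune
}

$failed = 0
foreach ($sid in $sids) {
    $ok = Set-UserHiveDword -Sid $sid -SubKey $SubKey -Name $ValueName -Data $ValueData
    Write-Output "$sid : $ValueName=$ValueData written=$ok"
    if (-not $ok) { $failed++ }
}
exit $failed
```

The SID filter skips service and system accounts, so only real user hives are touched; a device with no user signed in at run time gets no per-user value.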
This script should now be published through Intune as a PowerShell script.
Give it a good name and description.
The PowerShell script will now be uploaded. Make sure it runs under the system context, and not using the logged-on credentials.
Assign the script to a group of users having Adobe Acrobat installed.
The script should now start to distribute in your environment.
You can check status on the implementation.
The devices will now have the functionality available in Adobe Acrobat as described in Nikki’s post.
As Nikki mentions, there are some prerequisites for this to work as expected.
Adobe Acrobat version
To natively use Microsoft sensitivity labels in PDF files, you must install the latest version of Adobe Acrobat (not Adobe Reader).
There are some options available to support you on this through Intune. I haven’t found Adobe Acrobat as part of the new Microsoft Store Experience. This gives you the following options for distributing and keeping Adobe Acrobat up to date:
- Follow Adobe’s instructions on how to deploy Adobe packages using Microsoft Intune and make sure you are distributing the latest version supporting the PDF labels.
Deploy Adobe packages using Microsoft Intune
- Use third-party tools like Scappman or Patch My PC (which have recently joined forces) to keep third-party applications up to date.
Remove previous MIP plug-ins
If you have previously used any Microsoft Information Protection (MIP) plug-ins for Adobe Acrobat, these are no longer needed and must be removed. If you distributed these through Intune from the downloadable MSI files, you should now remove them and use the built-in functionality starting with the June 2022 release of Adobe Acrobat.