How to use Intune to enable sensitivity labels on PDF files

Let me show you how Intune can support my colleague Nikki Chapple’s post on how to use Purview sensitivity labels with your PDF files.

Nikki Chapple's blog post covering how to use sensitivity labels with your PDF files.

Using Microsoft Purview sensitivity labels, you can add a visible classification label, protect your PDF files with encryption and add visible markings such as headers, footers and watermarks. Your PDF files now respect any Data Loss Prevention policies, such as blocking external sharing of confidential data. This gives your PDF files the same sensitivity labels you use with your Word, PowerPoint and Excel files.

Read the blog post from Nikki Chapple to learn how this works from a user's perspective:
How to use sensitivity labels with your PDF files (nikkichapple.com)

Implement at scale with Intune

Nikki mentions the implementation steps necessary to get this functionality in place. I will now guide you through this implementation using Intune.

Enable Adobe Acrobat to work with Microsoft sensitivity labels

As Nikki describes, the functionality is enabled in Adobe Acrobat by adding three Windows Registry settings. This will enable the document message bar in Adobe Acrobat in addition to default and mandatory labelling upon saving files in Adobe Acrobat.

The tricky part of this configuration is the one setting that must be added to the HKEY_CURRENT_USER (HKCU) hive of the registry. This is because PowerShell scripts and Proactive Remediation scripts running as the logged-in user are blocked, and scripts running in the system context do not have direct access to the user's HKCU hive.

I have found some inspiration in an old blog post from Rudy Ooms to target this challenge: Intune User / HKCU registry settings from system context (call4cloud.nl)

PowerShell Script

My code is available for download on my GitHub, and it looks like this.

<#
  .NOTES
  ===========================================================================
   Created on:   	20.12.2022
   Created by:   	Simon Skotheimsvik
   Filename:     	Win11-EnableAdobeAcrobatForMicrosoftSensitivityLabels.ps1
   Info:          https://skotheimsvik.no
  ===========================================================================
  
  .DESCRIPTION
    This script sets registry information in Windows10 and Windows11
    to enable Adobe Acrobat to work with Microsoft Sensitivity labels
    defined in Microsoft Purview as defined by Nikki Chapple in her blog
    https://nikkichapple.com/how-to-use-sensitivity-labels-with-your-pdf-files/
    
    The script can be assigned to users in Microsoft Endpoint Manager.
    
  .EXAMPLE
    Win11-EnableAdobeAcrobatForMicrosoftSensitivityLabels.ps1 
#>

#region - Get information about signed in user. 
# Routine inspired by Rudy Ooms: https://call4cloud.nl/2020/03/how-to-deploy-hkcu-changes-while-blocking-powershell/#part4

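# Get information of current user (owner of the first explorer.exe process)
$currentUser = (Get-Process -IncludeUserName -Name explorer | Select-Object -First 1 | Select-Object -ExpandProperty UserName).Split("\")[1] 

# Find the profile key whose values mention the user name.
# The name is regex-escaped so characters such as "." match literally.
$Keys = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\" -Recurse
Foreach ($Key in $Keys) {
  IF (($key.GetValueNames() | ForEach-Object { $key.GetValue($_) }) -match "\b$([regex]::Escape($currentUser))\b" ) { $sid = $key }
}

# Stop if no profile was found, so nothing is written to a malformed HKU path
IF (-not $sid) { Write-Error "No profile found for the signed-in user."; exit 1 }

# Add SID of current user to a variable
$sid = $sid.pschildname

New-PSDrive HKU Registry HKEY_USERS | out-null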
#endregion

#region Variables for sensitivity labels in Adobe Acrobat

$RegKeyPath1 = "HKLM:\SOFTWARE\WOW6432Node\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown"
$RegKeyPath2 = "HKU:\$sid\SOFTWARE\Adobe\Adobe Acrobat\DC\MicrosoftAIP"

$bMIPCheckPolicyOnDocSave = "bMIPCheckPolicyOnDocSave"
$bMIPCheckPolicyOnDocSaveValue = 1

$bMIPLabelling = "bMIPLabelling"
$bMIPLabellingValue = 1

$bShowDMB = "bShowDMB"
$bShowDMBValue = 1
#endregion

#region Implementation of registry settings
IF (!(Test-Path $RegKeyPath1)) {
  New-Item -Path $RegKeyPath1 -Force | Out-Null
}

IF (!(Test-Path $RegKeyPath2)) {
  New-Item -Path $RegKeyPath2 -Force | Out-Null
}

New-ItemProperty -Path $RegKeyPath1 -Name $bMIPCheckPolicyOnDocSave -Value $bMIPCheckPolicyOnDocSaveValue -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $RegKeyPath1 -Name $bMIPLabelling -Value $bMIPLabellingValue -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $RegKeyPath2 -Name $bShowDMB -Value $bShowDMBValue -PropertyType DWord -Force | Out-Null

# Clears the error log from powershell before exiting
$error.clear()

#endregion
The code has inline comments at key points to describe the flow and actions.

Intune Distribution

This script should now be published through Intune as a PowerShell script.

Give it a good name and description.

The PowerShell script will now be uploaded. Make sure it runs under system context, and not using the logged on credentials.

Assign the script to a group of users having Adobe Acrobat installed.

The script should now start to distribute in your environment.

You can check status on the implementation.

The devices will now have the functionality available in Adobe Acrobat as described in Nikki’s post.
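
To confirm on a device that the settings landed, the following added example (not part of the original script) reads the three values back and reports each one. The function name Get-AcrobatLabelState is hypothetical, and resolving the SID with NTAccount.Translate is a substitute for the ProfileList lookup used above; run it elevated or in the system context while the user is signed in.

```powershell
# Added example: read back the three Adobe Acrobat values deployed by the script above.
# Get-AcrobatLabelState is a hypothetical helper name, not part of the original script.
function Get-AcrobatLabelState {
    # Owner of the interactive shell, e.g. DOMAIN\user (-IncludeUserName requires elevation)
    $owner = Get-Process -Name explorer -IncludeUserName -ErrorAction SilentlyContinue |
        Select-Object -First 1 -ExpandProperty UserName
    if (-not $owner) { throw 'No interactive user session found.' }

    # Translate the account name to its SID instead of pattern-matching ProfileList
    $sid = ([System.Security.Principal.NTAccount]$owner).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    # Same paths and value names as in the deployment script
    $policy = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown'
    $user   = "Registry::HKEY_USERS\$sid\SOFTWARE\Adobe\Adobe Acrobat\DC\MicrosoftAIP"
    $expected = @(
        @{ Path = $policy; Name = 'bMIPCheckPolicyOnDocSave' }
        @{ Path = $policy; Name = 'bMIPLabelling' }
        @{ Path = $user;   Name = 'bShowDMB' }
    )

    foreach ($item in $expected) {
        # A missing key or value yields $null, which is reported as non-compliant
        $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        [pscustomobject]@{
            Name      = $item.Name
            Path      = $item.Path
            Actual    = $actual
            Compliant = ($actual -eq 1)
        }
    }
}

$state = Get-AcrobatLabelState
$state | Format-Table Name, Actual, Compliant -AutoSize

# Exit code 1 if any of the three values is missing or not set to 1
if ($state.Compliant -contains $false) { exit 1 } else { exit 0 }
```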

Prerequisites

As Nikki mentions, there are some prerequisites for this to work as expected.

Adobe Acrobat version

To natively use Microsoft sensitivity labels in PDF files, you must install the latest version of Adobe Acrobat (Not Adobe Reader).

There are some options available to support you on this through Intune. I haven’t found Adobe Acrobat as part of the new Microsoft Store Experience. This gives you the following options for distributing and keeping Adobe Acrobat up to date:

Remove previous MIP plug-ins

If you have previously used any Microsoft Information Protection (MIP) plug-ins for Adobe Acrobat, these are no longer needed and must be removed. If you distributed these through Intune from the downloadable MSI files, you should now remove them and use the built-in functionality starting with the June 2022 release of Adobe Acrobat.

One Comment

  1. […] One year ago, Nikki and I collaborated on another cross-posting where we complemented each other’s knowledge to provide a comprehensive solution. Have you seen it? – How to use sensitivity labels with your PDF files (nikkichapple.com) – Simon does How to use Intune to enable sensitivity labels on PDF files (skotheimsvik.no) […]
