How Working with Protected PDFs in Microsoft 365 is Becoming Easier

The Long Road to Progress

Sensitivity labels do an excellent job of protecting Office documents, largely because the applications include the necessary code to apply and access encrypted documents. The situation is less successful when dealing with other common business file formats (like protected PDFs). The now-almost obsolete unified labeling client contains an Explorer extension that allows users to Classify and protect files. This approach works for some file types (like the MP4 files generated by Teams meeting recordings), but needs to be tested to ensure that it works and is usable for other kinds of files.

Things would be much better if maintainers of file types incorporated code from the Microsoft Information Protection (MIP) SDK into their products. For example, Adobe PDF is a very common file format used for business purposes. In December 2018, Adobe and Microsoft announced the availability of an integration of MIP with Adobe Acrobat Reader. Essentially, Adobe added code to support the opening of protected PDFs using a plug-in created by Microsoft.

Edge and Protected PDFs

In 2020, Microsoft upgraded the Edge browser to open protected PDFs. This made life easier because Edge can use cached credentials (from accessing other Microsoft 365 apps like OWA or OneDrive for Business) to validate a user’s identity and establish their rights to access protected content.

One issue that continues with Edge is that although it displays a banner to inform the user that they’re accessing a protected PDF, it doesn’t reveal the name of the sensitivity label (Figure 1). By comparison, Adobe Acrobat Reader DC displays the label when it opens a protected PDF (Figure 2).

Edge doesn't display the sensitivity label name used for a protected PDF
Figure 1: Edge doesn’t display the sensitivity label name used for a protected PDF

Acrobat Reader DC displays the name of the sensitivity label used for a protected PDF
Figure 2: Acrobat Reader DC displays the name of the sensitivity label used for a protected PDF

Considering their tendency to throw the kitchen sink into Edge in terms of new features, it’s a curious omission on the part of the Edge developers.

On small point: since the launch of the MIP plug-in for Adobe, a registry value controls the display of the information bar for sensitivity labels. Originally, it was necessary to have a single DWORD value called bShowDMB set to 1 at HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\DC\MicrosoftAIP to expose the information bar.

For whatever reason, with the latest update, Adobe appears to have moved the value to HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\MicrosoftAIP. Or maybe the value needs to exist in both locations. My PC currently only has bShowDMB set at Adobe Acrobat\DC\MicrosoftAIP and everything is working.

Issues with Protected PDFs

Although it became less difficult to open protected PDFs, two issues remained:

  • Microsoft deprecated the unified labeling client. Its strategy is to build native MIP support into applications instead of depending on a separate client. The unified labeling client is now in maintenance mode.
  • Having to download and install a separate MIP plug-in for Adobe Acrobat is a separate administrative operation that users often overlook. This leads to frustration when they can’t access protected PDFs.

Another issue is that you can’t apply sensitivity labels to items stored in SharePoint Online or OneDrive for Business through the browser GUIs. This doesn’t matter so much for Office documents because sensitivity label support is available in the application. However, it means that if you want to protect PDFs, you must apply sensitivity labels using the unified labeling client before uploading the PDFs to Office 365. This action requires users to have Azure Information Protection licenses.

Improving Sensitivity Label Support for PDFs

Help is on the horizon. Three developments are coming together to make protected PDFs easier to generate and use.

  • The latest Office Insider build includes the ability to output protected PDFs when saving, exporting, or sharing Office documents with sensitivity labels. The output PDFs inherit the same protection as applied to the source documents. Some gotchas exist, like the need for developers of PDF add-ins to potentially update their code and the inability to retain protection when printing to PDF. Even so, this is a big step forward because it removes the need to use the unified labeling client to apply a sensitivity label to protect PDFs.
  • The latest version of Adobe Acrobat Reader DC (version 22.001.20142 and later) bundles the MIP plug-in with its installer, removing the need for a separate installation. The benefit of hindsight is that bundling the plug-in is something that Adobe probably should have done sooner.
  • Microsoft 365 roadmap item 93331 (due in preview in June with general availability in October 2022) describes an integration with Adobe Acrobat to allow users to apply sensitivity labels within the application on Windows and macOS. Apparently, this covers the paid-for versions of Acrobat rather than the free reader, but it’s still an improvement. (update: the integration is now available)

While the Office update is the most important, collectively, these changes will make it much easier to create protected PDFs.


Keep up to date with developments like changes in sensitivity labels and Office by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.