Office365 ProPlus can’t open files on SMB Share protected by WIP

Standard

The last 2 weeks I was working on an issue where users were unable to open Office files with Office365 ProPlus on SMB shares protected by Windows Information Protection. If the SMB share was part of the enterprise context the user was not able to open or change files with Office applications. Other applications which were part of the WIP configuration were able to open the same files without any issues. Together with Microsoft Support and the PG we’ve found a solution and a workaround (which I will describe in this blogpost). Unfortunately the root cause of the issue is not known at this moment. Not all of the users have this issue but the majority of the customers user population had the issue.

Let’s start once again with describing the issue including the error message and the what we’ve discovered during the troubleshooting:

Issue:

Users are unable to open office (Word,Excel, PowerPoint) files using Office365 ProPlus on SMB shares which are part of a Windows Information Protection Policy. Users receiving the following message when opening the file: Sorry, we couldn’t open <file>.

During the investigation of the issue together with Microsoft Premier Support we’ve discovered the following:

  • Issue is occurring on Windows 10 1703 version;
  • Issue is occurring in Office365 ProPlus version of the Deferred (1705) and Monthly Channel(1708);
  • The office files can be opened with other apps like Notepad and WordPad, with these apps you can use make changes to the file;
  • When the SMB share is not part of the WIP policy the user is able to open and change the files;
  • Issue is not related to an Antivirus solution, removing Antivirus is not solving the issue;
  • Issue is not related to the Internet Explorer configuration of Security Zones, adding to servers to a trusted or intranet zone will not solve the issue;
  • Office applications are part of the WIP policy and running in the correct WIP context (Exempt or Enlightened);
  • Not all users at the customer suffered this issue;

At this moment the root cause of the issue is still not known, especially the reason why some users have no issues at all. But the good news is, that together with Microsoft Support, we’ve identified a fix which is solving this issue for all users. This fix is already included in the Windows Insider build (1709 – Creator’s Update Fall). At this moment the fix is not available for Windows 10 1703. As soon as the fix becomes available I will update this blogpost with the CU in which the fix is included.

Workaround:

Since the hotfix is not yet available for the 1703 version of Windows 10 we needed to create a workaround so the users were able to files on SMB shares but still had an the Windows Information Protection active on their client. The workaround we implemented is the following:

  • Remove the File servers of the SMB shares from the WIP policy configuration;
  • Change the WIP mode to silent to reduce the number of messages for the users about switching contexts.

If you want to have more information about Windows Information Protection, please read this documentation. If you want to have more information on this issue you can always contact me or create a case through Microsoft Premier Support.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.