{"id":855,"date":"2020-10-12T10:35:51","date_gmt":"2020-10-12T15:35:51","guid":{"rendered":"https:\/\/itblog.ldlnet.net\/?p=855"},"modified":"2021-03-15T15:54:58","modified_gmt":"2021-03-15T20:54:58","slug":"error-policy-is-missing-when-trying-to-load-and-run-an-aip-mip-ul-on-premises-content-scan","status":"publish","type":"post","link":"https:\/\/itblog.ldlnet.net\/index.php\/2020\/10\/12\/error-policy-is-missing-when-trying-to-load-and-run-an-aip-mip-ul-on-premises-content-scan\/","title":{"rendered":"Error: Policy Is Missing when trying to load and run an AIP\/MIP UL on-premises content scan"},"content":{"rendered":"\n

WORKAROUND UPDATE!
SEE AT END OF THIS POST!<\/a><\/h2>\n\n\n\n

There is a current BUG is has been filed with Microsoft that relates to AIP\/MIP Scanner and running a Unified Labeling content scan on premises. The main issue is with the Security and Compliance Center and it replicating the Policies that you create for your Sensitivity Labels in your M365 Tenant. <\/p>\n\n\n\n

Since these Policies will not replicate, your content scans will fail and you will see the following error within the Azure Portal under Azure Information Protection:<\/p>\n\n\n\n

\"\"
Error: Policy is missing in AIP<\/figcaption><\/figure>\n\n\n\n

You will be able to verify that the Policies are present in the Security and Compliance Center under the Information Protection page and the Policies Page in Azure Information Protection:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

NOTE: I had created my labels and label policies in Azure AIP and migrated them to Security and Compliance Center via the following LINK<\/a><\/em><\/strong><\/p>\n\n\n\n

What you will also notice, if you create a policy in SCC, it will NOT replicate to Azure.<\/p>\n\n\n\n

Next, I checked to see if the AIP Scanner Service Account has the policies applied to it as a member recipient of the policies. It needs to so that the account can apply labels to on premises accounts through the policy.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\n\n\n\n

Let’s continue troubleshooting…<\/h2>\n\n\n\n

The AIP Scanner account was a member of a defined policies in the Security & Compliance Center and you are still having issues:<\/p>\n\n\n\n

  1. Is the AIP Scanner service started?<\/li>
  2. If the answer is no, start it<\/li>
  3. From PowerShell run the following:<\/li><\/ol>\n\n\n
    Get-AIPScannerStatus | fl<\/pre>\n\n\n\n
    \"\"
    Sample Output<\/figcaption><\/figure><\/div>\n\n\n\n
    It says it is scanning, but you are not getting results AND you have that Error: Policy is missing<\/strong> statement in the Nodes Tab of AIP.<\/p>\n\n\n\n
    The next thing to verify this whether or not the policy is replicating from SCC to Azure. This is done through PowerShell by running the following:<\/p>\n\n\n\n
    Connect to SCC PowerShell<\/strong><\/p>\n\n\n
    $userCredential = get-credential\n\nWrite-Host \"Connecting to your Security and Compliance Center PowerShell Console\"\n\n$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https:\/\/ps.compliance.protection.outlook.com\/powershell-liveid\/ -Credential $UserCredential -Authentication Basic -AllowRedirection\n\nImport-PSSession $Session -DisableNameChecking\n<\/pre>\n\n\n\n
    Check the policy replication status<\/strong><\/p>\n\n\n
    Get-labelpolicy | select-object Name,DistributionStatus,WhenCreated,WhenChanged | FL\n\n<\/pre>\n\n\n\n
    \"\"
    Sample Output
    Distribution Status is in Pending<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n
    Normal replication is up to 24 hours for a change or policy addition. So, if your WhenChanged or WhenCreated values are more than 24 hours old, then they are NOT replicating. You can further verify this by running the following:<\/p>\n\n\n
    get-labelpolicy -identity \"Name of your Policy\" | fl DistributionResults,LastStatusUpdateTime\n\n<\/pre>\n\n\n\n
    \"\"
    Sample Output
    Replication Taking Longer Than Expected Error<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n
    \n\n\n\n
    What do I do next?<\/h3>\n\n\n\n
    If you have this error, it would be best to log a support call with Microsoft and explain that you have the AIP UL Policy Replication Error<\/strong>. From my sources they are saying this is a known issue with the SCC and Azure that will be remediated by the end of October. 

    So, in the meantime, I guess we will wait!<\/p>\n\n\n\n
    \n\n\n\n
    WORKAROUND<\/h2>\n\n\n\n
    After troubleshooting with this issue with some of my Microsoft Colleagues, I was able to get the Scanner to start scanning properly with out the error being listed in the Azure Portal. Here are the steps.<\/p>\n\n\n\n
    On the scanner node, right-click a file or folder and choose to protect it:<\/p>\n\n\n\n
    \"\"<\/figure><\/div>\n\n\n\n
    Next, within the AIP Application, choose Help and Feedback<\/strong><\/p>\n\n\n\n
    \"\"<\/figure><\/div>\n\n\n\n
    Next, choose Reset Settings<\/strong><\/p>\n\n\n\n
    \"\"<\/figure><\/div>\n\n\n\n
    Click Continue<\/strong><\/p>\n\n\n\n
    \"\"<\/figure><\/div>\n\n\n\n
    Once completed, click Close<\/strong>, then exit the AIP application. This clears all the registry settings within the scanner node.<\/p>\n\n\n\n
    Now you will want to reset all the local files for the scanner<\/strong><\/p>\n\n\n\n
    First, stop the scanner services for the scanner and network discovery<\/p>\n\n\n
    Stop-Service AIPScanner\n\nStop-Service AIPNetworkDiscovery\n<\/pre>\n\n\n\n
    Next, navigate to the following folder for the local account that is used for AIP scanner. Example – C:\\Users\\AIPScanner\\AppData\\Local\\Microsoft\\MSIP<\/em><\/strong>
    Rename or Delete<\/strong> the MIP folder in that MSIP directory. 
    (I renamed my folder to mip-old2)<\/p>\n\n\n\n
    \"\"
    Rename or Delete the mip<\/strong> folder<\/figcaption><\/figure>\n\n\n\n
    Restart the services you stopped<\/p>\n\n\n
    Start-Service AIPScanner\n\nStart-Service AIPNetworkDiscovery\n<\/pre>\n\n\n\n
    You should now see the scanner as Running and Working within the Azure Portal. No more errors should be listed.<\/p>\n\n\n\n
    \"\"<\/figure><\/div>\n\n\n\n
    Thanks to Angel Marroquin at Microsoft for the assistance on this workaround!<\/p>\n\n\n\n
    \n\n\n\n
    THANKS FOR VIEWING!<\/strong>
    KEEP THE COMMENTS FLOWING!<\/h2>\n\n\n\n
    REFERENCES:<\/em><\/strong>
    Migrate AIP Policies<\/a>
    AIP FAQ<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    WORKAROUND UPDATE!SEE AT END OF THIS POST! There is a current BUG is has been filed with Microsoft that relates to AIP\/MIP<\/p>\n
    Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":782,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[195,267,265,194,3,266],"tags":[270,90,272,192,177,239,94],"class_list":["post-855","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-azure-active-directory","category-microsoft365","category-office365","category-powershell","category-security-and-compliance","tag-aip","tag-azure","tag-azure-information-protection","tag-azure-portal","tag-microsoft-365","tag-microsoft365","tag-security-and-compliance","odd"],"_links":{"self":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts\/855","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/comments?post=855"}],"version-history":[{"count":7,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts\/855\/revisions"}],"predecessor-version":[{"id":916,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts\/855\/revisions\/916"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/media\/782"}],"wp:attachment":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/media?parent=855"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/categories?post=855"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/tags?post=855"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}