Azure information protection custom policies not working

Ion Zubia  and other in this thread

I have been following the entire thread and some of these solutions may not work. I found a solution that always works and I have tested all of the scenarios as follows:

• Improper installation of AIP Unified Labeling Client
• Improper upgrade of AIP Unified Labeling Client
• UL Client was unable to download protection template from RMS Service due to network issue
• UL Client unable to update stale protection template tokens cache stored locally in user profile

Check the following before proceeding

• User has AIP P1/P2 license
• User is logged into office App with correct account. If multiple account is used to login, please log out from all other account except the account that is supposed to use the AIP Protection.
• Ensure that there are no additional Work Account added to windows 10 other than the account using AIP Protection.

Solution 1: - Delete Crypto Keys from the effected user profile

• Close all the office apps. Word, Outlook, Excel and PowerPoint.
• On file explorer navigated to the folder "%APPDATA%\Microsoft\Crypto\" in there please rename the folder Keys to any name.
• Open Word and click on Sensitivity Icon -> Help and Feedback -> Reset Settings.
• Close Word and re-open, give couple of minutes for the UL client to retrieve labels and your Client will re-build the protection template cache too.

I've got same problem with you today.

I created a label and a label policy in M365 Security Center (I'm using Unified Labeling client as required)

But it doesn't work well.

After hours of troubleshooting and found that I've met all of those requirements mentioned in technet docs.

But, a strange default "Archived" state of the label (template) caused my custom label to stop working.

You can try using the following commands to troubleshoot:-

Set-ExecutionPolicy Bypass
Install-Module AIPService

Import-Module AIPService

Connect-AIPService

Get-AipServiceTemplate | FL

Get-AipServiceTemplateProperty -TemplateId <xxxxxxxx> -Status  <--- this reports the custom label is at "Archived" state by default, what the hell.

To fix it:-

Set-AipServiceTemplateProperty -TemplateId <xxxxxx> -Status Published

After these, I can now apply the label in either Office apps or File Explorer

This link helped me in troubleshooting

https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-templates#considerations-for-templates-in-the-azure-portal

Ion Zubia 

One thing that worked for me after getting this error message was to go to a random Word document saved anywhere on your computer. In File Explorer, right-click the Word document and click Classify and protect to open the AIP Client. 

Next, select one of your custom labels, it shouldn't matter which one and click apply. This forces the custom label in a way that you can't do in Word. After that I was able to assign custom labels within Word after that with no issues. Hope that helps.