In some scenarios where a workstation is unable to connect to a parent server on its initial deployment, the Data Protection Outlook agent could tag mails as processed, which prevents the Exchange Server Agent from acting as a backstop. As a result, some mails could be sent without the correct policy being applied.
One specific scenario arises when the CA Data Protection Agent is deployed as part of a virtual desktop image (VDI) and the parent gateway is not available. In this scenario, the Outlook client add-in has started but cannot make its initial connection to the parent server, and the infrastructure fails to start with an error like the one below:
Mar 09, 2018 07:50:57 AM System E0028 Infrastructure failed to start correctly. (Unable to make initial login connection to parent server.)
Because the infrastructure has failed to connect to its parent, it cannot download the user policy. However, the Outlook client add-in is loaded and is tagging events as being processed. Consequently, if an Exchange Server Agent (ESA) is deployed as a backstop for any "missed" mails, it will fail to process these Outlook mails because it believes that they have already been processed by the client.
Note: It is possible to use the "ReprocessClientEmails" registry option on the Exchange Server Agent (ESA) to overcome this issue; however, this can cause a lot of duplication and delays in processing.
CA Data Protection 15.0 with Microsoft Outlook
This fix should be deployed on the gold image/template from which the VDIs are created; otherwise, a restart of the Data Protection services and Outlook will be needed for the fix to work.