EnablePolicyDownload=0 is easily overridden if an end user chooses to login
We are looking at deploying AIP and will have a hybrid solution, AIP as well with AD RMS. We need to for non AIP licensed users to not see the label bar and they will continue to leverage RMS for protection. We have noticed with this key being set to 0, if a user chooses help, there is an option to login to AIP. Which in turn changes the key to 1, which downloads the templates and displays the label bar. Now if a user decides to try and click on a label, they of course get an error message that the client is not configured. Even with us setting back the key to 0, the client needs to be manually reset or we need to delete the templates out of the %localappdata% folder to get the bar to go away. Not a good end user experience and this key should not be overridden by the end user.
This can be also configured in the AIP policy with the PullPolicy = false advanced property. As of that, there is no need to configure it via registry.
The policy need to be distributed manually one this property is set.
Keith Adley commented
100% agree with this one. I have been asking for this for my organisation since the first day I tried the product. I'm having to resort to building SCCM compliance Baseline functions to monitor and fix users who have clicked "sign in". Now looking at forcing the policy file to be read only with ACL protection to stop AIP client from deleting it. This still does not prevent the sign in prompt from appearing every time the user starts Office app but it does prevent the potential damage from an invalid policy file.