Azure Information Protection client: Version release history and support policy

Applies to: Active Directory Rights Management Services, Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows 7 with SP1, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2

Instructions for: Azure Information Protection client for Windows

The Azure Information Protection team regularly updates the Azure Information Protection client for fixes and new functionality.

You can download the latest general availability release version and the current preview version (if available) from the Microsoft Download Center.

After a short delay of typically a couple of weeks, the latest general availability version is also included in the Microsoft Update Catalog with a product name of Microsoft Azure Information Protection > Microsoft Azure Information Protection Client, and the classification of Updates. This inclusion in the catalog means that you can upgrade the client by using WSUS or Configuration Manager, or other software deployment mechanisms that use Microsoft Update.

For more information, see Upgrading and maintaining the Azure Information Protection client.


Interested in using the Azure Information Protection unified labeling client because your labels are published from the Office 365 Security & Compliance Center, Microsoft 365 security center, or Microsoft 365 compliance center? When you download and then install the unified labeling client from the Microsoft Download Center, you can upgrade your Azure Information Protection client to this unified labeling client.

Servicing information and timelines

Each general availability (GA) version of the Azure Information Protection client is supported for up to six months after the release of the subsequent GA version. With the exception of this section, the documentation does not include information about unsupported versions of the client. Fixes and new functionality are always applied to the latest GA version and will not be applied to older GA versions.

Preview versions should not be deployed for end users on production networks. Instead, use the latest preview version to see and try new functionality or fixes that are coming in the next GA version. Preview versions that are not current are not supported.

General availability versions that are no longer supported:
Client version Date released 11/27/2018 09/17/2018 06/26/2018 05/30/2018 04/17/2018 09/18/2017 06/06/2017 03/15/2017 02/08/2017 10/27/2016 10/01/2016

The date format used on this page is month/day/year.

Starting 6/2/2019, the labeling service for Azure Information Protection requires connections that use TLS 1.2.

All client versions from released 03/15/2017 support TLS 1.2. Client versions,, and do not use TLS 1.2 and therefore can no longer download the Azure Information Protection policy.

Release history

Use the following information to see what’s new or changed for a supported release of the Azure Information Protection client for Windows. The most current release is listed first.


Minor fixes are not listed so if you experience a problem with the Azure Information Protection client, we recommend that you check whether it is fixed with the latest GA release. If the problem remains, check the current preview version (if available).

For technical support, see the Support options and community resources information. We also invite you to engage with the Azure Information Protection team, on their Yammer site.


Released: 10/23/2019

This version includes the MSIPC version 1.0.4008.0813 of the RMS client.

This release has general fixes for stability and performance.


Released: 07/15/2019

Supported through 04/23/2020

This version includes the MSIPC version 1.0.3889.0419 of the RMS client.

New features:

  • New advanced client setting to exempt Outlook messages from the policy setting All documents and emails must have a label. More information

  • New advanced client setting to further customize settings that implement pop-up messages in Outlook that warn, justify, or block emails being sent. With this new advanced setting, you can set a different action for email messages without attachments. More information


  • When you use File Explorer, right-click to label a file that has protection applied independently from a label, that protection is preserved. For example, a user applied custom permissions to a file.

  • When you replace the Do Not Forward option on an email thread with a label that's configured for user-defined permissions and Do Not Forward, original recipients can still open the email message.

  • In the following scenario a user no longer sees in the label tooltip that the label was automatically set by them: A user receives a protected email with a document attached that isn't labeled, but automatically protected. When the user from the same organization as the sender opens the document, the corresponding label for the protection settings is applied to the document.

  • The minimum usage right to run the Unprotect-RMSFile cmdlet is now Save As, Export (EXPORT) rather than Copy (EXTRACT).


Released: 04/16/2019

Supported through 01/15/2020

This version includes the MSIPC version 1.0.3592.627 of the RMS client.

New features:

  • The Azure Information Protection scanner is now configured from the Azure portal, rather than by using PowerShell.

    If you are upgrading from a general availability version of the scanner, the upgrade process is different from previous versions, so be sure to read Upgrading the Azure Information Protection scanner.

  • The scanner now supports multiple configuration databases on the same SQL server instance when you specify a profile name.

  • Support for the following sensitive information types that help to identify credentials in documents and emails:

    • Azure Service Bus Connection String
    • Azure IoT Connection String
    • Azure Storage Account
    • Azure IAAS Database Connection String and Azure SQL Connection String
    • Azure Redis Cache Connection String
    • Azure SAS
    • SQL Server Connection String
    • Azure DocumentDB Auth Key
    • Azure Publish Setting Password
    • Azure Storage Account Key (Generic)
  • Endpoint discovery support for Azure Information Protection analytics, to report sensitive information found when users first save an Office document (using desktop apps for Word, Excel, and PowerPoint):

    • To discover this information, the documents do not need to be labeled.
    • Sensitive information is identified by predefined and custom information types.
    • If you don't want the sensitive information types found to be sent to Azure Information Protection analytics, you can disable endpoint discovery with an advanced client setting.
  • New advanced client settings that implement pop-up messages in Outlook that can warn, justify, or block emails being sent. More information

    Note that if you configured the advanced client property of OutlookCollaborationTrustedDomains for the preview version, this setting is now replaced by three new settings, so that domains can be exempt per action: OutlookWarnTrustedDomains, OutlookJustifyTrustedDomains, and OutlookBlockTrustedDomains.

  • If you label and protect files by using the Set-AIPFileLabel cmdlet, you can use the EnableTracking parameter to register the file with the document tracking site. More information

  • A new advanced client setting for Azure Information Protection analytics, to prevent sending information type matches for a subset of users when you have selected the checkbox in the Azure portal that enables deeper analytics into your sensitive data. This setting is applicable to the client and the scanner. More information

  • New advanced client setting that's applicable only when you configure the policy setting to not display custom permissions: When there's a file that's protected with custom permissions, display the custom permissions option in File Explorer so that users can see and change them (if they have permissions to change the protection settings). More information


  • Paths and file names do not display question marks (?) instead of non-ASCII characters in Azure Information Protection analytics when the sending operating system locale is English.

  • New visual markings are consistently applied when a user adds new sections to a Word document, and then relabels the document.

  • The Azure Information Protection client correctly removes protection from a PDF document that was protected by the Rights Management sharing application.

  • Sublabels are correctly applied by PowerShell and the scanner when the parent label is configured for user-defined permissions.

  • The Azure Information Protection client correctly displays labels that have been applied by clients that support unified labeling.

  • Documents open correctly in Office without a recovery message after protection has been removed by File Explorer and right-click, PowerShell, and the scanner.

  • When you use the advanced client setting to set a default label for Outlook, you can apply a parent label that has sublabels when all those sublabels are disabled for the user.

  • When you use the policy setting For email messages with attachments, apply a label that matches the highest classification of those attachments and the label with the highest classification is configured for user-defined permissions, the outcome previously was that the label was applied to the email, but the protection was not. Now:

    • When the label's user-defined permissions include Outlook (Do Not Forward): Apply that label and its Do Not Forward protection to the email.
    • When the label's user-defined permissions are just for Word, Excel, PowerPoint, and File Explorer: Do not apply the label and do not apply any protection to the email.

Additional changes:

  • The following sensitive information types are no longer supported for labels that you configure for recommended or automatic classification:

    • EU Phone Number
    • EU GPS Coordinates
  • Because the Azure Information Protections scanner is configured from the Azure portal, the following cmdlets are now deprecated and can't be used to configure data repositories or the file types list:

    • Add-AIPScannerRepository
    • Add-AIPScannerScannedFileTypes
    • Get-AIPScannerRepository
    • Remove-AIPScannerRepository
    • Remove-AIPScannerScannedFileTypes
    • Set-AIPScannerRepository
    • Set-AIPScannerScannedFileTypes
  • A new PowerShell cmdlet, Import-AIPScannerConfiguration, for scenarios where the Azure Information Protection scanner cannot download its configuration from the Azure portal.

  • The Azure Information Protection scanner no longer excludes .zip files by default. To inspect and label .zip files, see the To inspect .zip files section of the admin guide.

  • The policy setting Users must provide justification to set a lower classification label, remove a label, or remove protection no longer applies to the scanner. The scanner performs these actions when you configure the setting Relabel files to On in the scanner profile, and then select the Allow label downgrade checkbox.

Next steps

Not sure if this is the right client to install? See Choose which labeling client to use for Windows computers.

For more information about installing and using the client: