Azure Information Protection unified labeling client - Version release history and support policy
Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Instructions for: Azure Information Protection unified labeling client for Windows
You can download the Azure Information Protection unified labeling client from the Microsoft Download Center.
After a short delay of typically a couple of weeks, the latest general availability version is also included in the Microsoft Update Catalog with a product name of Microsoft Azure Information Protection > Microsoft Azure Information Protection Unified Labeling Client, and the classification of Updates. This inclusion in the catalog means that you can upgrade the client by using WSUS or Configuration Manager, or other software deployment mechanisms that use Microsoft Update.
For more information, see Upgrading and maintaining the Azure Information Protection unified labeling client.
Servicing information and timelines
Each general availability (GA) version of the Azure Information Protection unified labeling client is supported for up to six months after the release of the subsequent GA version. The documentation does not include information about unsupported versions of the client. Fixes and new functionality are always applied to the latest GA version and will not be applied to older GA versions.
Preview versions should not be deployed for end users on production networks. Instead, use the latest preview version to see and try new functionality or fixes that are coming in the next GA version. Preview versions that are not current are not supported.
General availability versions that are no longer supported:
|Client version||Date released|
The date format used on this page is month/day/year.
Use the following information to see what’s new or changed for a supported release of the Azure Information Protection unified labeling client for Windows. The most current release is listed first. The date format used on this page is month/day/year.
Minor fixes are not listed so if you experience a problem with the unified labeling client, we recommend that you check whether it is fixed with the latest GA release. If the problem remains, check the current preview version (if available).
This client is replacing the Azure Information Protection client (classic). To compare features and functionality with the classic client, see Compare the the labeling clients for Windows computers.
Version 188.8.131.52 (preview)
Modification of PowerShell cmdlet Set-AIPFileLabel to enables removal of protection from PST, rar, 7zip and MSG files.
Added ability for Azure Information Protection administrators to control when .pfile extensions are used for files. Learn more about changing protected file types.
Dynamic visual marking support added for applications and variables. Learn more about how to configure labels for visual markings.
Improvements made to customizable policy tips for automatic and recommended labels.
Support added for offline labeling capability with Office apps in the unified labeling client.
New WordShapeNameToRemove advanced property enables removal of content marking in Word documents made by third party applications. Learn more about how to identify existing shape names and define them for removal using WordShapeNameToRemove.
Scanner related features:
- Easier SharePoint on-premises and subsite discovery. Setting each specific site is no longer required.
- Advanced property for SQL chunk sizing added.
- Administrators now have the ability to stop existing scans and perform a re-scan if a change was made to the default label.
- By default, scanner now sets minimal telemetry for faster scans and reduced log size and information types are now cached in the database. Learn more about scanner optimization.
- Scanner now supports separate deployments for database and the service, while Sysadmin rights are needed only for database deployment.
- In instances where users attempted unsuccessfully to open protected TIFF files, and TIFF files created by RightFax, the TIFF files now open and remain stable as expected.
- Previous corruptions of protected txt and PDF files are resolved.
- Inconsistent labeling between Automatic and Manual in Log Analytics was corrected.
- Unexpected inheritance issues identified between new emails and a user's last opened email is now resolved.
- Protection of .msg files as .msg.pfiles now works as expected.
- Co-owner permissions added from Office user defined settings is now applied as expected.
- When entering permissions downgrade justification, text can no longer be entered when other options are already selected.
Preview version of the scanner, to inspect and label documents on-premises data stores. With this version of the scanner:
Multiple scanners can share the same SQL Server database when you configure the scanners to use the same scanner profile. This configuration makes it easier to manage multiple scanners, and results in faster scanning times. When you use this configuration, always wait for a scanner to finish installing before installing another scanner with the same profile.
You must specify a profile when you install the scanner and the scanner database is named AIPScannerUL_<profile_name>. The Profile parameter is also mandatory for Set-AIPScanner.
You can set a default label on all documents, even if documents are already labeled. In the scanner profile or repository settings, set the Relabel files option to On with the new Enforce default label checkbox selected.
You can remove existing labels from all documents and this act includes removing protection if it was previously applied by a label. Protection applied independently from a label is preserved. This scanner configuration is achieved in the scanner profile or repository settings with the following settings:
- Label files based on content: Off
- Default label: None
- Relabel files: On with the Enforce default label checkbox selected
As with the scanner from the classic client, by default, the scanner protects Office files and PDF files. You can protect other files types when you use a PowerShell advanced setting.
Event IDs for the scanner cycles starting and finishing are not written to the Windows event log. Instead, use the Azure portal for this information.
Known issue: New and renamed labels aren't available to select as a default label for the scanner profile or repository settings. Workarounds:
- For new labels: In the Azure portal, add the label you want to use to the global policy or a scoped policy.
- For renamed labels: Close and reopen the Azure portal.
You can upgrade scanners from the Azure Information Protection client (classic). After the upgrade, which creates a new database, the scanner rescans all files the first time it runs. For instructions, see Upgrading the Azure Information Protection scanner from the admin guide.
For additional information, see the blog post announcement: Unified labeling AIP scanner preview brings scaling out and more!
The PowerShell cmdlet Set-AIPAuthentication has new parameters (AppId, AppSecret, TenantId, DelegatedUser, and OnBehalfOf) for when you want to label files non-interactively, and also a new procedure to register an app in Azure AD. Example scenarios include the scanner and automated PowerShell scripts to label documents. For instructions, see How to label files non-interactively from the admin guide.
Note that DelegatedUser is a new parameter since the last preview version of the unified labeling client, and that the API permissions for the registered app have consequently changed.
New PowerShell label policy advanced setting to change which file types to protect.
New PowerShell label policy advanced setting to extend your label migration rules to SharePoint properties.
Matched custom sensitive information types are sent to Azure Information Protection analytics.
The applied label displays the configured color for the label, if a color has been configured.
When you add or change protection settings to a label, the client reapplies the label with these latest protection settings when the document is next saved. Similarly, the scanner reapplies the label with these latest protection settings when the document is next scanned in enforce mode.
Support for disconnected computers by exporting files from one client and manually copying them to the disconnected computer. Note that this configuration is supported for labeling with File Explorer, PowerShell, and the scanner. This configuration is not supported for labeling with Office apps.
New cmdlet, Export-AIPLogs, to gather all log files from %localappdata%\Microsoft\MSIP\Logs and saves them to a single, compressed file that has a .zip format. This file can then be sent to Microsoft Support if you are requested to send log files to help investigate a reported issue.
You can successfully make changes to a protected file using File Explorer and right-click after a password for the file has been removed.
You can successfully open natively protected files in the viewer without requiring the Save As, Export (EXPORT) usage right.
Labels and policy settings refresh as expected without having to run Clear-AIPAuthentication, or manually delete the %LocalAppData%\Microsoft\MSIP\mip folder.
Reset Settings now deletes the %LocalAppData%\Microsoft\MSIP\mip\<ProcessName.exe> folders instead of the %LocalAppData%\Microsoft\MSIP\mip\<ProcessName>\mip folder.
Get-AIPFileStatus now includes the content ID for a protected document.
Supported through 04/23/2020
When you use the advanced setting OutlookDefaultLabel to set a different default label for Outlook, and the label you specify doesn't have any sublabels for the label policy, the label is correctly applied.
When the Azure Information Protection client is used in an Office app, a user with an Active Directory account that isn't configured for single sign-on is prompted to authenticate for Azure Information Protection. After successfully authenticating, the client status correctly changes to online, which enables labeling functionality.
Supported through 03/03/2020
The client can successfully download its policy and display the current sensitivity labels. This fix is required after upgrading from a previous version and you haven't configured any custom information types in your labeling center.
General performance and stability improvements.
Supported through 02/06/2020
Support for advanced settings that you configure with PowerShell for the Security & Compliance Center.
These advanced settings support the following customizations:
- Display the Information Protection bar in Office apps
- Exempt Outlook messages from mandatory labeling
- Enable recommended classification in Outlook
- Set a different default label for Outlook
- Remove "Not now" for documents when you use mandatory labeling
- Remove headers and footers from other labeling solutions
- Disable custom permissions in File Explorer
- For files protected with custom permissions, always display custom permissions to users in File Explorer
- For email messages with attachments, apply a label that matches the highest classification of those attachments
- Add "Report an Issue" for users
- Implement pop-up messages in Outlook that warn, justify, or block emails being sent
- Disable sending discovered sensitive information in documents to Azure Information Protection analytics
- Send information type matches to Azure Information Protection analytics
- Migrate labels from Secure Islands and other labeling solutions
- Apply a custom property when a label is applied
- Configure a label to apply S/MIME protection in Outlook
- Specify a default sublabel for a parent label
- Specify a color for the label
Support for labels that are configured for user-defined permissions for Word, Excel, PowerPoint, and File Explorer. For more information, see the Let users assign permissions section in the Office documentation.
PowerShell changes in the AzureInformationProtection module:
- New cmdlet: New-AIPCustomPermissions - replaces New-RMSProtectionLicense to create an ad-hoc policy for custom permissions
- New parameters:
- CustomPermissions and RemoveProtection - added to Set-AIPFileLabel
- OnBeHalfOf - added to Set-AIPAuthentication, to be used instead of the Token parameter for non-interactive sessions
- WhatIf and DiscoveryInfoTypes - added to Set-AIPFileClassification, so that this cmdlet can run in discovery mode without applying labels
- Deprecated cmdlets that connect directly to a protection service: Clear-RMSAuthentication, Get-RMSFileStatus, Get-RMSServer, Get-RMSServerAuthentication, Get-RMSTemplate, Protect-RMSFile, Set-RMSServerAuthentication, Unprotect-RMSFile
After you change to an alternative locale in Windows, you can still apply a label with protection to a PDF document.
When a label is removed from content, protection is also removed only when it was applied as part of the label configuration. If the protection was applied independently from the label, that protection is preserved. For example, a user applied custom permissions to a file.
When automatic labeling is configured, the label applies the first time a document is saved.
Default labeling supports sublabels.
Not sure if this is the right client to install? See Choose which labeling client to use for Windows computers.
For more information about installing and using this client: