Azure Information Protection unified labeling client - Version release history and support policy
Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
*Customers with extended Microsoft support for Windows 7 and Office 2010 can also get Azure Information Protection support for these versions. Check with your support contact for full details.
Instructions for: Azure Information Protection unified labeling client for Windows
You can download the Azure Information Protection unified labeling client from the Microsoft Download Center.
After a short delay of typically a couple of weeks, the latest general availability version is also included in the Microsoft Update Catalog with a product name of Microsoft Azure Information Protection > Microsoft Azure Information Protection Unified Labeling Client, and the classification of Updates. This inclusion in the catalog means that you can upgrade the client by using WSUS or Configuration Manager, or other software deployment mechanisms that use Microsoft Update.
For more information, see Upgrading and maintaining the Azure Information Protection unified labeling client.
Servicing information and timelines
Each general availability (GA) version of the Azure Information Protection unified labeling client is supported for up to six months after the release of the subsequent GA version. The documentation does not include information about unsupported versions of the client. Fixes and new functionality are always applied to the latest GA version and will not be applied to older GA versions.
Preview versions should not be deployed for end users on production networks. Instead, use the latest preview version to see and try new functionality or fixes that are coming in the next GA version. Preview versions that are not current are not supported.
General availability versions that are no longer supported:
|Client version||Date released|
The date format used on this page is month/day/year.
Use the following information to see what's new or changed for a supported release of the Azure Information Protection unified labeling client for Windows. The most current release is listed first. The date format used on this page is month/day/year.
Minor fixes are not listed so if you experience a problem with the unified labeling client, we recommend that you check whether it is fixed with the latest GA release. If the problem remains, check the current preview version (if available).
This client is replacing the Azure Information Protection client (classic). To compare features and functionality with the classic client, see Compare the the labeling clients for Windows computers.
Unified labeling scanner and client version 184.108.40.206
Fixes and improvements:
Fixed issues in file labeling actions for New Label audit logs.
For more information, see Version 220.127.116.11 and Azure Information Protection audit log reference (public preview).
Unified labeling scanner and client version 18.104.22.168
New features for the unified labeling scanner:
Use scanner to apply labels based on recommended conditions. AIP customers can now choose to implement service side only auto-labeling. This feature allows AIP end users to always to follow recommendations instead of the previous scenario, which only enabled automatic labeling on the user side.
Learn which files previously discovered by scanner were deleted from the scanned repository These deleted files were not previously reported in AIP analytics and are now available in the scanner discovery report.
Get reports from scanner on failures to apply action events. Use reports to learn about failed action events and discover ways to prevent future occurrences.
Introduction of AIP scanner diagnostic analyzer tool for detection and analysis of common scanner errors. To begin using AIP scanner diagnostics, run the new Start-AIPScannerDiagnostics cmdlet.
You can now manage and limit max CPU consumption on the scanner machine. Learn how to prevent 100% CPU usage and manage your CPU usage using two new advanced settings ScannerMaxCPU, and ScannerMinCPU.
Now you can configure the unified labeling scanner to skip specific files depending on their file attributes. Define the list of file attributes that triggers a file to be skipped using the new ScannerFSAttributesToSkip advanced setting.
New features for the unified labeling client:
Justification popups now appear for changes made to default labels in the unified labeling client.
Smoother integration with visual content markings applied by Office. For more information about configuring content markings in Office document, see How to configure a label for visual markings for Azure Information Protections.
New WordShapeNameToRemove advanced property enables removal of content marking in Word documents made by third-party applications. Learn more about how to identify existing shape names and define them for removal using WordShapeNameToRemove.
Support for Double Key Encryption (DKE) (public preview).
Now you can use the unified labeling client to protect highly sensitive content while maintaining full control of your key. DKE requires two keys to access protected content: one key is stored in Azure, and the other key is held by the customer.
For more information about the default, cloud-based tenant root keys, see Planning and implementing your Azure Information Protection tenant key. For information about implementing Double Key Encryption, see Double key encryption in the Microsoft 365 documentation.
New audit logs generated for removed files
Audit logs are now generated each time the scanner detects that a file that had previously been scanned is now removed.
For more information, see:
In this version, file labeling actions do not generate New Label audit logs. If you run the scanner in Enforce=On mode, we recommend that upgrade to Version 22.214.171.124.
TLS 1.2 enforcement
Starting with this version of the Azure Information Protection client, only TLS versions 1.2 or higher are supported.
Customers that have a TLS setup that does not support TLS 1.2 must move to setup that supports TLS 1.2 to use Azure Information Protection policies, tokens, audit, and protection, and to receive Azure Information Protection-based communication.
For more requirement details, see Firewalls and network infrastructure requirements.
Fixes and improvements
Scanner SQL improvements for:
- Files with large numbers of information types
SharePoint scanning improvements for:
- Scanning performance
- Files with special characters in the path
- Libraries with large file count
To view a quickstart for using Azure Information Protection with SharePoint, see Quickstart: Find what sensitive information you have in files stored on-premises.
Improved user notifications for missing policies. For more information about label policies for the unified labeling client, see What label policies can do in the Microsoft 365 documentation.
Automatic labels are now applied in Excel for scenarios where a user starts to close a file without saving, just as they are when a user actively saves a file.
Headers and footers are removed as expected, and not on each document save, when the ExternalContentMarkingToRemove setting is configured.
Dynamic user variables are now displayed in a document's visual markings as expected.
Issue where only the first page of content of a PDF was being used for applying auto-classification rules is now resolved, and auto-classification based on all content in the PDF now proceeds as expected. For more information about classification and labeling, see the classification and labeling FAQ.
When multiple Exchange accounts are configured and the Azure Information Protection Outlook client is enabled, mails are sent from the secondary account as expected. For more information about configuring the unified labeling client with Outlook, see Additional prerequisites for the Azure Information Protection unified labeling client.
When a document with a higher confidentiality label is dragged and dropped into an email, the email now automatically receives the higher confidentiality label as expected. For more information about labeling client features, see the labeling client comparison table.
Custom permissions are now applied to emails as expected, when email addresses include both an apostrophe (') and period (.) For more information about configuring the unified labeling client with Outlook, see Additional prerequisites for the Azure Information Protection unified labeling client.
By default, a file's NTFS owner is lost when the file is labeled by the unified labeling scanner, PowerShell, or the File Explorer extension. Now you can configure the system to keep the file's NTFS owner by setting the new UseCopyAndPreserveNTFSOwner advanced setting to true.
The UseCopyAndPreserveNTFSOwner advanced setting requires a low latency, reliable network connection between the scanner and the scanned repository.
Supported through 12/29/2020
General availability version of the scanner, to inspect and label documents in on-premises data stores.
- Easier SharePoint on-premises and subsite discovery. Setting each specific site is no longer required.
- Advanced property for SQL chunk sizing added.
- Administrators now have the ability to stop existing scans and perform a re-scan if a change was made to the default label.
- By default, scanner now sets minimal telemetry for faster scans and reduced log size and information types are now cached in the database. Learn more about scanner optimization.
- Scanner now supports separate deployments for database and the service, while Sysadmin rights are needed only for database deployment.
- Improvements made to scanner performance.
Modification of PowerShell cmdlet Set-AIPFileLabel to enable removal of protection from PST, rar, 7zip and MSG files. This feature is disabled by default and must be turned on using the Set-LabelPolicy cmdlet, as described here.
Added ability for Azure Information Protection administrators to control when .pfile extensions are used for files. Learn more about changing protected file types.
Dynamic visual marking support added for applications and variables. Learn more about how to configure labels for visual markings.
Improvements made to customizable policy tips for automatic and recommended labels.
Support added for offline labeling capability with Office apps in the unified labeling client.
- In instances where users attempted unsuccessfully to open protected TIFF files, and TIFF files created by RightFax, the TIFF files now open and remain stable as expected.
- Previous corruptions of protected txt and PDF files are resolved.
- Inconsistent labeling between Automatic and Manual in Log Analytics was corrected.
- Unexpected inheritance issues identified between new emails and a user's last opened email is now resolved.
- Protection of .msg files as .msg.pfiles now works as expected.
- Co-owner permissions added from Office user defined settings is now applied as expected.
- When entering permissions downgrade justification, text can no longer be entered when other options are already selected.
Supported through 09/09/2020
Preview version of the scanner, to inspect and label documents on-premises data stores. With this version of the scanner:
Multiple scanners can share the same SQL Server database when you configure the scanners to use the same scanner profile. This configuration makes it easier to manage multiple scanners, and results in faster scanning times. When you use this configuration, always wait for a scanner to finish installing before installing another scanner with the same profile.
You must specify a profile when you install the scanner and the scanner database is named AIPScannerUL_<profile_name>. The Profile parameter is also mandatory for Set-AIPScanner.
You can set a default label on all documents, even if documents are already labeled. In the scanner profile or repository settings, set the Relabel files option to On with the new Enforce default label checkbox selected.
You can remove existing labels from all documents and this act includes removing protection if it was previously applied by a label. Protection applied independently from a label is preserved. This scanner configuration is achieved in the scanner profile or repository settings with the following settings:
- Label files based on content: Off
- Default label: None
- Relabel files: On with the Enforce default label checkbox selected
As with the scanner from the classic client, by default, the scanner protects Office files and PDF files. You can protect other files types when you use a PowerShell advanced setting.
Event IDs for the scanner cycles starting and finishing are not written to the Windows event log. Instead, use the Azure portal for this information.
Known issue: New and renamed labels aren't available to select as a default label for the scanner profile or repository settings. Workarounds:
- For new labels: In the Azure portal, add the label you want to use to the global policy or a scoped policy.
- For renamed labels: Close and reopen the Azure portal.
You can upgrade scanners from the Azure Information Protection client (classic). After the upgrade, which creates a new database, the scanner rescans all files the first time it runs. For instructions, see Upgrading the Azure Information Protection scanner from the admin guide.
For additional information, see the blog post announcement: Unified labeling AIP scanner preview brings scaling out and more!
The PowerShell cmdlet Set-AIPAuthentication has new parameters (AppId, AppSecret, TenantId, DelegatedUser, and OnBehalfOf) for when you want to label files non-interactively, and also a new procedure to register an app in Azure AD. Example scenarios include the scanner and automated PowerShell scripts to label documents. For instructions, see How to label files non-interactively from the admin guide.
Note that DelegatedUser is a new parameter since the last preview version of the unified labeling client, and that the API permissions for the registered app have consequently changed.
New PowerShell label policy advanced setting to change which file types to protect.
New PowerShell label policy advanced setting to extend your label migration rules to SharePoint properties.
Matched custom sensitive information types are sent to Azure Information Protection analytics.
The applied label displays the configured color for the label, if a color has been configured.
When you add or change protection settings to a label, the client reapplies the label with these latest protection settings when the document is next saved. Similarly, the scanner reapplies the label with these latest protection settings when the document is next scanned in enforce mode.
Support for disconnected computers by exporting files from one client and manually copying them to the disconnected computer. Note that this configuration is supported for labeling with File Explorer, PowerShell, and the scanner. This configuration is not supported for labeling with Office apps.
New cmdlet, Export-AIPLogs, to gather all log files from %localappdata%\Microsoft\MSIP\Logs and saves them to a single, compressed file that has a .zip format. This file can then be sent to Microsoft Support if you are requested to send log files to help investigate a reported issue.
You can successfully make changes to a protected file using File Explorer and right-click after a password for the file has been removed.
You can successfully open natively protected files in the viewer without requiring the Save As, Export (EXPORT) usage right.
Labels and policy settings refresh as expected without having to run Clear-AIPAuthentication, or manually delete the %LocalAppData%\Microsoft\MSIP\mip folder.
Reset Settings now deletes the %LocalAppData%\Microsoft\MSIP\mip\<ProcessName.exe> folders instead of the %LocalAppData%\Microsoft\MSIP\mip\<ProcessName>\mip folder.
Get-AIPFileStatus now includes the content ID for a protected document.
Not sure if unified labeling is the right client to install? See Choose which labeling client to use for Windows computers.
For more information about installing and using the unified labeling client: