Azure Information Protection unified labeling client - Version release history and support policy

Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

*Customers with extended Microsoft support for Windows 7 and Office 2010 can also get Azure Information Protection support for these versions. Check with your support contact for full details.

Instructions for: Azure Information Protection unified labeling client for Windows

You can download the Azure Information Protection unified labeling client from the Microsoft Download Center.

After a short delay of typically a couple of weeks, the latest general availability version is also included in the Microsoft Update Catalog with a product name of Microsoft Azure Information Protection > Microsoft Azure Information Protection Unified Labeling Client, and the classification of Updates. This inclusion in the catalog means that you can upgrade the client by using WSUS or Configuration Manager, or other software deployment mechanisms that use Microsoft Update.

For more information, see Upgrading and maintaining the Azure Information Protection unified labeling client.

Servicing information and timelines

Each general availability (GA) version of the Azure Information Protection unified labeling client is supported for up to six months after the release of the subsequent GA version. The documentation does not include information about unsupported versions of the client. Fixes and new functionality are always applied to the latest GA version and will not be applied to older GA versions.

Preview versions should not be deployed for end users on production networks. Instead, use the latest preview version to see and try new functionality or fixes that are coming in the next GA version. Preview versions that are not current are not supported.

General availability versions that are no longer supported:
Client version Date released 09/03/2019 08/06/2019 07/15/2019
2.0.779.0 05/01/2019
2.0.778.0 04/16/2019

The date format used on this page is month/day/year.

Release information

Use the following information to see what's new or changed for a supported release of the Azure Information Protection unified labeling client for Windows. The most current release is listed first. The date format used on this page is month/day/year.


Minor fixes are not listed so if you experience a problem with the unified labeling client, we recommend that you check whether it is fixed with the latest GA release. If the problem remains, check the current preview version (if available).

For technical support, see the Support options and community resources information. We also invite you to engage with the Azure Information Protection team, on their Yammer site.

This client is replacing the Azure Information Protection client (classic). To compare features and functionality with the classic client, see Compare the the labeling clients for Windows computers.


Unified labeling scanner and client version

Fixes and improvements:

Fixed issues in file labeling actions for New Label audit logs.

For more information, see Version and Azure Information Protection audit log reference (public preview).


Unified labeling scanner and client version

Released 06/29/2020

New features for the unified labeling scanner:

New features for the unified labeling client:

New audit logs generated for removed files

Audit logs are now generated each time the scanner detects that a file that had previously been scanned is now removed.

For more information, see:


In this version, file labeling actions do not generate New Label audit logs. If you run the scanner in Enforce=On mode, we recommend that upgrade to Version

TLS 1.2 enforcement

Starting with this version of the Azure Information Protection client, only TLS versions 1.2 or higher are supported.

Customers that have a TLS setup that does not support TLS 1.2 must move to setup that supports TLS 1.2 to use Azure Information Protection policies, tokens, audit, and protection, and to receive Azure Information Protection-based communication.

For more requirement details, see Firewalls and network infrastructure requirements.

Fixes and improvements

  • Scanner SQL improvements for:

    • Performance
    • Files with large numbers of information types
  • SharePoint scanning improvements for:

    • Scanning performance
    • Files with special characters in the path
    • Libraries with large file count

    To view a quickstart for using Azure Information Protection with SharePoint, see Quickstart: Find what sensitive information you have in files stored on-premises.

  • Improved user notifications for missing policies. For more information about label policies for the unified labeling client, see What label policies can do in the Microsoft 365 documentation.

  • Automatic labels are now applied in Excel for scenarios where a user starts to close a file without saving, just as they are when a user actively saves a file.

  • Headers and footers are removed as expected, and not on each document save, when the ExternalContentMarkingToRemove setting is configured.

  • Dynamic user variables are now displayed in a document's visual markings as expected.

  • Issue where only the first page of content of a PDF was being used for applying auto-classification rules is now resolved, and auto-classification based on all content in the PDF now proceeds as expected. For more information about classification and labeling, see the classification and labeling FAQ.

  • When multiple Exchange accounts are configured and the Azure Information Protection Outlook client is enabled, mails are sent from the secondary account as expected. For more information about configuring the unified labeling client with Outlook, see Additional prerequisites for the Azure Information Protection unified labeling client.

  • When a document with a higher confidentiality label is dragged and dropped into an email, the email now automatically receives the higher confidentiality label as expected. For more information about labeling client features, see the labeling client comparison table.

  • Custom permissions are now applied to emails as expected, when email addresses include both an apostrophe (') and period (.) For more information about configuring the unified labeling client with Outlook, see Additional prerequisites for the Azure Information Protection unified labeling client.

  • By default, a file's NTFS owner is lost when the file is labeled by the unified labeling scanner, PowerShell, or the File Explorer extension. Now you can configure the system to keep the file's NTFS owner by setting the new UseCopyAndPreserveNTFSOwner advanced setting to true.

    The UseCopyAndPreserveNTFSOwner advanced setting requires a low latency, reliable network connection between the scanner and the scanned repository.


Released 03/09/2020

Supported through 12/29/2020

New features:


  • In instances where users attempted unsuccessfully to open protected TIFF files, and TIFF files created by RightFax, the TIFF files now open and remain stable as expected.
  • Previous corruptions of protected txt and PDF files are resolved.
  • Inconsistent labeling between Automatic and Manual in Log Analytics was corrected.
  • Unexpected inheritance issues identified between new emails and a user's last opened email is now resolved.
  • Protection of .msg files as .msg.pfiles now works as expected.
  • Co-owner permissions added from Office user defined settings is now applied as expected.
  • When entering permissions downgrade justification, text can no longer be entered when other options are already selected.


Released: 10/23/2019

Supported through 09/09/2020

New features:

  • Preview version of the scanner, to inspect and label documents on-premises data stores. With this version of the scanner:

    • Multiple scanners can share the same SQL Server database when you configure the scanners to use the same scanner profile. This configuration makes it easier to manage multiple scanners, and results in faster scanning times. When you use this configuration, always wait for a scanner to finish installing before installing another scanner with the same profile.

    • You must specify a profile when you install the scanner and the scanner database is named AIPScannerUL_<profile_name>. The Profile parameter is also mandatory for Set-AIPScanner.

    • You can set a default label on all documents, even if documents are already labeled. In the scanner profile or repository settings, set the Relabel files option to On with the new Enforce default label checkbox selected.

    • You can remove existing labels from all documents and this act includes removing protection if it was previously applied by a label. Protection applied independently from a label is preserved. This scanner configuration is achieved in the scanner profile or repository settings with the following settings:

      • Label files based on content: Off
      • Default label: None
      • Relabel files: On with the Enforce default label checkbox selected
    • As with the scanner from the classic client, by default, the scanner protects Office files and PDF files. You can protect other files types when you use a PowerShell advanced setting.

    • Event IDs for the scanner cycles starting and finishing are not written to the Windows event log. Instead, use the Azure portal for this information.

    • Known issue: New and renamed labels aren't available to select as a default label for the scanner profile or repository settings. Workarounds:

      • For new labels: In the Azure portal, add the label you want to use to the global policy or a scoped policy.
      • For renamed labels: Close and reopen the Azure portal.

    You can upgrade scanners from the Azure Information Protection client (classic). After the upgrade, which creates a new database, the scanner rescans all files the first time it runs. For instructions, see Upgrading the Azure Information Protection scanner from the admin guide.

    For additional information, see the blog post announcement: Unified labeling AIP scanner preview brings scaling out and more!

  • The PowerShell cmdlet Set-AIPAuthentication has new parameters (AppId, AppSecret, TenantId, DelegatedUser, and OnBehalfOf) for when you want to label files non-interactively, and also a new procedure to register an app in Azure AD. Example scenarios include the scanner and automated PowerShell scripts to label documents. For instructions, see How to label files non-interactively from the admin guide.

    Note that DelegatedUser is a new parameter since the last preview version of the unified labeling client, and that the API permissions for the registered app have consequently changed.

  • New PowerShell label policy advanced setting to change which file types to protect.

  • New PowerShell label policy advanced setting to extend your label migration rules to SharePoint properties.

  • Matched custom sensitive information types are sent to Azure Information Protection analytics.

  • The applied label displays the configured color for the label, if a color has been configured.

  • When you add or change protection settings to a label, the client reapplies the label with these latest protection settings when the document is next saved. Similarly, the scanner reapplies the label with these latest protection settings when the document is next scanned in enforce mode.

  • Support for disconnected computers by exporting files from one client and manually copying them to the disconnected computer. Note that this configuration is supported for labeling with File Explorer, PowerShell, and the scanner. This configuration is not supported for labeling with Office apps.

  • New cmdlet, Export-AIPLogs, to gather all log files from %localappdata%\Microsoft\MSIP\Logs and saves them to a single, compressed file that has a .zip format. This file can then be sent to Microsoft Support if you are requested to send log files to help investigate a reported issue.


  • You can successfully make changes to a protected file using File Explorer and right-click after a password for the file has been removed.

  • You can successfully open natively protected files in the viewer without requiring the Save As, Export (EXPORT) usage right.

  • Labels and policy settings refresh as expected without having to run Clear-AIPAuthentication, or manually delete the %LocalAppData%\Microsoft\MSIP\mip folder.

Additional changes

  • Reset Settings now deletes the %LocalAppData%\Microsoft\MSIP\mip\<ProcessName.exe> folders instead of the %LocalAppData%\Microsoft\MSIP\mip\<ProcessName>\mip folder.

  • Get-AIPFileStatus now includes the content ID for a protected document.

Next steps

Not sure if unified labeling is the right client to install? See Choose which labeling client to use for Windows computers.

For more information about installing and using the unified labeling client: