Azure Information Protection unified labeling client - Version release history and support policy

Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

If you have Windows 7 or Office 2010, see AIP and legacy Windows and Office versions.

Relevant for: AIP unified labeling client only. For the classic client, see AIP classic client version release history and support policy.

You can download the Azure Information Protection unified labeling client from the Microsoft Download Center.

After a short delay of typically a couple of weeks, the latest general availability version is also included in the Microsoft Update Catalog. Azure Information Protection versions have a product name of Microsoft Azure Information Protection > Microsoft Azure Information Protection Unified Labeling Client, and a classification of Updates.

Including Azure Information Protection in the catalog means that you can upgrade the client using WSUS or Configuration Manager, or other software deployment mechanisms that use Microsoft Update.

For more information, see Upgrading and maintaining the Azure Information Protection unified labeling client.

Servicing information and timelines

Each general availability (GA) version of the Azure Information Protection unified labeling client is supported for up to six months after the release of the subsequent GA version. The documentation does not include information about unsupported versions of the client. Fixes and new functionality are always applied to the latest GA version and will not be applied to older GA versions.

Noted Azure Information Protection features are currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

General availability versions that are no longer supported

Client version Date released
2.6.111.0 03/09/2020
2.5.33.0 10/23/2019
2.2.21.0 09/03/2019
2.2.19.0 08/06/2019
2.2.14.0 07/15/2019
2.0.779.0 05/01/2019
2.0.778.0 04/16/2019

The date format used on this page is month/day/year.

Release information

Use the following information to see what's new or changed for a supported release of the Azure Information Protection unified labeling client for Windows. The most current release is listed first. The date format used on this page is month/day/year.

The latest version of Azure Information Protection is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Note

Minor fixes are not listed so if you experience a problem with the unified labeling client, we recommend that you check whether it is fixed with the latest GA release. If the problem remains, check the current preview version (if available).

For technical support, see the Support options and community resources information. We also invite you to engage with the Azure Information Protection team, on their Yammer site.

The unified labeling client replaces the Azure Information Protection classic client. To compare features and functionality with the classic client, see Compare the labeling solutions for Windows computers.

Version 2.9.111.0

Unified labeling scanner and client version 2.9.111.0

Release 1/13/2021

This version includes the following new features, fixes, and enhancements for the unified labeling scanner and client:

PowerShell support for disconnected scanner servers

The Azure Information Protection on-premises scanner now supports managing content scan jobs over PowerShell, for scanner servers that cannot connect to the internet, or for scanners in an Azure China 21Vianet environment (China sovereign cloud).

To support disconnected or Azure China 21Vianet scanner servers, we've added the following new cmdlets:

Cmdlet Description
Add-AIPScannerRepository Adds a new repository to your content scan job.
Get-AIPScannerContentScanJob Gets details about your content scan job.
Get-AIPScannerRepository Gets details about repositories defined for your content scan job.
Remove-AIPScannerContentScanJob Deletes your content scan job.
Remove-AIPScannerRepository Removes a repository from your content scan job.
Set-AIPScannerContentScanJob Defines settings for your content scan job.
Set-AIPScannerRepository Defines settings for an existing repository in your content scan job.

The Set-MIPNetworkDiscovery cmdlet was also added to provide additional support, enabling you to update the installation settings for the Network Discovery service via PowerShell.

For more information, see When the scanner server cannot have internet connectivity and Configure the scanner.

Support for NFS repositories in content scan jobs (Public preview)

Now you can add NFS repositories to your content scan jobs, in addition to SMB file shares and SharePoint repositories.

To support scans on NFS shares, services for NFS must be deployed on the scanner machine:

  1. On your machine, navigate to the Windows Features (Turn Windows features on or off) settings dialog.

  2. Select the following items:

    • Services for NFS
      • Administrative Tools
      • Client for NFS

For more information, see Create a content scan job.

Added support for additional sensitive information types

We’ve added support for additional sensitive information types in Azure Information Protection, such as Australia business number, Australia company number, or Austria identity card.

For more information, see the Sensitive information type entity definitions in the Microsoft 365 documentation.

Track document access and revoke access (Public preview)

Once you've upgraded to version 2.9.111.0, any protected documents that are not yet registered for tracking are registered the next time they're opened on a machine with the AIP unified labeling client installed. Protected documents are supported for track and revoke, even if they are not labeled.

Having your documents registered for tracking enables administrators to use PowerShell to track document access, and revoke access if needed.

Once you've upgraded, end-users can also revoke access for documents that they've protected. To revoke access from Microsoft Office apps, use the new Revoke access option on the Sensitivity menu.

For more information, see:

If you have privacy requirements in your organization or region that require you to turn off document tracking features, see the track and revoke administrator procedures.

Upgrades from the classic client

The AIP classic client supports track and revoke features using the Microsoft tracking portal. This tracking portal is not relevant when working with the unified labeling client.

To view tracking data with the unified labeling client, use the PowerShell commands only, as described in the admin guide.

Fixes and improvements for the unified labeling scanner

The following fixes were delivered in version 2.9.111.0 of the Azure Information Protection unified labeling scanner:

Fixes and improvements for the unified labeling client

Version 2.8.85.0

Unified labeling scanner and client version 2.8.85.0

Released 09/22/2020

Supported through 7/13/2021

This version includes the following new features, fixes, and enhancements, for the unified labeling scanner and client:

Optional full rescans for changes detected

Administrators can now skip a full rescan after making changes to policies or content scan jobs. Skipping a full rescan applies your changes only on files that have been modified or created since the last scan.

For example, you may have made changes that only affect the end user, such as in visual markings, and don't want to take the time required to run a full rescan immediately.

Skip the full, immediate rescan, and return later to run a full rescan and apply your changes across your repositories.

Important

Administrators making changes in their policies and content scan jobs must now understand the effects of those changes on the content, and determine whether a full rescan is required.

For example, if you’ve changed Policy enforcement settings from Enforce = Off to Enforce = On, make sure to run a full rescan to apply your labels across your content.

Configure SharePoint timeouts

The default timeout for SharePoint interactions has been updated to two minutes, after which the attempted AIP operation fails.

AIP administrators can also now configure SharePoint timeouts, separately for all web requests and file web requests.

For more information, see Configure SharePoint timeouts.

Network Discovery support

The unified labeling scanner now includes a new network discovery service, which enables you to scan specified IP addresses or ranges for network file shares that may have sensitive content.

The network discovery service updates Repository reports with a list of share locations that may be at risk, based on the discovered permissions and access rights. Check the updated Repository reports to ensure that your content scan jobs include all repositories that need to be scanned.

Tip

For more information, see Network discovery cmdlets.

To use the Network discovery service

  1. Upgrade your scanner version and make sure that you have your scanner cluster configured correctly. For more information, see:

  2. Make sure that you have Azure Information Protection analytics enabled.

    In the Azure portal, go to Azure Information Protection > Manage > Configure analytics (Preview).

    For more information, see Central reporting for Azure Information Protection (public preview).

  3. Enable Network Discovery by running the Install-MIPNetworkDiscovery PowerShell cmdlet.

    Important

    When running this cmdlet, make sure to use a weak user as the value for the StandardDomainsUserAccount parameter to ensure that any public access to repositories is reported.

    This user must be a member of the Domain Users group only, and is used to simulate public access to the repositories.

  4. In the Azure portal, go to Azure Information Protection > Network scan jobs and create jobs to scan specific areas of your network.

  5. Use the generated reports on the new Repositories pane to find additional network file shares that may be at risk. Add any risky file shares to your content scan jobs to scan the added repositories for sensitive content.

Network discovery cmdlets

PowerShell cmdlets added for Network Discovery include:

Cmdlet Description
Get-MIPNetworkDiscoveryConfiguration Gets the current setting for whether the Network Discovery service pulls network scan data from the default, online configuration, or an offline file exported from the Azure portal.
Get-MIPNetworkDiscoveryJobs Gets a list of currently configured network scan jobs.
Get-MIPNetworkDiscoveryStatus Gets the current status of all network scan jobs configured in your tenant.
Import-MIPNetworkDiscoveryConfiguration Imports the configuration for a network scan job from a file.
Install-MIPNetworkDiscovery Installs the Network Discovery service
Set-MIPNetworkDiscoveryConfiguration Sets the configuration for whether the Network Discovery service pulls network scan data from the default, online configuration, or an offline file exported from the Azure portal.
Start-MIPNetworkDiscovery Runs a specific network scan job immediately.
Uninstall-MIPNetworkDiscovery Uninstalls the Network Discovery service.

Administrator customizations for AIP popups in Outlook

AIP administrators can now customize the popups that appear in Outlook for end-users, such as popups for blocked emails, warning messages, and justification prompts.

For more information, including several sample rules for common use case scenarios, see Customize Outlook popup messages.

Administrator customizations for justification prompts

AIP administrators can now customize one of the options in the justification prompts that are displayed when end-users change classification labels on documents and emails.

For more information, see Customize justification prompt texts for modified labels.

Audit log updates

Audit logs for access events from the unified labeling client are now sent only when users open labeled or protected files, providing a clearer indication of user access.

For more information, see Access audit logs.

DKE template-based labeling updates

Azure Information Protection now supports Double Key Encryption (DKE) template-based labeling in the scanner, as well as using the File Explorer and PowerShell.

For more information, see:

Azure Information Protection scanner fixed issues, version 2.8.85.0

The following fixes were delivered in version 2.8.85.0 of the Azure Information Protection unified labeling scanner:

  • Improvements for scanning files with long paths
  • The AIP scanner now scans full SharePoint environments when there are multiple ContentDatabases.
  • The AIP scanner now supports SharePoint files with a period in the path, but no extension. For example, a file with a path of https://sharepoint.contoso.com/shared documents/meeting-notes, with no extension, is now scanned successfully.
  • The AIP scanner now supports custom sensitive information types that are created in the Microsoft Security and Compliance center, and do not belong to any policy.

Azure Information Protection client fixed issues, version 2.8.85.0

The following fixes were delivered in version 2.8.85.0 of the Azure Information Protection unified labeling client:

  • A new, narrated indication for any items currently selected from the Sensitivity columns icon menu in Office apps. For more information, see the page on Sensitivity labels in the Microsoft 365 docs.
  • Fixes for viewing JPEG files in the AIP Viewer
  • Downgrading a label now automatically includes the ProtectionOwnerBefore in audit events
  • Change events now include the LastModifiedDate in audit logs
  • Added support for Proxy.pac files when using a proxy to acquire a token. For more information, see Firewalls and network infrastructure requirements.
  • Fixes for authenticating when refreshing policies
  • Fixes for automatic content marking updates for PowerPoint in read-only mode
  • Improvements in popups and error texts
  • Tooltip updates to show the highest classification for email attachments, considering both the classification of the email and the attachment.
  • Fixes to the Report an Issue text when modifying sensitivity labeling policies using the Set-LabelPolicy cmdlet
  • Fixes in errors shown when the Set-AipFileLabel cmdlet is used with an invalid label ID.
  • Performance fixes for decrypting SMIME emails in Outlook's reading pane. To implement this fix, enable the OutlookSkipSmimeOnReadingPaneEnabled advanced property.
  • Fixes for decrypting PST files that contain password-encrypted files. Decrypting PST files no longer fails if the PST file contains a password-protected file.
  • Removing a protection label that is not included in your scoped policy now removes both the label and protection from the content.

Version 2.7.101.0

Unified labeling scanner and client version 2.7.101.0

Released 08/23/2020

Supported through 3/22/2021

Fix:

Fixed issue for PPT, Excel and Word users which resulted in files freezing, crashing, or being forced to repeat save that was related to mandatory labels configured with protection, watermarking, and/or content marking.

Version 2.7.99.0

Unified labeling scanner and client version 2.7.99.0

Released 07/20/2020

Supported through 2/23/2021

Fixes and improvements:

Fixed issues in file labeling actions for New Label audit logs.

For more information, see Version 2.7.96.0 and Azure Information Protection audit log reference (public preview).

Version 2.7.96.0

Unified labeling scanner and client version 2.7.96.0

Released 06/29/2020

Supported through 1/20/2021

New features for the unified labeling scanner, version 2.7.96.0

New features for the unified labeling client, version 2.7.96.0

New audit logs generated for removed files

Audit logs are now generated each time the scanner detects that a file that had previously been scanned is now removed.

For more information, see:

Important

In this version, file labeling actions do not generate New Label audit logs. If you run the scanner in Enforce=On mode, we recommend that upgrade to Version 2.7.99.0.

TLS 1.2 enforcement

Starting with this version of the Azure Information Protection client, only TLS versions 1.2 or later are supported.

Customers that have a TLS setup that does not support TLS 1.2 must move to a setup that supports TLS 1.2 to use Azure Information Protection policies, tokens, audit, and protection, and to receive Azure Information Protection-based communication.

For more requirement details, see Firewalls and network infrastructure requirements.

Fixes and improvements, version 2.7.96.0

  • Scanner SQL improvements for:

    • Performance
    • Files with large numbers of information types
  • SharePoint scanning improvements for:

    • Scanning performance
    • Files with special characters in the path
    • Libraries with large file count

    To view a quickstart for using Azure Information Protection with SharePoint, see Quickstart: Find what sensitive information you have in files stored on-premises.

  • Improved user notifications for missing policies. For more information about label policies for the unified labeling client, see What label policies can do in the Microsoft 365 documentation.

  • Automatic labels are now applied in Excel for scenarios where a user starts to close a file without saving, just as they are when a user actively saves a file.

  • Headers and footers are removed as expected, and not on each document save, when the ExternalContentMarkingToRemove setting is configured.

  • Dynamic user variables are now displayed in a document's visual markings as expected.

  • Issue where only the first page of content of a PDF was being used for applying autoclassification rules is now resolved, and autoclassification based on all content in the PDF now proceeds as expected. For more information about classification and labeling, see the classification and labeling FAQ.

  • When multiple Exchange accounts are configured and the Azure Information Protection Outlook client is enabled, mails are sent from the secondary account as expected. For more information about configuring the unified labeling client with Outlook, see Configure your group policy to prevent disabling AIP.

  • When a document with a higher confidentiality label is dragged and dropped into an email, the email now automatically receives the higher confidentiality label as expected. For more information about labeling client features, see the labeling client comparison table.

  • Custom permissions are now applied to emails as expected, when email addresses include both an apostrophe (') and period (.) For more information about configuring the unified labeling client with Outlook, see Configure your group policy to prevent disabling AIP.

  • By default, a file's NTFS owner is lost when the file is labeled by the unified labeling scanner, PowerShell, or the File Explorer extension. Now you can configure the system to keep the file's NTFS owner by setting the new UseCopyAndPreserveNTFSOwner advanced setting to true.

    The UseCopyAndPreserveNTFSOwner advanced setting requires a low latency, reliable network connection between the scanner and the scanned repository.

Next steps

Not sure if unified labeling is the right client to install? See Choose your Windows labeling solution.

For more information about installing and using the unified labeling client: