Azure Information Protection unified labeling client - Version release history and support policy
Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
If you have Windows 7 or Office 2010, see AIP and legacy Windows and Office versions.
Relevant for: AIP unified labeling client only. For the classic client, see AIP classic client version release history and support policy.
You can download the Azure Information Protection unified labeling client from the Microsoft Download Center.
After a short delay of typically a couple of weeks, the latest general availability version is also included in the Microsoft Update Catalog. Azure Information Protection versions have a product name of Microsoft Azure Information Protection > Microsoft Azure Information Protection Unified Labeling Client, and a classification of Updates.
Including Azure Information Protection in the catalog means that you can upgrade the client using WSUS or Configuration Manager, or other software deployment mechanisms that use Microsoft Update.
For more information, see Upgrading and maintaining the Azure Information Protection unified labeling client.
Servicing information and timelines
Each general availability (GA) version of the Azure Information Protection unified labeling client is supported for up to six months after the release of the subsequent GA version. The documentation does not include information about unsupported versions of the client. Fixes and new functionality are always applied to the latest GA version and will not be applied to older GA versions.
Noted Azure Information Protection features are currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
General availability versions that are no longer supported
|Client version||Date released|
The date format used on this page is month/day/year.
Use the following information to see what's new or changed for a supported release of the Azure Information Protection unified labeling client for Windows. The most current release is listed first.
The latest version of Azure Information Protection is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Minor fixes are not listed, so if you experience a problem with the unified labeling client, we recommend that you check whether it is fixed in the latest GA release. If the problem remains, check the current preview version (if available).
The unified labeling client replaces the Azure Information Protection classic client. To compare features and functionality with the classic client, see Compare the labeling solutions for Windows computers.
Unified labeling scanner and client version 188.8.131.52
This version includes the following new features, fixes, and enhancements for the unified labeling scanner and client:
New features for the scanner:
New features for the client:
Fixes and improvements:
PowerShell support for disconnected scanner servers
The Azure Information Protection on-premises scanner now supports managing content scan jobs over PowerShell, for scanner servers that cannot connect to the internet, or for scanners in an Azure China 21Vianet environment (China sovereign cloud).
To support disconnected or Azure China 21Vianet scanner servers, we've added the following new cmdlets:
| Cmdlet | Description |
|---|---|
| Add-AIPScannerRepository | Adds a new repository to your content scan job. |
| Get-AIPScannerContentScanJob | Gets details about your content scan job. |
| Get-AIPScannerRepository | Gets details about repositories defined for your content scan job. |
| Remove-AIPScannerContentScanJob | Deletes your content scan job. |
| Remove-AIPScannerRepository | Removes a repository from your content scan job. |
| Set-AIPScannerContentScanJob | Defines settings for your content scan job. |
| Set-AIPScannerRepository | Defines settings for an existing repository in your content scan job. |
The Set-MIPNetworkDiscovery cmdlet was also added to provide additional support, enabling you to update the installation settings for the Network Discovery service via PowerShell.
For more information, see When the scanner server cannot have internet connectivity and Configure the scanner.
Support for NFS repositories in content scan jobs (Public preview)
Now you can add NFS repositories to your content scan jobs, in addition to SMB file shares and SharePoint repositories.
To support scans on NFS shares, services for NFS must be deployed on the scanner machine:
On your machine, navigate to the Windows Features (Turn Windows features on or off) settings dialog.
Select the following items:
- Services for NFS
- Administrative Tools
- Client for NFS
- Services for NFS
For more information, see Create a content scan job.
Added support for additional sensitive information types
We’ve added support for additional sensitive information types in Azure Information Protection, such as Australia business number, Australia company number, or Austria identity card.
For more information, see the Sensitive information type entity definitions in the Microsoft 365 documentation.
Track document access and revoke access (Public preview)
Once you've upgraded to version 184.108.40.206, any protected documents that are not yet registered for tracking are registered the next time they're opened on a machine with the AIP unified labeling client installed. Protected documents are supported for track and revoke, even if they are not labeled.
Having your documents registered for tracking enables administrators to use PowerShell to track document access, and revoke access if needed.
Once you've upgraded, end-users can also revoke access for documents that they've protected. To revoke access from Microsoft Office apps, use the new Revoke access option on the Sensitivity menu.
For more information, see:
- Administrator Guide: Track and revoke document access with Azure Information Protection
- User Guide: Revoke document access with Azure Information Protection
- Known issues for tracking and revoking document access
If you have privacy requirements in your organization or region that require you to turn off document tracking features, see the track and revoke administrator procedures.
Upgrades from the classic client
The AIP classic client supports track and revoke features using the Microsoft tracking portal. This tracking portal is not relevant when working with the unified labeling client.
To view tracking data with the unified labeling client, use the PowerShell commands only, as described in the admin guide.
Fixes and improvements for the unified labeling scanner
The following fixes were delivered in version 220.127.116.11 of the Azure Information Protection unified labeling scanner:
- Added support for hyphens (-) in scanner database names
- Updates in reports for when the Label files based on content option is set to Off
- Improved memory consumption for large numbers of information type matches
- Support for SharePoint on-premises paths that end in a slash (/)
- Increased SharePoint scanning speed
- Support for avoiding a timeout when scanning a SharePoint server.
Fixes and improvements for the unified labeling client
Issues fixed for labeling on emails from Office MSI, such as when replying to or forwarding an email.
NewLabel audit log events now include the action source, for events generated by emails sent from Outlook.
Issues fixed where the policy was sometimes not updated without clearing the cache, after making changes to the label policy in Microsoft 365.
Outlook Preview mode now generates audit logs for discovery events
When turning on this functionality, we recommend that you also raise the default timeout value, as defined in the OutlookGetEmailAddressesTimeOutMSProperty setting.
Updates to the order of precedence used when more than one label policy is configured for a user, each with conflicting advanced settings.
In such cases, the advanced settings from the first policy are always applied, according to the order of the policies in the admin center. The exception for the OutlookDefaultLabel is now removed.
In a scenario where %APPDATA% (AppData\Roaming) points to a non-default Windows folder structure, files in folders that are mapped to user directories are now excluded from labeling and protection as expected, based on the configuration.
New advanced client setting (PowerPointRemoveAllShapesByShapeName), added to remove shapes from PowerPoint headers or footers, by using the shape name instead of the text inside a shape.
Unified labeling scanner and client version 18.104.22.168
Supported through 7/13/2021
This version includes the following new features, fixes, and enhancements, for the unified labeling scanner and client:
New features for the scanner:
New features for the client:
Fixes and improvements:
Optional full rescans for changes detected
Administrators can now skip a full rescan after making changes to policies or content scan jobs. Skipping a full rescan applies your changes only on files that have been modified or created since the last scan.
For example, you may have made changes that only affect the end user, such as in visual markings, and don't want to take the time required to run a full rescan immediately.
Skip the full, immediate rescan, and return later to run a full rescan and apply your changes across your repositories.
Administrators making changes in their policies and content scan jobs must now understand the effects of those changes on the content, and determine whether a full rescan is required.
For example, if you’ve changed Policy enforcement settings from Enforce = Off to Enforce = On, make sure to run a full rescan to apply your labels across your content.
Configure SharePoint timeouts
The default timeout for SharePoint interactions has been updated to two minutes, after which the attempted AIP operation fails.
AIP administrators can also now configure SharePoint timeouts, separately for all web requests and file web requests.
For more information, see Configure SharePoint timeouts.
Network Discovery support
The unified labeling scanner now includes a new network discovery service, which enables you to scan specified IP addresses or ranges for network file shares that may have sensitive content.
The network discovery service updates Repository reports with a list of share locations that may be at risk, based on the discovered permissions and access rights. Check the updated Repository reports to ensure that your content scan jobs include all repositories that need to be scanned.
For more information, see Network discovery cmdlets.
To use the Network discovery service
Upgrade your scanner version and make sure that you have your scanner cluster configured correctly. For more information, see:
Make sure that you have Azure Information Protection analytics enabled.
In the Azure portal, go to Azure Information Protection > Manage > Configure analytics (Preview).
For more information, see Central reporting for Azure Information Protection (public preview).
Enable Network Discovery by running the Install-MIPNetworkDiscovery PowerShell cmdlet.
When running this cmdlet, make sure to use a weak user as the value for the StandardDomainsUserAccount parameter to ensure that any public access to repositories is reported.
This user must be a member of the Domain Users group only, and is used to simulate public access to the repositories.
In the Azure portal, go to Azure Information Protection > Network scan jobs and create jobs to scan specific areas of your network.
Use the generated reports on the new Repositories pane to find additional network file shares that may be at risk. Add any risky file shares to your content scan jobs to scan the added repositories for sensitive content.
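The "weak user" requirement in the procedure above can be checked before installation. The following is an added example, not part of the original page or of Microsoft's own tooling: it assumes the RSAT ActiveDirectory module is available, and every account name, SQL instance and cluster name is a placeholder. Only the StandardDomainsUserAccount parameter appears on this page; confirm the other Install-MIPNetworkDiscovery parameters with Get-Help on your installed version.

```powershell
#Requires -Modules ActiveDirectory

function Test-WeakDiscoveryAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount

    # Domain Users always has the well-known RID 513 in the account's own domain.
    $domainUsersSid = '{0}-513' -f $user.SID.AccountDomainSid.Value

    # Direct memberships only (primary group included). Groups that Domain Users
    # itself is nested into are not expanded by this check.
    $extraGroups = @(Get-ADPrincipalGroupMembership -Identity $user |
        Where-Object { $_.SID.Value -ne $domainUsersSid })

    $findings = @()
    if (-not $user.Enabled) {
        $findings += 'Account is disabled.'
    }
    if ($extraGroups.Count -gt 0) {
        $names = ($extraGroups | ForEach-Object { $_.Name }) -join ', '
        $findings += "Member of groups other than Domain Users: $names."
    }
    if ($user.adminCount -eq 1) {
        $findings += 'adminCount=1: account is or was in a protected (privileged) group.'
    }

    [pscustomobject]@{
        Account  = $user.SamAccountName
        IsWeak   = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Placeholder account name: replace with the account you created for this purpose.
$check = Test-WeakDiscoveryAccount -SamAccountName 'svc-aip-public'
if (-not $check.IsWeak) {
    throw "Refusing to install Network Discovery: $($check.Findings -join ' ')"
}

$serviceAccount = Get-Credential -Message 'Scanner service account'
$publicAccount  = Get-Credential -Message 'Weak account (Domain Users only)'

# Placeholder SQL instance and cluster name.
Install-MIPNetworkDiscovery -SqlServerInstance 'SQLSERVER1\AIPSCANNER' -Cluster 'EU' `
    -ServiceUserCredentials $serviceAccount `
    -StandardDomainsUserAccount $publicAccount
```

If the account holds any extra membership, shares that only that group can read would be reported as publicly accessible, which inflates the risk report.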
Network discovery cmdlets
PowerShell cmdlets added for Network Discovery include:
| Cmdlet | Description |
|---|---|
| Get-MIPNetworkDiscoveryConfiguration | Gets the current setting for whether the Network Discovery service pulls network scan data from the default, online configuration, or an offline file exported from the Azure portal. |
| Get-MIPNetworkDiscoveryJobs | Gets a list of currently configured network scan jobs. |
| Get-MIPNetworkDiscoveryStatus | Gets the current status of all network scan jobs configured in your tenant. |
| Import-MIPNetworkDiscoveryConfiguration | Imports the configuration for a network scan job from a file. |
| Install-MIPNetworkDiscovery | Installs the Network Discovery service. |
| Set-MIPNetworkDiscoveryConfiguration | Sets the configuration for whether the Network Discovery service pulls network scan data from the default, online configuration, or an offline file exported from the Azure portal. |
| Start-MIPNetworkDiscovery | Runs a specific network scan job immediately. |
| Uninstall-MIPNetworkDiscovery | Uninstalls the Network Discovery service. |
Administrator customizations for AIP popups in Outlook
AIP administrators can now customize the popups that appear in Outlook for end-users, such as popups for blocked emails, warning messages, and justification prompts.
For more information, including several sample rules for common use case scenarios, see Customize Outlook popup messages.
Administrator customizations for justification prompts
AIP administrators can now customize one of the options in the justification prompts that are displayed when end-users change classification labels on documents and emails.
For more information, see Customize justification prompt texts for modified labels.
Audit log updates
Audit logs for access events from the unified labeling client are now sent only when users open labeled or protected files, providing a clearer indication of user access.
For more information, see Access audit logs.
DKE template-based labeling updates
Azure Information Protection now supports Double Key Encryption (DKE) template-based labeling in the scanner, as well as using the File Explorer and PowerShell.
For more information, see:
- Planning and implementing your Azure Information Protection tenant key
- Double Key Encryption in the Microsoft 365 docs
Azure Information Protection scanner fixed issues, version 22.214.171.124
The following fixes were delivered in version 126.96.36.199 of the Azure Information Protection unified labeling scanner:
- Improvements for scanning files with long paths
- The AIP scanner now scans full SharePoint environments when there are multiple ContentDatabases.
- The AIP scanner now supports SharePoint files with a period in the path, but no extension. For example, a file with a path of https://sharepoint.contoso.com/shared documents/meeting-notes, with no extension, is now scanned successfully.
- The AIP scanner now supports custom sensitive information types that are created in the Microsoft Security and Compliance center, and do not belong to any policy.
Azure Information Protection client fixed issues, version 188.8.131.52
The following fixes were delivered in version 184.108.40.206 of the Azure Information Protection unified labeling client:
- A new, narrated indication for any items currently selected from the Sensitivity menu in Office apps. For more information, see the page on Sensitivity labels in the Microsoft 365 docs.
- Fixes for viewing JPEG files in the AIP Viewer
- Downgrading a label now automatically includes the ProtectionOwnerBefore in audit events
- Change events now include the LastModifiedDate in audit logs
- Added support for Proxy.pac files when using a proxy to acquire a token. For more information, see Firewalls and network infrastructure requirements.
- Fixes for authenticating when refreshing policies
- Fixes for automatic content marking updates for PowerPoint in read-only mode
- Improvements in popups and error texts
- Tooltip updates to show the highest classification for email attachments, considering both the classification of the email and the attachment.
- Fixes to the Report an Issue text when modifying sensitivity labeling policies using the Set-LabelPolicy cmdlet
- Fixes in errors shown when the Set-AipFileLabel cmdlet is used with an invalid label ID.
- Performance fixes for decrypting SMIME emails in Outlook's reading pane. To implement this fix, enable the OutlookSkipSmimeOnReadingPaneEnabled advanced property.
- Fixes for decrypting PST files that contain password-encrypted files. Decrypting PST files no longer fails if the PST file contains a password-protected file.
- Removing a protection label that is not included in your scoped policy now removes both the label and protection from the content.
Unified labeling scanner and client version 220.127.116.11
Supported through 3/22/2021
Fixed an issue for PowerPoint, Excel, and Word users, related to mandatory labels configured with protection, watermarking, and/or content marking, that resulted in files freezing or crashing, or in users being forced to save repeatedly.
Unified labeling scanner and client version 18.104.22.168
Supported through 2/23/2021
Fixes and improvements:
Fixed issues in file labeling actions for New Label audit logs.
For more information, see Version 22.214.171.124 and Azure Information Protection audit log reference (public preview).
Unified labeling scanner and client version 126.96.36.199
Supported through 1/20/2021
- New features for the unified labeling client, version 188.8.131.52
- New features for the unified labeling scanner, version 184.108.40.206
- New audit logs generated for removed files
- TLS 1.2 enforcement
- Fixes and improvements, version 220.127.116.11
New features for the unified labeling scanner, version 18.104.22.168
Use scanner to apply labels based on recommended conditions. AIP customers can now choose to implement service side only autolabeling. This feature allows AIP end users to always follow recommendations instead of the previous scenario, which only enabled automatic labeling on the user side.
Learn which files previously discovered by the scanner were deleted from the scanned repository. These deleted files were not previously reported in AIP analytics and are now available in the scanner discovery report.
Get reports from scanner on failures to apply action events. Use reports to learn about failed action events and discover ways to prevent future occurrences.
Introduction of AIP scanner diagnostic analyzer tool for detection and analysis of common scanner errors. To begin using AIP scanner diagnostics, run the Start-AIPScannerDiagnostics cmdlet.
You can now manage and limit maximum CPU consumption on the scanner machine. Learn how to prevent 100% CPU usage and manage your CPU usage using two new advanced settings, ScannerMaxCPU and ScannerMinCPU.
Now you can configure the unified labeling scanner to skip specific files depending on their file attributes. Define the list of file attributes that triggers a file to be skipped using the new ScannerFSAttributesToSkip advanced setting.
New features for the unified labeling client, version 22.214.171.124
Justification popups now appear for changes made to default labels in the unified labeling client.
Smoother integration with visual content markings applied by Office. For more information about configuring content markings in Office documents, see How to configure a label for visual markings for Azure Information Protection.
New WordShapeNameToRemove advanced property enables removal of content marking in Word documents made by third-party applications. Learn more about how to identify existing shape names and define them for removal using WordShapeNameToRemove.
Support for Double Key Encryption (DKE) (public preview).
Now you can use the unified labeling client to protect highly sensitive content while maintaining full control of your key. DKE requires two keys to access protected content: one key is stored in Azure, and the other key is held by the customer.
For more information about the default, cloud-based tenant root keys, see Planning and implementing your Azure Information Protection tenant key. For information about implementing Double Key Encryption, see Double key encryption in the Microsoft 365 documentation.
New audit logs generated for removed files
Audit logs are now generated each time the scanner detects that a file that had previously been scanned is now removed.
For more information, see:
In this version, file labeling actions do not generate New Label audit logs. If you run the scanner in Enforce=On mode, we recommend that you upgrade to version 126.96.36.199.
TLS 1.2 enforcement
Starting with this version of the Azure Information Protection client, only TLS versions 1.2 or later are supported.
Customers that have a TLS setup that does not support TLS 1.2 must move to a setup that supports TLS 1.2 to use Azure Information Protection policies, tokens, audit, and protection, and to receive Azure Information Protection-based communication.
For more requirement details, see Firewalls and network infrastructure requirements.
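Before rolling this version out, you can audit whether a workstation or scanner server has TLS 1.2 turned off for client connections. The following is an added example, not part of the original page: it assumes the client follows the standard Windows SChannel, WinHTTP and .NET Framework TLS settings, and it reads only well-known Windows registry values.

```powershell
function Get-RegistryDword {
    param([string] $Path, [string] $Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent: OS default applies
    return [int64] $item.$Name
}

function Get-Tls12ClientReadiness {
    [CmdletBinding()]
    param()

    $findings = @()

    # SChannel: explicit per-protocol overrides for outbound (client) connections.
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    if ((Get-RegistryDword -Path $schannel -Name 'Enabled') -eq 0) {
        $findings += 'SChannel: TLS 1.2 client is explicitly disabled (Enabled=0).'
    }
    if ((Get-RegistryDword -Path $schannel -Name 'DisabledByDefault') -eq 1) {
        $findings += 'SChannel: TLS 1.2 client is not offered by default (DisabledByDefault=1).'
    }

    # WinHTTP: DefaultSecureProtocols is a bitmask; 0x800 is TLS 1.2.
    $winHttp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    $mask = Get-RegistryDword -Path $winHttp -Name 'DefaultSecureProtocols'
    if ($null -ne $mask -and ($mask -band 0x800) -eq 0) {
        $findings += ('WinHTTP: DefaultSecureProtocols=0x{0:X} does not include TLS 1.2 (0x800).' -f $mask)
    }

    # .NET Framework 4.x: a value of 0 opts applications out of strong crypto
    # or out of the operating system's default protocol selection.
    $netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($key in $netKeys) {
        foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
            if ((Get-RegistryDword -Path $key -Name $name) -eq 0) {
                $findings += ".NET: $name=0 under $key."
            }
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OsVersion    = [Environment]::OSVersion.Version.ToString()
        Tls12Blocked = ($findings.Count -gt 0)
        Findings     = $findings
    }
}

Get-Tls12ClientReadiness | Format-List
```

An empty Findings list means no setting explicitly blocks TLS 1.2; on older operating systems the OS default itself still has to include TLS 1.2.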
Fixes and improvements, version 188.8.131.52
Scanner SQL improvements for:
- Files with large numbers of information types
SharePoint scanning improvements for:
- Scanning performance
- Files with special characters in the path
- Libraries with large file count
To view a quickstart for using Azure Information Protection with SharePoint, see Quickstart: Find what sensitive information you have in files stored on-premises.
Improved user notifications for missing policies. For more information about label policies for the unified labeling client, see What label policies can do in the Microsoft 365 documentation.
Automatic labels are now applied in Excel for scenarios where a user starts to close a file without saving, just as they are when a user actively saves a file.
Headers and footers are removed as expected, and not on each document save, when the ExternalContentMarkingToRemove setting is configured.
Dynamic user variables are now displayed in a document's visual markings as expected.
Issue where only the first page of content of a PDF was being used for applying autoclassification rules is now resolved, and autoclassification based on all content in the PDF now proceeds as expected. For more information about classification and labeling, see the classification and labeling FAQ.
When multiple Exchange accounts are configured and the Azure Information Protection Outlook client is enabled, mails are sent from the secondary account as expected. For more information about configuring the unified labeling client with Outlook, see Configure your group policy to prevent disabling AIP.
When a document with a higher confidentiality label is dragged and dropped into an email, the email now automatically receives the higher confidentiality label as expected. For more information about labeling client features, see the labeling client comparison table.
Custom permissions are now applied to emails as expected, when email addresses include both an apostrophe (') and period (.). For more information about configuring the unified labeling client with Outlook, see Configure your group policy to prevent disabling AIP.
By default, a file's NTFS owner is lost when the file is labeled by the unified labeling scanner, PowerShell, or the File Explorer extension. Now you can configure the system to keep the file's NTFS owner by setting the new UseCopyAndPreserveNTFSOwner advanced setting to true.
The UseCopyAndPreserveNTFSOwner advanced setting requires a low latency, reliable network connection between the scanner and the scanned repository.
Not sure if unified labeling is the right client to install? See Choose your Windows labeling solution.
For more information about installing and using the unified labeling client: