Azure Information Protection unified labeling client - Version release history and support policy

Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Instructions for: Azure Information Protection unified labeling client for Windows

You can download the Azure Information Protection unified labeling client from the Microsoft Download Center.

After a short delay of typically a couple of weeks, the latest general availability version is also included in the Microsoft Update Catalog with a product name of Microsoft Azure Information Protection > Microsoft Azure Information Protection Unified Labeling Client, and the classification of Updates. This inclusion in the catalog means that you can upgrade the client by using WSUS or Configuration Manager, or other software deployment mechanisms that use Microsoft Update.

For more information, see Upgrading and maintaining the Azure Information Protection unified labeling client.

Servicing information and timelines

Each general availability (GA) version of the Azure Information Protection unified labeling client is supported for up to six months after the release of the subsequent GA version. The documentation does not include information about unsupported versions of the client. Fixes and new functionality are always applied to the latest GA version and will not be applied to older GA versions.

Preview versions should not be deployed for end users on production networks. Instead, use the latest preview version to see and try new functionality or fixes that are coming in the next GA version. Preview versions that are not current are not supported.

General availability versions that are no longer supported:
Client version Date released 09/03/2019 08/06/2019 07/15/2019
2.0.779.0 05/01/2019
2.0.778.0 04/16/2019

The date format used on this page is month/day/year.

Release information

Use the following information to see what's new or changed for a supported release of the Azure Information Protection unified labeling client for Windows. The most current release is listed first. The date format used on this page is month/day/year.


Minor fixes are not listed so if you experience a problem with the unified labeling client, we recommend that you check whether it is fixed with the latest GA release. If the problem remains, check the current preview version (if available).

For technical support, see the Support options and community resources information. We also invite you to engage with the Azure Information Protection team, on their Yammer site.

This client is replacing the Azure Information Protection client (classic). To compare features and functionality with the classic client, see Compare the the labeling clients for Windows computers.


Unified labeling scanner (public preview) version

Released 05/05/2020

New features:


Released 03/09/2020

New features:


  • In instances where users attempted unsuccessfully to open protected TIFF files, and TIFF files created by RightFax, the TIFF files now open and remain stable as expected.
  • Previous corruptions of protected txt and PDF files are resolved.
  • Inconsistent labeling between Automatic and Manual in Log Analytics was corrected.
  • Unexpected inheritance issues identified between new emails and a user's last opened email is now resolved.
  • Protection of .msg files as .msg.pfiles now works as expected.
  • Co-owner permissions added from Office user defined settings is now applied as expected.
  • When entering permissions downgrade justification, text can no longer be entered when other options are already selected.


Released: 10/23/2019

Supported through 09/09/2020

New features:

  • Preview version of the scanner, to inspect and label documents on-premises data stores. With this version of the scanner:

    • Multiple scanners can share the same SQL Server database when you configure the scanners to use the same scanner profile. This configuration makes it easier to manage multiple scanners, and results in faster scanning times. When you use this configuration, always wait for a scanner to finish installing before installing another scanner with the same profile.

    • You must specify a profile when you install the scanner and the scanner database is named AIPScannerUL_<profile_name>. The Profile parameter is also mandatory for Set-AIPScanner.

    • You can set a default label on all documents, even if documents are already labeled. In the scanner profile or repository settings, set the Relabel files option to On with the new Enforce default label checkbox selected.

    • You can remove existing labels from all documents and this act includes removing protection if it was previously applied by a label. Protection applied independently from a label is preserved. This scanner configuration is achieved in the scanner profile or repository settings with the following settings:

      • Label files based on content: Off
      • Default label: None
      • Relabel files: On with the Enforce default label checkbox selected
    • As with the scanner from the classic client, by default, the scanner protects Office files and PDF files. You can protect other files types when you use a PowerShell advanced setting.

    • Event IDs for the scanner cycles starting and finishing are not written to the Windows event log. Instead, use the Azure portal for this information.

    • Known issue: New and renamed labels aren't available to select as a default label for the scanner profile or repository settings. Workarounds:

      • For new labels: In the Azure portal, add the label you want to use to the global policy or a scoped policy.
      • For renamed labels: Close and reopen the Azure portal.

    You can upgrade scanners from the Azure Information Protection client (classic). After the upgrade, which creates a new database, the scanner rescans all files the first time it runs. For instructions, see Upgrading the Azure Information Protection scanner from the admin guide.

    For additional information, see the blog post announcement: Unified labeling AIP scanner preview brings scaling out and more!

  • The PowerShell cmdlet Set-AIPAuthentication has new parameters (AppId, AppSecret, TenantId, DelegatedUser, and OnBehalfOf) for when you want to label files non-interactively, and also a new procedure to register an app in Azure AD. Example scenarios include the scanner and automated PowerShell scripts to label documents. For instructions, see How to label files non-interactively from the admin guide.

    Note that DelegatedUser is a new parameter since the last preview version of the unified labeling client, and that the API permissions for the registered app have consequently changed.

  • New PowerShell label policy advanced setting to change which file types to protect.

  • New PowerShell label policy advanced setting to extend your label migration rules to SharePoint properties.

  • Matched custom sensitive information types are sent to Azure Information Protection analytics.

  • The applied label displays the configured color for the label, if a color has been configured.

  • When you add or change protection settings to a label, the client reapplies the label with these latest protection settings when the document is next saved. Similarly, the scanner reapplies the label with these latest protection settings when the document is next scanned in enforce mode.

  • Support for disconnected computers by exporting files from one client and manually copying them to the disconnected computer. Note that this configuration is supported for labeling with File Explorer, PowerShell, and the scanner. This configuration is not supported for labeling with Office apps.

  • New cmdlet, Export-AIPLogs, to gather all log files from %localappdata%\Microsoft\MSIP\Logs and saves them to a single, compressed file that has a .zip format. This file can then be sent to Microsoft Support if you are requested to send log files to help investigate a reported issue.


  • You can successfully make changes to a protected file using File Explorer and right-click after a password for the file has been removed.

  • You can successfully open natively protected files in the viewer without requiring the Save As, Export (EXPORT) usage right.

  • Labels and policy settings refresh as expected without having to run Clear-AIPAuthentication, or manually delete the %LocalAppData%\Microsoft\MSIP\mip folder.

Additional changes

  • Reset Settings now deletes the %LocalAppData%\Microsoft\MSIP\mip\<ProcessName.exe> folders instead of the %LocalAppData%\Microsoft\MSIP\mip\<ProcessName>\mip folder.

  • Get-AIPFileStatus now includes the content ID for a protected document.

Next steps

Not sure if this is the right client to install? See Choose which labeling client to use for Windows computers.

For more information about installing and using this client: