Azure Information Protection unified labeling client - Version release history and support policy
Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Instructions for: Azure Information Protection unified labeling client for Windows
You can download the Azure Information Protection unified labeling client from the Microsoft Download Center.
After a short delay of typically a couple of weeks, the latest general availability version is also included in the Microsoft Update Catalog with a product name of Microsoft Azure Information Protection > Microsoft Azure Information Protection Unified Labeling Client, and the classification of Updates. This inclusion in the catalog means that you can upgrade the client by using WSUS or Configuration Manager, or other software deployment mechanisms that use Microsoft Update.
For more information, see Upgrading and maintaining the Azure Information Protection unified labeling client.
Servicing information and timelines
Each general availability (GA) version of the Azure Information Protection unified labeling client is supported for up to six months after the release of the subsequent GA version. The documentation does not include information about unsupported versions of the client. Fixes and new functionality are always applied to the latest GA version and will not be applied to older GA versions.
Preview versions should not be deployed for end users on production networks. Instead, use the latest preview version to see and try new functionality or fixes that are coming in the next GA version. Preview versions that are not current are not supported.
General availability versions that are no longer supported:
|Client version||Date released|
The date format used on this page is month/day/year.
Use the following information to see what's new or changed for a supported release of the Azure Information Protection unified labeling client for Windows. The most current release is listed first. The date format used on this page is month/day/year.
Minor fixes are not listed so if you experience a problem with the unified labeling client, we recommend that you check whether it is fixed with the latest GA release. If the problem remains, check the current preview version (if available).
This client is replacing the Azure Information Protection client (classic). To compare features and functionality with the classic client, see Compare the the labeling clients for Windows computers.
Unified labeling scanner (public preview) version 22.214.171.124
This limited release is focused only on the public preview versions of the unified labeling scanner version 126.96.36.199 as described below:
New in scanner
- Use scanner to apply labels based on recommended conditions. AIP scanner can now treat automatic labeling rules with "recommended label" actions as automatic rules. This change was implemented to allow AIP customers a choice of implementing auto-labeling only on the service side, allowing their end users to always to follow recommendations instead of the previous option of only enabling automatic labeling on the user side.
- Learn which files previously discovered by scanner were deleted from the scanned repository These deleted files were not previously reported in AIP analytics and are now available in the scanner discovery report.
- Get reports from scanner on failures to apply action events. Use reports to learn about failed action events and discover ways to prevent future occurrences.
- Introduction of AIP scanner diagnostic analyzer tool for detection and analysis of common scanner errors. To begin using AIP scanner diagnostics, run the new Start-AIPScannerDiagnostics cmdlet.
- You can now manage and limit max CPU consumption on the scanner machine. Learn how to prevent 100% CPU usage and manage your CPU usage using two new advanced settings ScannerMaxCPU, and ScannerMinCPU.
Fixes and improvements
- Scanner SQL performance improvements
- SharePoint scanning performance improvements
General availability version of the scanner, to inspect and label documents in on-premises data stores.
- Easier SharePoint on-premises and subsite discovery. Setting each specific site is no longer required.
- Advanced property for SQL chunk sizing added.
- Administrators now have the ability to stop existing scans and perform a re-scan if a change was made to the default label.
- By default, scanner now sets minimal telemetry for faster scans and reduced log size and information types are now cached in the database. Learn more about scanner optimization.
- Scanner now supports separate deployments for database and the service, while Sysadmin rights are needed only for database deployment.
- Improvements made to scanner performance.
Modification of PowerShell cmdlet Set-AIPFileLabel to enable removal of protection from PST, rar, 7zip and MSG files. This feature is disabled by default and must be turned on using the Set-LabelPolicy cmdlet, as described here.
Added ability for Azure Information Protection administrators to control when .pfile extensions are used for files. Learn more about changing protected file types.
Dynamic visual marking support added for applications and variables. Learn more about how to configure labels for visual markings.
Improvements made to customizable policy tips for automatic and recommended labels.
Support added for offline labeling capability with Office apps in the unified labeling client.
- In instances where users attempted unsuccessfully to open protected TIFF files, and TIFF files created by RightFax, the TIFF files now open and remain stable as expected.
- Previous corruptions of protected txt and PDF files are resolved.
- Inconsistent labeling between Automatic and Manual in Log Analytics was corrected.
- Unexpected inheritance issues identified between new emails and a user's last opened email is now resolved.
- Protection of .msg files as .msg.pfiles now works as expected.
- Co-owner permissions added from Office user defined settings is now applied as expected.
- When entering permissions downgrade justification, text can no longer be entered when other options are already selected.
Supported through 09/09/2020
Preview version of the scanner, to inspect and label documents on-premises data stores. With this version of the scanner:
Multiple scanners can share the same SQL Server database when you configure the scanners to use the same scanner profile. This configuration makes it easier to manage multiple scanners, and results in faster scanning times. When you use this configuration, always wait for a scanner to finish installing before installing another scanner with the same profile.
You must specify a profile when you install the scanner and the scanner database is named AIPScannerUL_<profile_name>. The Profile parameter is also mandatory for Set-AIPScanner.
You can set a default label on all documents, even if documents are already labeled. In the scanner profile or repository settings, set the Relabel files option to On with the new Enforce default label checkbox selected.
You can remove existing labels from all documents and this act includes removing protection if it was previously applied by a label. Protection applied independently from a label is preserved. This scanner configuration is achieved in the scanner profile or repository settings with the following settings:
- Label files based on content: Off
- Default label: None
- Relabel files: On with the Enforce default label checkbox selected
As with the scanner from the classic client, by default, the scanner protects Office files and PDF files. You can protect other files types when you use a PowerShell advanced setting.
Event IDs for the scanner cycles starting and finishing are not written to the Windows event log. Instead, use the Azure portal for this information.
Known issue: New and renamed labels aren't available to select as a default label for the scanner profile or repository settings. Workarounds:
- For new labels: In the Azure portal, add the label you want to use to the global policy or a scoped policy.
- For renamed labels: Close and reopen the Azure portal.
You can upgrade scanners from the Azure Information Protection client (classic). After the upgrade, which creates a new database, the scanner rescans all files the first time it runs. For instructions, see Upgrading the Azure Information Protection scanner from the admin guide.
For additional information, see the blog post announcement: Unified labeling AIP scanner preview brings scaling out and more!
The PowerShell cmdlet Set-AIPAuthentication has new parameters (AppId, AppSecret, TenantId, DelegatedUser, and OnBehalfOf) for when you want to label files non-interactively, and also a new procedure to register an app in Azure AD. Example scenarios include the scanner and automated PowerShell scripts to label documents. For instructions, see How to label files non-interactively from the admin guide.
Note that DelegatedUser is a new parameter since the last preview version of the unified labeling client, and that the API permissions for the registered app have consequently changed.
New PowerShell label policy advanced setting to change which file types to protect.
New PowerShell label policy advanced setting to extend your label migration rules to SharePoint properties.
Matched custom sensitive information types are sent to Azure Information Protection analytics.
The applied label displays the configured color for the label, if a color has been configured.
When you add or change protection settings to a label, the client reapplies the label with these latest protection settings when the document is next saved. Similarly, the scanner reapplies the label with these latest protection settings when the document is next scanned in enforce mode.
Support for disconnected computers by exporting files from one client and manually copying them to the disconnected computer. Note that this configuration is supported for labeling with File Explorer, PowerShell, and the scanner. This configuration is not supported for labeling with Office apps.
New cmdlet, Export-AIPLogs, to gather all log files from %localappdata%\Microsoft\MSIP\Logs and saves them to a single, compressed file that has a .zip format. This file can then be sent to Microsoft Support if you are requested to send log files to help investigate a reported issue.
You can successfully make changes to a protected file using File Explorer and right-click after a password for the file has been removed.
You can successfully open natively protected files in the viewer without requiring the Save As, Export (EXPORT) usage right.
Labels and policy settings refresh as expected without having to run Clear-AIPAuthentication, or manually delete the %LocalAppData%\Microsoft\MSIP\mip folder.
Reset Settings now deletes the %LocalAppData%\Microsoft\MSIP\mip\<ProcessName.exe> folders instead of the %LocalAppData%\Microsoft\MSIP\mip\<ProcessName>\mip folder.
Get-AIPFileStatus now includes the content ID for a protected document.
Not sure if this is the right client to install? See Choose which labeling client to use for Windows computers.
For more information about installing and using this client: