The Microsoft Purview Information Protection client extends sensitivity labels beyond labels that are built into Microsoft 365 apps and services, and supports a wider range of file types.
This client runs on Windows only and replaces the Azure Information Protection (AIP) unified labeling client. It has the following components:
The following operating systems support the Microsoft Purview Information Protection client:
Windows 11
Windows 10 (x64) (Handwriting isn't supported in the Windows 10 RS4 build and later.)
Windows Server 2019
Windows Server 2016
ARM64 isn't supported.
If you're working with virtual machines, check whether the software publisher for your virtual desktop solution has other configuration requirements for running the information protection client.
For example, for Citrix solutions, you might need to disable the Citrix Application Programming Interface (API) hooks for Office and the Microsoft Purview Information Protection client.
The Office apps and the client components use the following executables, respectively: winword.exe, excel.exe, outlook.exe, and powerpnt.exe for Office, and msip.app.exe (file labeler) and msip.viewer.exe (viewer) for the Microsoft Purview Information Protection client.
Remote Desktop Services supports the information protection client for the following server operating systems:
Windows Server 2019
Windows Server 2016
Windows Server 2012 R2 and Windows Server 2012
If you delete user profiles when you use the information protection client with Remote Desktop Services, make sure to keep the %Appdata%\Microsoft\Protect folder.
You must have a cloud-based subscription for sensitivity labeling using the Microsoft Purview Information Protection client or scanner. For more information, see:
To support authentication and authorization for Microsoft Purview Information Protection, you must have a Microsoft Entra ID. To use user accounts from your on-premises directory, you must also configure directory integration.
Single sign-on (SSO) is supported for Microsoft Purview Information Protection, so that users aren't repeatedly prompted for their credentials. If you use another vendor solution for federation, check with that vendor for instructions on configuring it for Microsoft Entra ID. WS-Trust is commonly required for these solutions to support single sign-on.
Multi-factor authentication (MFA) is supported with Microsoft Purview Information Protection when you have the required client software and the MFA-supporting infrastructure is configured correctly.
Other prerequisites are required for specific scenarios, such as when using certificate-based or multifactor authentication, or when UPN values don't match user email addresses.
To install the information protection client, you must have local administrative permissions on the client computer and meet the following additional requirements.
Microsoft .NET Framework requirements
The full installation of the client requires a minimum version of Microsoft .NET Framework 4.7.2.
If this framework is missing, the setup wizard from the executable installer tries to download and install this prerequisite. When this prerequisite is installed as part of the client installation, the computer must be restarted.
Windows PowerShell minimum requirements
The PowerShell module for the client requires a minimum version of Windows PowerShell 4.0.
If you're working on an older operating system, you might need to install PowerShell manually. For more information, see How to Install Windows PowerShell 4.0.
Important
The installer doesn't check or install this prerequisite for you.
To confirm the version of Windows PowerShell that you are running, type $PSVersionTable in a PowerShell session.
Screen resolution requirements
Windows computers with monitor resolutions of 800x600 and lower can't fully display the file labeler dialog box when you right-click a file or folder in File Explorer.
Install or upgrade the information protection client
If you install the Microsoft Purview Information Protection client interactively and the Azure Information Protection (AIP) unified labeling client is detected, you can upgrade the older client after you acknowledge that the AIP Add-in for Office will be removed.
Note
Upgrades by using Microsoft Update Catalog or any other non-interactive installation require a registry key configuration if any Azure Information Protection client versions are present on the local computer.
There are two options for installing the information protection client:
Installing the information protection client using the .exe installer
Installing the information protection client using the .msi installer
If you're upgrading the information protection scanner, either from the Azure Information Protection (AIP) unified labeling client or a previous version of the information protection client, see Upgrade the Microsoft Purview Information Protection scanner before using these client installation instructions.
To install the information protection client with the .exe file:
Download the executable version of the Microsoft Purview Information Protection client from the Microsoft Download Center. For example, PurviewInfoProtection.exe.
Important
If there is a preview version available, use that version only for testing. It is not intended for end users in a production environment.
For a default installation, simply run the executable. To view all installation options, first run the executable with /help. For example: PurviewInfoProtection.exe /help
To silently install the client, run: PurviewInfoProtection.exe /quiet
To silently install only the PowerShell cmdlets, run: PurviewInfoProtection.exe PowerShellOnly=true /quiet
Note
By default, the option to send usage statistics to Microsoft is enabled. To disable this option, make sure to take one of the following steps:
During installation, specify AllowTelemetry=0
After installation, update the registry key as follows: EnableTelemetry=0.
To complete the installation, restart any instances of File Explorer.
Confirm that the installation was successful by checking the install log file, which is created in the %temp% folder by default.
The install log file has the following naming format: Microsoft_Azure_Information_Protection_<number>_<number>_MSIP.Setup.Main.msi.log
For example: Microsoft_Azure_Information_Protection_20161201093652_000_MSIP.Setup.Main.msi.log
In the log file, search for the following string: Product: Microsoft Purview Information Protection--Installation completed successfully. If the installation failed, this log file contains details to help you identify and resolve any problems.
Tip
You can change the location of the installation log file with the /log installation parameter.
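As an added example (not code from the Microsoft documentation), the following PowerShell script performs the silent .exe installation described above with usage statistics disabled, then checks the install log in %temp% for the success string and restarts File Explorer. The installer path C:\Temp\PurviewInfoProtection.exe is an assumption; the log file name pattern and success string are the ones given on this page.

```powershell
# Added example, not Microsoft's script: silent install with telemetry off,
# then verification through the install log in %temp%.
# Assumption: the installer was already downloaded to C:\Temp.
$installer = 'C:\Temp\PurviewInfoProtection.exe'
$logDir    = $env:TEMP

# AllowTelemetry=0 disables sending usage statistics at install time.
$proc = Start-Process -FilePath $installer -ArgumentList 'AllowTelemetry=0', '/quiet' -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Installer exited with code $($proc.ExitCode)"
}

# The log is named Microsoft_Azure_Information_Protection_<number>_<number>_MSIP.Setup.Main.msi.log;
# pick the newest one in case earlier installs left logs behind.
$log = Get-ChildItem -Path $logDir -Filter 'Microsoft_Azure_Information_Protection_*_MSIP.Setup.Main.msi.log' |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $log) {
    throw "No install log found in $logDir"
}

# Success string documented for this client; -SimpleMatch avoids regex interpretation of the dashes.
$success = 'Product: Microsoft Purview Information Protection--Installation completed successfully'
if (-not (Select-String -Path $log.FullName -Pattern $success -SimpleMatch -Quiet)) {
    throw "Installation did not complete successfully; inspect $($log.FullName)"
}
Write-Output "Installed successfully (log: $($log.FullName))"

# Restart File Explorer so the file labeler shell extension is loaded.
Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
Start-Process explorer.exe
```

Run the script from an elevated PowerShell session, since the installer requires local administrative permissions. The same check on the log file works after an .msi installation; only the install command differs.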
For central deployment, use the following information that is specific to the .msi installation version of the information protection client. If you use Microsoft Intune for your software deployment method, use these instructions together with Add apps with Microsoft Intune.
To install the information protection client with the .msi file
Download the .msi version of the Microsoft Purview Information Protection client from the Microsoft Download Center. For example, PurviewInfoProtection.msi.
Important
If there is a preview version available, use that version only for testing. It is not intended for end users in a production environment.
For each computer that runs the .msi file, make sure that the following software dependency is installed. Package it with the .msi version of the client or only deploy to computers that have the following software already installed:
| Office version | Operating system | Software |
| --- | --- | --- |
| All versions except Office 365 1902 or later | Windows 10 version 1809 only, operating system builds older than 17763.348 | |
For a default installation, run the .msi with /quiet, for example: PurviewInfoProtection.msi /quiet.
Note
By default, the option to send usage statistics to Microsoft is enabled. To disable this option, make sure to take one of the following steps:
During installation, specify AllowTelemetry=0
After installation, update the registry key as follows: EnableTelemetry=0.
Log file locations
Client and scanner log files are located in the following locations on the Windows computer:
\Program Files (x86)\Microsoft Purview Information Protection (64-bit operating systems only)
\Program Files\Microsoft Purview Information Protection (32-bit operating systems only)
%localappdata%\Microsoft\MSIP
Supported languages
The information protection client supports the same languages that Office 365 supports. For a list of these languages, see the International availability page from Office.
For these languages, menu options, dialog boxes, and messages from the Microsoft Purview Information Protection client display in the user's language. There's a single installer that detects the language, so no additional configuration is required to install the information protection client for different languages.
However, label names and descriptions that you specify aren't automatically translated when you configure labels in the admin portal. For users to see labels in their preferred language, provide your own translations and configure them for the labels by using PowerShell and the LocaleSettings parameter for Set-Label. For more information, see Example configuration to configure a sensitivity label for different languages.
Supported file types
This section lists the file types supported by the Microsoft Purview Information Protection client. For the listed file types, WebDAV locations aren't supported.
Tip
When you encrypt file types that don't have built-in support for encryption and so use generic encryption, we recommend that you assign the permission of co-owner to these files.
Microsoft Office: The following file types, including 97-2003 file formats and Office Open XML formats for Word, Excel, and PowerPoint.
- Word: .doc, .docm, .docx, .dot, .doctm, .dotx
- Excel: .xls, .xlsb, .xlst, .xlsm, .xlsx, .xltm, .xltx
- PowerPoint: .potm, .potx, .pps, .ppsm, .ppsx
- Visio: .vdw, .vsd, .vsdm, .vsdx, .vss, .vssm, .vst, .vstm, .vssx, .vstx
The information protection client supports encryption at two different levels, native and generic, as described below.

Native encryption
- Description: For text, image, Microsoft Office (Word, Excel, PowerPoint) files, .pdf files, and other application file types that support a Rights Management service, native encryption provides a strong level of protection with encryption and enforcement of rights (permissions).
- Encryption: File protection is enforced in the following ways:
  - Before encrypted content is rendered, successful authentication must occur for those users who receive the file through email or are given access to it through file or share permissions.
  - Additionally, usage rights and policy that were set by the content owner when the files were encrypted are enforced when the content is rendered in either the information protection viewer (for encrypted text and image files) or the associated application (for all other supported file types).
- Default for file types: Native encryption is the default level of encryption for the following file types:
  - Text and image files
  - Microsoft Office (Word, Excel, PowerPoint) files
  - Portable document format (.pdf)

Generic encryption
- Description: Generic encryption provides a level of protection for other file types. Generic encryption uses file encapsulation with the .pfile file type and authentication to verify whether a user is authorized to open the file.
- Encryption: File protection is enforced in the following ways:
  - Before encrypted content is rendered, successful authentication must occur for people who are authorized to open the file and given access to it. If authorization fails, the file doesn't open.
  - Usage rights and policy set by the content owner are displayed to inform authorized users of the intended usage policy.
  - Audit logging of authorized users opening and accessing files occurs. However, usage rights aren't enforced.
- Default for file types: Generic encryption is the default for all other file types (such as .vsdx, .rtf, and so on) that aren't supported by native encryption.
Supported file types for native encryption
The following table lists a subset of file types that support native encryption when the information protection client applies a sensitivity label with encryption.
These file types are identified separately because, when they're natively encrypted, the original file name extension is changed and these files become read-only. When files are generically encrypted, the file is always encapsulated with the .pfile extension appended to the original name (for example, accounts.zip becomes accounts.zip.pfile).
Warning
If you have firewalls, web proxies, or security software that inspect and take action according to file name extensions, you might need to reconfigure these network devices and software to support these new file name extensions.
| Original file name extension | Encrypted file name extension |
| --- | --- |
| .bmp | .pbmp |
| .gif | .pgif |
| .jfif | .pjfif |
| .jpe | .pjpe |
| .jpeg | .pjpeg |
| .jpg | .pjpg |
| .jt | .pjt |
| .png | .ppng |
| .tif | .ptif |
| .tiff | .ptiff |
| .txt | .ptxt |
| .xla | .pxla |
| .xlam | .pxlam |
| .xml | .pxml |
File types supported by Office
The following list includes the remaining file types that support labeling and native encryption by the information protection client. You'll recognize these as file types for Microsoft Office apps. The supported file formats for these file types are the 97-2003 file formats and Office Open XML formats for the following Office programs: Word, Excel, and PowerPoint.
For these files, the file name extension remains the same after the file is encrypted.
- Word: .doc, .docm, .docx, .dot, .doctm, .dotx
- Excel: .xls, .xlsb, .xlst, .xlsm, .xlsx, .xltm, .xltx
- PowerPoint: .potm, .potx, .pps, .ppsm, .ppsx
- Visio: .vdw, .vsd, .vsdm, .vsdx, .vss, .vssm, .vst, .vstm, .vssx, .vstx
Excluded folders and file types
To help prevent users from changing files that are critical for computer operations, some file types and folders are automatically excluded from classifying and labeling. If users try to label these files by using the information protection client, they see a message that those files are excluded.
The following folders are excluded from classifying and labeling by the information protection client:
Windows
Program Files (\Program Files and \Program Files (x86))
\ProgramData
\AppData (for all users)
The following file types are excluded from classifying and labeling by the information protection client:
.bat, .cmd, .com, .cpl, .dat, .dll, .drm, .drv, .exe, .inf, .ini, .jar, .lnk, .msi, .msp, .pdb, .pst, .sca, .sys, .tmp
By default, the scanner excludes the same file types from being labeled as the information protection client. It also excludes these file types:
.msg
.rtf
.rar
To change the file types included or excluded for file inspection by the scanner, configure the File types to scan in the content scan job.
File types that can't be encrypted by default
Any file that is password-protected can't be natively encrypted by the client unless the file is currently open in the application that applies the encryption. You most often see PDF files that are password-protected but other applications, such as Office apps, also offer this functionality.
File types supported for inspection
The information protection client uses Windows IFilter to inspect the contents of documents. Windows IFilter is used by Windows Search for indexing. As a result, the following file types can be inspected when you use the Set-FileLabel -Autolabel PowerShell command.
- Word: .doc, .docx, .docm, .dot, .dotx
- Excel: .xls, .xlt, .xlsx, .xlsm, .xlsb
- PowerPoint: .ppt, .pps, .pot, .pptx
- PDF: .pdf
- Text: .txt, .xml, .csv
Scanning .ZIP files
You can use the information protection scanner or the Set-FileLabel PowerShell command to inspect .zip files.
Note
When your information protection scanner is installed on a Windows server computer, you must also install the Microsoft Office IFilter in order to scan .zip files for sensitive information types. For more information, see the Microsoft download site.
If, after inspection, the .zip file should be labeled and encrypted, specify the .zip file name extension with the PowerShell PFileSupportedExtensions advanced setting, as described in the scanner deployment instructions.
Example scenario:
A file named accounts.zip contains Excel spreadsheets with credit card numbers. You have a sensitivity label named Confidential \ Finance, which is configured to discover credit card numbers and automatically apply the label with encryption that restricts access to the Finance group.
After inspecting the file, the client from your PowerShell session labels this file as Confidential \ Finance. Next, the client applies generic encryption to the file so that only members of the Finance group can unzip it, and renames the file accounts.zip.pfile.
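The accounts.zip scenario above as a PowerShell walk-through. This is an added example, not code from the Microsoft documentation: the policy name Global, the file path C:\Finance\accounts.zip, and the value format passed to PFileSupportedExtensions are assumptions, and the Get-FileStatus property names are assumed to match those of the older Get-AIPFileStatus cmdlet.

```powershell
# Added example, not Microsoft's code. Label names and paths are placeholders.

# Admin side (Security & Compliance PowerShell, after Connect-IPPSSession):
# allow .zip files to be generically encrypted as .pfile by the client/scanner.
# Assumption: the policy is named Global and the setting accepts a single extension string.
Set-LabelPolicy -Identity 'Global' -AdvancedSettings @{ PFileSupportedExtensions = '.zip' }

# Client side (information protection client PowerShell module, signed in):
# inspect the archive contents and apply the auto-labeling condition that matches.
$file = 'C:\Finance\accounts.zip'
$result = Set-FileLabel -Path $file -AutoLabel
$result | Format-List FileName, Status, Comment

# Verify the outcome: the archive is now accounts.zip.pfile, labeled and encrypted.
$protected = "$file.pfile"
if (-not (Test-Path -LiteralPath $protected)) {
    throw "Expected $protected to exist after generic encryption"
}
# Assumption: property names mirror Get-AIPFileStatus.
Get-FileStatus -Path $protected | Format-List FileName, IsLabeled, MainLabelName, SubLabelName, IsRMSProtected
```

The admin and client halves run in different sessions: Set-LabelPolicy needs a Security & Compliance PowerShell connection, while Set-FileLabel and Get-FileStatus run on a computer where the client is installed and signed in with an account covered by the label policy.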
Support for disconnected computers
By default, the information protection client automatically tries to connect to the internet to download sensitivity labels and sensitivity label policy settings from Microsoft Purview.
If you have computers that can't connect to the internet for a period of time, you can export the policy files from a connected computer and copy them to the disconnected computer manually.
To support disconnected computers that run the information protection client:
1. Choose or create a user account in Microsoft Entra ID that you will use to download the labels and policy settings that you want to use on your disconnected computer.
2. As an additional label policy setting for this account, turn off sending audit data to Microsoft Purview by using the EnableAudit PowerShell advanced setting with Set-LabelPolicy from Security & Compliance PowerShell.
   We recommend this step because if the disconnected computer does have periodic internet connectivity, it will send logging information to Microsoft Purview that includes the user name from step 1. That user account might be different from the local account you're using on the disconnected computer.
3. From a computer with internet connectivity that has the information protection client installed and is signed in with the user account from step 1, download the labels and policy settings.
4. From this computer, export the log files. For example, run the Export-DebugLogs cmdlet, or use the Export Logs option from the client's Help and Feedback dialog box in the file labeler. The log files are exported as a single compressed file.
5. Open the compressed file, and from the MSIP folder, copy any files that have an .xml file name extension.
6. Paste these files into the %localappdata%\Microsoft\MSIP folder on the disconnected computer.
7. If your chosen user account is one that usually connects to the internet, enable sending audit data again by setting the EnableAudit value to True.
Be aware that if a user on this computer selects the Reset Settings option from Help and feedback in the file labeler, this action deletes the policy files and leaves the client inoperable until you manually replace the files or the client connects to the internet so it can download the files it needs.
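The export, extract, and copy steps of the disconnected-computer procedure above, as an added PowerShell example that is not Microsoft's script. Assumptions: the label policy assigned to the download account is named Offline-Download-Policy, the Export-DebugLogs cmdlet takes a -FileName parameter like the older Export-AIPLogs cmdlet, and the policy files are carried to the disconnected computer on a removable drive mounted as E:\.

```powershell
# Added example, not Microsoft's script. Policy name and drive letter are placeholders.

# --- Security & Compliance PowerShell (after Connect-IPPSSession) ---
# Turn off audit data for the download account's policy before downloading labels.
Set-LabelPolicy -Identity 'Offline-Download-Policy' -AdvancedSettings @{ EnableAudit = 'False' }

# --- Connected computer, client installed and signed in as the download account ---
# Export the client logs; the client writes a single compressed file.
$exportZip = Join-Path $env:TEMP 'mpip-logs.zip'
Export-DebugLogs -FileName $exportZip   # assumption: -FileName names the output archive

# Unpack the archive and keep only the .xml policy files from its MSIP folder.
$extract = Join-Path $env:TEMP 'mpip-logs'
Expand-Archive -Path $exportZip -DestinationPath $extract -Force
$policyFiles = Get-ChildItem -Path (Join-Path $extract 'MSIP') -Filter '*.xml' -Recurse
if (-not $policyFiles) {
    throw "No .xml policy files found under $extract\MSIP; confirm labels were downloaded first"
}

# Stage the files on removable media (placeholder drive E:).
$staging = 'E:\mpip-policy'
New-Item -ItemType Directory -Path $staging -Force | Out-Null
$policyFiles | Copy-Item -Destination $staging -Force

# --- Disconnected computer ---
# Paste the staged files into %localappdata%\Microsoft\MSIP for the local user.
$staging = 'E:\mpip-policy'
$target  = Join-Path $env:LOCALAPPDATA 'Microsoft\MSIP'
New-Item -ItemType Directory -Path $target -Force | Out-Null
Copy-Item -Path (Join-Path $staging '*.xml') -Destination $target -Force

# --- Security & Compliance PowerShell, only if the account normally has internet access ---
Set-LabelPolicy -Identity 'Offline-Download-Policy' -AdvancedSettings @{ EnableAudit = 'True' }
```

The three sections run in different places, as the comments mark: the Set-LabelPolicy calls in a Security & Compliance PowerShell session, the export on the connected client, and the final copy on the disconnected computer under the local account that will use the labels.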
If your disconnected computer is running the information protection scanner, there are additional configuration steps you must take. For more information, see Restriction: The scanner server cannot have internet connectivity from the scanner deployment instructions.
Supported customizations
The information protection client supports PowerShell advanced settings and some registry settings that might be needed for specific scenarios or users.
Use the following sections to help you configure the registry for supported customizations.
Enable non-interactive upgrade from the Azure Information Protection client
If you install the Microsoft Purview Information Protection client and the Azure Information Protection unified labeling client is detected, an interactive installation of the client requires you to acknowledge that the AIP Add-in for Office from the older client will be removed.
To use a non-interactive installation for the client, such as Microsoft Update Catalog, Group Policy, or scripting, you must either first uninstall the Azure Information Protection client, or create and configure the following registry key for the local computer:
Set the value to 1 to silently allow the upgrade and uninstall the AIP Office add-in; 0 blocks the upgrade if the Azure Information Protection client is installed.
Change the local logging level
By default, the Purview Information Protection client writes client log files to the %localappdata%\Microsoft\MSIP folder. These files are intended for troubleshooting by Microsoft Support.
To change the logging level for these files, locate the following value name in the registry and set the value data to the required logging level:
Set the logging level to one of the following values:
Off: No local logging.
Error: Errors only.
Warn: Errors and warnings.
Info: Minimum logging, which includes no event IDs (the default setting for the scanner).
Debug: Full information.
Trace: Detailed logging (the default setting for clients).
This registry setting doesn't change the information that's sent to Microsoft Purview auditing.
Enable data boundary settings
Following Microsoft's commitment to EU data boundary, EU customers who use the Microsoft Purview Information Protection client can send their data to the EU to be stored and processed.
Turn on this feature in the information protection client by changing the following registry key that specifies the location to send events:
Use the system default browser for authentication
By default, the information protection client opens Microsoft Edge for authentication.
Turn on this feature in the information protection client by enabling the following registry key:
Hide the "Apply sensitivity label with Microsoft Purview" menu option in File Explorer
To hide the Apply sensitivity label with Microsoft Purview right-click menu option in File Explorer, create the following DWORD registry key that has the value name of LegacyDisable and any value data: