Extend sensitivity labeling on Windows

  • Article

Note

The Microsoft Purview Information Protection client is currently in preview and scheduled for general availability.

The Microsoft Purview Information Protection client extends sensitivity labels beyond labels that are built into Microsoft 365 apps and services, and supports a wider range of file types.

This client runs on Windows only and replaces the Azure Information Protection (AIP) unified labeling client. It has the following components:

Component Description
Information protection scanner Used to discover, label, and encrypt files on data stores such as network shares and SharePoint Server libraries.
Information protection file labeler Used to apply sensitivity labels and encryption using File Explorer.
Information protection viewer Used to view files that are encrypted.
Microsoft Purview Information Protection PowerShell module Used to adjust sensitivity labels on files, and install and configure Microsoft Purview Information Protection scanner.

There's no Office Add-in with the Microsoft Purview Information Protection client because this functionality is replaced with sensitivity labels that are built into Office.

For the latest release information and support timelines for each client version, see Microsoft Purview Information Protection client - Release management and supportability.

Requirements for deploying the information protection client

To use the Microsoft Purview Information Protection client, install this client on Windows computers where you want to use the client components.

You also must meet the following requirements:

The following operating systems support the Microsoft Purview Information Protection client:

  • Windows 11
  • Windows 10 (x86, x64) (Handwriting isn't supported in the Windows 10 RS4 build and later.)
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2 and Windows Server 2012

ARM64 isn't supported.

Install or upgrade the information protection client

To upgrade to the Microsoft Purview Information client from an existing Azure Information Protection (AIP) unified labeling client, you must first uninstall the existing the AIP client from your local computers and then perform a fresh install of the Microsoft Purview information client.

Warning

Installation of the Microsoft Purview Information Protection Client will fail if any Azure Information Protection client versions are present on the local computer.

There are two options for installing the information protection client:

  • Installing the information protection client using the .exe installer
  • Installing the information protection client using the .msi installer

If you're currently running the information protection scanner from the Azure Information Protection (AIP) unified labeling client, see Upgrade the Microsoft Purview Information Protection scanner from the Azure Information Protection client before using these client installation instructions.

To install the information protection client with the .exe file:

  1. Download the executable version of the Microsoft Purview Information Protection client from the Microsoft Download Center. For example, PurviewInfoProtection.exe.

    Important

    If there is a preview version available, use that version only for testing. It is not intended for end users in a production environment.

  2. For a default installation, simply run the executable. To view all installation options, first run the executable with /help. For example:
    PurviewInfoProtection.exe **/help**

    1. To silently install the client, run:
      PurviewInfoProtection.exe /quiet
    2. To silently install only the PowerShell cmdlets, run:
      PurviewInfoProtection.exe PowerShellOnly=true /quiet

    Note

    By default, the option to send usage statistics to Microsoft is enabled. To disable this option, make sure to take one of the following steps:

    • During installation, specify AllowTelemetry=0
    • After installation, update the registry key as follows: EnableTelemetry=0.

  3. To complete the installation, restart any instances of File Explorer.

  4. Confirm that the installation was successful by checking the install log file, which is created in the %temp% folder by default.

    The install log file has the following naming format: Microsoft_Azure_Information_Protection_<number>_<number>_MSIP.Setup.Main.msi.log

    For example: Microsoft_Azure_Information_Protection_20161201093652_000_MSIP.Setup.Main.msi.log

    In the log file, search for the following string: Product: Microsoft Purview Information Protection--Installation completed successfully. If the installation failed, this log file contains details to help you identify and resolve any problems.

    Tip

    You can change the location of the installation log file with the /log installation parameter.

Log file locations

Client and scanner log files are located in the following locations on the Windows computer:

  • \ProgramFiles (x86)\Microsoft Purview Information Protection (64-bit operating systems only)
  • \Program Files\Microsoft Purview Information Protection (32-bit operating systems only)
  • %localappdata%\Microsoft\MSIP

Supported languages

The information protection client supports the same languages that Office 365 supports. For a list of these languages, see the International availability page from Office.

For these languages, menu options, dialog boxes, and messages from the Microsoft Purview Information Protection client display in the user's language. There's a single installer that detects the language, so no additional configuration is required to install the information protection client for different languages.

However, label names and descriptions that you specify aren't automatically translated when you configure labels in the admin portal. For users to see labels in their preferred language, provide your own translations and configure them for the labels by using PowerShell and the LocaleSettings parameter for Set-Label. For more information, see Example configuration to configure a sensitivity label for different languages.

Supported file types

This section lists the file types supported by the Microsoft Purview Information Protection client. For the listed file types, WebDav locations aren't supported.

Tip

When you encrypt file types that don't have built-in support for encryption and so use generic encryption, we recommend that you assign the permission of co-owner to these files.

The following file types can be labeled without encryption.

  • Adobe Portable Document Format: .pdf

  • Microsoft Project: .mpp, .mpt

  • Microsoft Publisher: .pub

  • Microsoft XPS: .xps .oxps

  • Images: .jpg, .jpe, .jpeg, .jif, .jfif, .jfi. png, .tif, .tiff

  • Autodesk Design Review 2013: .dwfx

  • Adobe Photoshop: .psd

  • Digital Negative: .dng

  • Microsoft Office: The following file types, including 97-2003 file formats and Office Open XML formats for Word, Excel, and PowerPoint.

    Word Excel PowerPoint Visio
    .doc .xls .potm .vdw
    .docm .xlsb .potx .vsd
    .docx .xlst .pps .vsdm
    .dot .xlsm .ppsm .vsdx
    .doctm .xlsx .ppsx .vss
    .dotx .xltm .vssm
    .xltx .vst
    .vstm
    .vssx
    .vstx

Excluded folders and file types

To help prevent users from changing files that are critical for computer operations, some file types and folders are automatically excluded from labeling. If users try to label these files by using the information protection client, they see a message that those files are excluded.

The following folders are excluded from labeling by the information protection client:

  • Windows
  • Program Files (\Program Files and \Program Files (x86))
  • \ProgramData
  • \AppData (for all users)

File types that can't be encrypted by default

Any file that is password-protected can't be natively encrypted by the client unless the file is currently open in the application that applies the encryption. You most often see PDF files that are password-protected but other applications, such as Office apps, also offer this functionality.

File types supported for inspection

The information protection client uses Windows IFilter to inspect the contents of documents. Windows IFilter is used by Windows Search for indexing. As a result, the following file types can be inspected when you use the Set-FileLabel -Autolabel PowerShell command.

Application type File type
Word .doc, .docx, .docm, .dot, .dotx
Excel .xls, .xlt, .xlsx, .xlsm, .xlsb
PowerPoint .ppt, .pps, .pot, .pptx
PDF .pdf
Text .txt, .xml, .csv

Scanning .ZIP files

You can use the information protection scanner or the Set-FileLabel PowerShell command to inspect .zip files.

Note

When your information protection scanner is installed on a Windows server computer, you must also install the Microsoft Office iFilter in order to scan .zip files for sensitive information types. For more information, see the Microsoft download site.

After finding sensitive information, if the .zip file should be labeled and encrypted with a label, from the scanner deployment instructions, specify the .zip file name extension with the PowerShell PFileSupportedExtensions advanced setting.

Example scenario:

A file named accounts.zip contains Excel spreadsheets with credit card numbers. You have a sensitivity label named Confidential \ Finance, which is configured to discover credit card numbers and automatically apply the label with encryption that restricts access to the Finance group.

After inspecting the file, the client from your PowerShell session labels this file as Confidential \ Finance. Next, the client applies generic encryption to the file so that only members of the Finance groups can unzip it, and renames the file accounts.zip.pfile.

Support for disconnected computers

By default, the information protection client automatically tries to connect to the internet to download sensitivity labels and sensitivity label policy settings from Microsoft Purview.

If you have computers that can't connect to the internet for a period of time, you can export and copy files that manually manages the policy for the information protection client.

To support disconnected computers from the information protection client:

  1. Choose or create a user account in Microsoft Entra ID that you will use to download labels and policy settings that you want to use on your disconnected computer.

  2. As an additional label policy setting for this account, turn off sending audit data to Microsoft Purview by using the EnableAudit PowerShell advanced setting with Set-LabelPolicy from Security & Compliance PowerShell.

    We recommend this step because if the disconnected computer does have periodic internet connectivity, it will send logging information to Microsoft Purview that includes the user name from step 1. That user account might be different from the local account you're using on the disconnected computer.

  3. From a computer with internet connectivity that has the information protection client installed and signed in with the user account from step 1, download the labels and policy settings.

  4. From this computer, export the log files.

    For example, run the Export-DebugLogs cmdlet, or use the Export Logs option from the client's Help and Feedback dialog box from file labeler.

    The log files are exported as a single compressed file.

  5. Open the compressed file, and from the MSIP folder, copy any files that have an .xml file name extension.

  6. Paste these files into the %localappdata%\Microsoft\MSIP folder on the disconnected computer.

  7. If your chosen user account is one that usually connects to the internet, enable sending audit data again, by setting the EnableAudit value to True.

Be aware that if a user on this computer selects the Reset Settings option from Help and feedback in the file labeler, this action deletes the policy files and leaves the client inoperable until you manually replace the files or the client connects to the internet so it can download the files it needs.

If your disconnected computer is running the information protection scanner, there are additional configuration steps you must take. For more information, see Restriction: The scanner server cannot have internet connectivity from the scanner deployment instructions.

Supported customizations

The information protection client supports PowerShell advanced settings and some registry settings that might be needed for specific scenarios or users.

For the PowerShell advanced settings that are supported with New-Label or Set-Label, and New-LabelPolicy or Set-LabelPolicy from Security & Compliance PowerShell, see Advanced settings for Microsoft Purview Information Protection client.

Use the following sections to help you configure the registry for supported customizations.

Change the local logging level

By default, the Purview Information Protection client writes client log files to the %localappdata%\Microsoft\MSIP folder. These files are intended for troubleshooting by Microsoft Support.

To change the logging level for these files, locate the following value name in the registry and set the value data to the required logging level:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSIP\LogLevel

Set the logging level to one of the following values:

  • Off: No local logging.

  • Error: Errors only.

  • Warn: Errors and warnings.

  • Info: Minimum logging, which includes no event IDs (the default setting for the scanner).

  • Debug: Full information.

  • Trace: Detailed logging (the default setting for clients).

This registry setting doesn't change the information that's sent to Microsoft Purview auditing.

Enable data boundary settings

Following Microsoft's commitment to EU data boundary, EU customers who use the Microsoft Purview Information Protection client can send their data to the EU to be stored and processed.

Turn on this feature in the information protection client by changing the following registry key that specifies the location to send events:

  • Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIP\DataBoundary (DWORD)
  • Values:
    • Default = 0
    • North_America = 1
    • European_Union = 2

Enable system default browser for authentication

Use the system default browser for authentication in Microsoft Purview Information Protection client. By default, the information protection client opens Microsoft Edge for authentication.

Turn on this feature in the information protection client by enabling the following registry key:

  • Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIP\MSALUseSytemDefaultBrowserAuth (DWORD)
  • Values:
    • Disabled = 0
    • Enabled = 1

Hide the "Apply sensitivity label with Microsoft Purview" menu option in File Explorer

To hide the Apply sensitivity label with Microsoft Purview right-click menu option in File Explorer, create the following DWORD registry key that has the value name of LegacyDisable and any value data:

HKEY_CLASSES_ROOT\AllFilesystemObjects\shell\Microsoft.Azip.RightClick

How to apply sensitivity labels using the information protection client

After the Microsoft Purview Information Protection client is installed, you can apply sensitivity labels that you've created and published, by using:

To view encrypted documents, see View protected files with the Microsoft Purview Information Protection viewer.