How to install Azure Information Protection (AIP) Client using ConfigMgr

 

The Azure Information Protection client (AIP) for Windows helps you keep important documents and emails safe from people who shouldn't see them, even if your email is forwarded or your document is saved to another location. You can also use this client (AIP) to open documents that other people have protected by using the Rights Management protection technology from Azure Information Protection.  Read more information about requirements for AIP https://docs.microsoft.com/en-us/azure/information-protection/get-started/requirements

All you need is a computer that runs at least Windows 7 with Service Pack 1 ,then download and install this free AIP client from Microsoft.

Before you try to install AIP client ,there are few components as prerequisites that needs to be installed on the computer before AIP can process the policies for you.

In this blog post , we will see what are the prerequisites that are required to deploy AIP client and also their detection methods on computers that are running windows 7 SP1 and above.

Since AIP client has 4 prerequisites ,we will use task sequence to deploy AIP client instead of application deployment with dependencies. If you already have these prereq installed on all your client PC ,then you simply create AIP application and deploy without task sequence.

Before you proceed further ,would recommend to read through these articles

Azure Information Protection client administrator guide https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide

Custom configurations for the Azure Information Protection client https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-customizations

Prerequisites:

1.Microsoft .NET Framework 4.6.2 : AIP Client requires a minimum version of Microsoft .NET Framework 4.6.2 and if this is missing, the installer tries to download and install this prerequisite. When this prerequisite is installed as part of the client installation, your computer must be restarted.

2.Windows PowerShell version 4.0: The PowerShell module for the client requires Windows PowerShell version 4.0, which might need to be installed on older operating systems. For more information, see How to Install Windows PowerShell 4.0. The installer does not check or install this prerequisite for you. To confirm the version of Windows PowerShell that you are running, type $PSVersionTable in a PowerShell session .

3.Visual C++ Redistributable for Visual Studio 2015 (32-bit version) : For computers running Windows 7 Service Pack 1, install vc_redist.x86.exe from the following download page: Visual C++ Redistributable for Visual Studio 2015

4.If you have Windows 7 SP1, the Azure Information Protection client requires a specific update, KB2533623. If your PC needs this update but it is not installed, installation completes but with a message that the Azure Information Protection client requires this update. Until this update is installed, you won't be able to use all features of the Azure Information Protection client.

5. Configure the GPO with settings like ‘congratulations’ prompt for user when they launch  office apps and other settings as described in TechNet document https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-customizations

In this post, i will not go step by step creation of all the prerequisites instead, will go with some important information like installation program ,detection method and requirements etc.

Note: All these prereq files require reboot including .net, PowerShell . Without reboot ,it will not install any further components hence i leave the reboot to configmgr based on the exit codes (3010 soft reboot,1641 hard reboot)

1.Microsoft .NET Framework 4.6.2 or above:

since there is newer version of .net framework 4.7.1 available ,i will go with this version instead of 4.6.2 (min version) but in detection method ,i will look for .net 4.6.2 and above. If 4.6.2 exist ,i will not do installation of this 4.7.1 and skip this install.

Installation program : "NDP471-KB4033342-x86-x64-AllOS-ENU" /q

Detection Rule: Setting type: Registry ,Hive: Software\Microsoft\NET Framework Setup\NDP\v4\Full ,Value:Release ,data type:Integer , Operator: greater than or equal to 461310 (this is .net 4.6.1 and above)

User experience: Install for system ,weather or not user logged in and determine the behaviour based on return codes.

Requirements: Free disk space: 5GB ,OS :Windows 7 and other OS if you have.

2. Windows PowerShell version 4.0: I am going create both powershell 4.0 and powershell 5.0 as some of the windows 7 machine that has version 2.0 ,cannot be upgraded to 5 directly (at least i have seen some failures)

Installation Program: wusa.exe Windows6.1-KB2819745-x64-MultiPkg.msu /quiet

Detection Method: Powershell

if (($PSVersionTable.PSVersion | Select-Object -ExpandProperty Major) -gt 4 )
{
Write-Host "Installed"
}
else
{
}

Requirement: Windows 7 (for windows 10 ,there will be powershell 5.0 so no need to install for windows 10).

Windows PowerShell version 5.1:

Installation Program: wusa.exe Win7AndW2K8R2-KB3191566-x64.msu /quiet

Detection Method: Powershell

if (($PSVersionTable.PSVersion | Select-Object -ExpandProperty Major) -gt 5 )
{
Write-Host "Installed"
}
else
{
}

Requirement: Windows 7 (for windows 10 ,there will be powershell 5.0 so no need to install for windows 10).

3.Visual C++ Redistributable for Visual Studio 2015 (32-bit version) :

Installation program: "vc_redist.x86.exe" /q

Requirement rule: Windows 7 and windows 10.

Detection Method: Powershell . If the client has VC++ 2015 then it will skip the installation .

function Get-InstalledApps
{
if ([IntPtr]::Size -eq 4) {
$regpath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
}
else {
$regpath = @(
'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
}
Get-ItemProperty $regpath | .{process{if($_.DisplayName -and $_.UninstallString) { $_ } }} | Select DisplayName, Publisher, InstallDate, DisplayVersion, UninstallString |Sort DisplayName
}

if (Get-InstalledApps | where {$_.DisplayName -like "Microsoft Visual C++ 2015 Redistributable*"})
{
Write-Host "Installed"
}
else
{
}

4. Azure Information Protection Client: Download AIP client (AzInfoProtection.exe) from https://portal.azurerms.com/#/download (this link has both viewer and client)

Also download the KB article as said in the prereq document .

Installation Program: Create a batch script and use the following code into it. (After the patch installation is done ,it will proceed to install AIP client and no reboot is required).

REM Install the KB article
wusa.exe "%~dp0Windows6.1-KB2533623-x64.msu" /quiet /norestart

sleep 10
REM Install Azure information protection client
AzInfoProtection.exe AllowTelemetry=0 /quiet /norestart

Detection Method: Windows installer: {30F836D2-A60B-4899-A369-B0FCA2884EAF}

Requirements : Windows 7 and windows 10.

If you are installing the AIP client on computers that run Office 2010 and your users are not local administrators on their computers or you do not want them to be prompted then you must supply ServiceLocation.

If the client was not installed with the ServiceLocation parameter, when you first open one of the Office applications that use the Azure Information Protection bar (for example, Word), you must confirm any prompts to update the registry for this first-time use. Service discovery is used to populate the registry keys.

Ex: AzInfoProtection.exe /quiet /norestart ServiceLocation=https://a44b2fd2-6a02-4d36-86b4-0017a1cede50.rms.eu.aadrm.com

How to get Service location ,please refer the document here

Uninstall string for AIP: "C:\ProgramData\Package Cache\{153d0dfd-99e1-483f-9d3f-d2b5b88e016c}\AzInfoProtection.exe" /uninstall /quiet

Change the product ID of the AIP client as per the installer.

With this ,we have created 5 applications and now we can use task sequence to deploy these  applications in sequence given below.

1.Microsoft .Net Framework 4.6.2/4.7.1

2. Microsoft Powershell 4.0

3.Microsoft Powershell 5.1

4.Microsoft VC++ 2015

5.Microsoft AIP client

Troubleshooting:

Deploy the task sequence to collection (machine based) and follow the logs smsts.log,appenforce.log

image

 References:

https://docs.microsoft.com/en-us/information-protection/rms-client/client-user-guide

https://docs.microsoft.com/en-us/information-protection/rms-client/install-client-app

https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-install

https://github.com/MicrosoftDocs/Azure-RMSDocs/blob/master/Azure-RMSDocs/rms-client/client-admin-guide-install.md

2 Responses to "How to install Azure Information Protection (AIP) Client using ConfigMgr"

  1. Hi - Excellent info. Thanks for sharing.

    One request - Any chance you can post how to perform in place upgrade sql 2016 to sql 2017 within CB1802? I have completed few task like DMA and testdpupgrade, but, I am uncomfortable with SSRS - because SSRS is a separate install in sql 2017. How it will affect SSRS during the upgrade is UNKNOWN.

    Thanks

    Ram

    Reply
    1. Hi Ram,
      I did not do any testing on upgrading SQL 2016 to SQL 2017 and reporting services yet due to other priority tasks.
      I would suggest you to contact your SQL database guys if they can help you in this case .I believe upgrading of SSRS would be easier and straight forward unless you have custom configurations done.

      Regards,
      Eswar

      Reply

Post Comment