The AIP Scanner is part of the AIP Client download. After you have downloaded and installed the AIP Client, you can start the installation and configuration. But before we start the installation, let's have a look at some requirements:
- A Windows Server 2012 R2 or 2016 Server to run the service (For test and demo you can install it on a Win10 machine)
- A SQL Server 2012+ local or remote instance (Any version from Express or better is supported)
- Sysadmin role needed to install scanner service
- Service requires Log on locally right and Log on as a service right
- AIP Scanner is an AIP Premium P2/EMS E5 feature; for more details review this article:
A really good step-by-step description of how to install and configure the AIP Scanner was written by Kevin McKinnerney and can be found here:
The Add-AIPScannerRepository cmdlet adds a so-called data repository to be scanned and creates a profile of settings. For example, you can specify a default label for unlabeled files, and whether to override an existing label or not. We can specify local folders, UNC paths, and SharePoint Server URLs for SharePoint sites and libraries. The scanner can handle more than one data repository, so you can configure a mix of local folders, UNC paths and SharePoint Server URLs with different settings, all covered by one AIP Scanner installation.
To change these settings, use the Set-AIPScannerRepository cmdlet. To remove a data repository, use the Remove-AIPScannerRepository cmdlet.
The Set-AIPScannerConfiguration cmdlet is used to configure settings for the AIP Scanner. These settings include:
- Discovery mode or applies labels
- File will be relabeled YES or NO
- File attributes are changed YES or NO
- What is logged in the reports
- Scanner runs once or continuously
- Justification message used when required
- Rights Management owner for protected files
The Set-AIPScannerScannedFileTypes cmdlet is used to let the scanner know which file types should be scanned.
The cmdlet sets a list of file types to scan or exclude from scanning. To scan all file types, use *. To scan only specific file types use *.<file name extension>. To exclude specific file types from being scanned use -*.<file name extension>. And to reset the list back to default use @().
If no data repository is specified, the setting applies to all data repositories that do not have their own list specified.
https://docs.microsoft.com/en-us/powershell/module/azureinformationprotection/set-aipscannerscannedfiletypes?view=azureipps
#Add data repository C:\Temp2 and allow existing labels to be overridden
Add-AIPScannerRepository -Path C:\Temp2 -OverrideLabel On -MatchPolicy On
#Configure Scan: Scan for all known sensitive types
Set-AIPScannerConfiguration -Enforce On -Schedule OneTime -Type Full -DiscoverInformationTypes All
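The file type list syntax described above, combined with a discovery-only run, shown as an added example that is not part of the original post. The UNC path is a hypothetical repository constructed for illustration, and the example assumes the scanner service is already installed.

```powershell
# Hypothetical repository path, constructed for this example.
$fileShare = '\\fileserver01\finance'

# Register the share as a data repository with the scanner.
Add-AIPScannerRepository -Path $fileShare

# Default list (no -Repository given): scan all file types except .log and .tmp.
# This list applies to every repository that has no list of its own.
# The patterns are quoted so that "-*.log" is not parsed as a parameter name.
Set-AIPScannerScannedFileTypes -ScannedFileTypes @('*', '-*.log', '-*.tmp')

# Repository-specific list: on the share, scan only Office documents and PDFs.
# From now on the default list above no longer applies to this repository.
Set-AIPScannerScannedFileTypes -Repository $fileShare `
    -ScannedFileTypes @('*.docx', '*.xlsx', '*.pptx', '*.pdf')

# Discovery mode: -Enforce Off reports what was found without applying labels,
# so the reports can be reviewed before switching to -Enforce On.
Set-AIPScannerConfiguration -Enforce Off -Schedule OneTime -Type Full `
    -DiscoverInformationTypes All

# Review the effective settings before the scan runs.
Get-AIPScannerRepository
Get-AIPScannerConfiguration

# Reset the share's list back to the default by passing an empty array.
Set-AIPScannerScannedFileTypes -Repository $fileShare -ScannedFileTypes @()
```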