Rights Management sharing application administrator guide

Published: July 17, 2013

Updated: August 1, 2014

Applies To: Windows 7 with SP1, Windows 8, Windows 8.1

Use the following information if you are responsible for the Microsoft Rights Management sharing application on an enterprise network, or if you want more technical information than is in the Rights Management sharing application user guide or FAQ for Microsoft Rights Management Sharing Application for Windows.

Tip
If you are new to the RMS sharing app, or looking for more information, see How RMS protects all file types – by using the RMS sharing app.

The Windows version of the RMS sharing application supports a scripted installation, which makes it suitable for enterprise deployments.

The only prerequisites for installation are that the computers run Windows 7 Service Pack 1 or later, and that the Microsoft .NET Framework, minimum version 4.0, is installed. If you need to install the Microsoft .NET Framework 4.0, you can download it from the Microsoft Download Center.

  1. Go to the Microsoft Rights Management sharing application for Windows page in the Microsoft Download Center, and click Download.

  2. Select and download the files that you need. There are two client installation packages: one for Windows 64-bit (Microsoft Rights Management sharing application x64.zip), and another for Windows 32-bit (Microsoft Rights Management sharing application x86.zip).

  3. Extract the files from the compressed installation packages, for example, by double-clicking them. Then copy the extracted files to a network location that client computers can access.

The setup packages for the RMS sharing application support different deployment scenarios and include the following:

 

Description Deployment scenario

Microsoft Online Sign-In Assistant

Required for the following:

  • Office 2013 and Azure RMS or Active Directory RMS

  • Office 2010 and Azure RMS

  • RMS sharing application and Office add-in only

Hotfix for Office (KB 2596501)

Required for the following:

  • Office 2010 and Azure RMS

  • Office 2010 and Active Directory RMS

Hotfix to enable the AD RMS Client 1.0 to work with Azure RMS (KB 2843630)

Required for the following:

  • Office 2010 and Azure RMS

  • Office 2010 and Active Directory RMS

AD RMS Client and the RMS sharing application

Required for the following:

  • Office 2013 and Azure RMS or Active Directory RMS

  • Office 2010 and Azure RMS

  • Office 2010 and Active Directory RMS

  • RMS sharing application and Office add-in only

Office add-in for the ribbon

Required for the following:

  • Office 2013 and Azure RMS or Active Directory RMS

  • Office 2010 and Azure RMS

  • Office 2010 and Active Directory RMS

  • RMS sharing application and Office add-in only

Azure Active Directory Rights Management preparation tool

Required for the following:

  • Office 2010 and Azure RMS

Use the following procedures to identify the commands required to deploy the RMS sharing application for these deployment scenarios:

  • Office 2013 and Azure RMS or Active Directory RMS

    Your users are running Office 2013, your organization uses Azure RMS or Active Directory RMS, and users collaborate with other organizations who use Azure RMS or Active Directory RMS.

  • Office 2010 and Azure RMS

    Your users are running Office 2010, your organization uses Azure RMS, and users collaborate with other organizations who use Azure RMS or Active Directory RMS.

  • Office 2010 and Active Directory RMS

    Your users are running Office 2010, your organization uses AD RMS, and users collaborate with other organizations who use Azure RMS.

  • RMS sharing application and Office add-in only

    Your users are running Office 2013 or Office 2010, your organization uses AD RMS, and users do not need to collaborate with other organizations who use Azure RMS. This installation lets you install just the sharing application and Office add-in.

Note
In these scenarios, if your organization is running AD RMS, your users can receive protected content from other organizations who use Azure RMS, but your users cannot send protected content to users in an organization that uses Azure RMS. However, if your organization is running Azure RMS, your users can send and receive protected content from other organizations.

To complete the installation for each procedure, the computer must restart. You can initiate an automatic restart by using a command such as shutdown /i.

  • On each computer on which you want to install the RMS sharing application and related components, run the following command with elevated privileges:

    setup.exe /s
    

To verify success, see the Verifying installation success section in this topic.

  1. You must be the global administrator for your Office 365 or Azure Active Directory tenant so that you can get your organization’s certification service URL by running the Azure Active Directory Rights Management preparation tool. You need to run this tool only once, on a single computer. You will use the certification service URL when you install the RMS sharing application on each computer:

    1. Log in to a computer by using a local administrator account.

    2. On that computer, download and install the Microsoft Online Sign In Assistant.

    3. Run the following command to display the certification service URL on the screen, which you can then copy and save for the next step:

      • For Windows 8 and Windows 8.1, 64-bit:

        x64\aadrmprep.exe /findCertificationUrl /logfile "<log file path and name>"
        
      • For Windows 8 and Windows 8.1, 32-bit:

        X86\aadrmprep.exe /findCertificationUrl /logfile "<log file path and name>"
        
      • For Windows 7, 64-bit:

        x64\win7\aadrmprep.exe /findCertificationUrl /logfile "<log file path and name>"
        
      Note
      This command might prompt you to enter your credentials for Azure. If the computer is not joined to a domain, you will be prompted. If the computer is joined to a domain, the tool might be able to use cached credentials.

  2. On each computer on which you will install the RMS sharing application, run the following command with elevated privileges:

    setup.exe /s /configureO2010Admin /certificationUrl <certification_url>
    
  3. On each computer on which you will install the RMS sharing application, users must run the following command (does not need elevated privileges). There are different ways to achieve this, including asking users to run the command (for example, a link in an email message or a link on the help desk portal) or you can add it to their logon script:

    bin\RMSSetup.exe /configureO2010Only
    

To verify success, see the Verifying installation success section in this topic.

  1. On each computer on which you will install the RMS sharing application, run the following command with elevated privileges:

    setup.exe /s /configureO2010Admin
    
  2. On each computer on which you will install the RMS sharing application, users must run the following command (does not need elevated privileges). There are different ways to achieve this, including asking users to run the command (for example, a link in an email message or a link on the help desk portal) or you can add it to their logon script:

    • For Windows 8 and Windows 8.1, 64-bit:

      x64\aadrmprep.exe /configureO2010
      
    • For Windows 8 and Windows 8.1, 32-bit:

      X86\aadrmprep.exe /configureO2010
      
    • For Windows 7, 64-bit:

      x64\win7\aadrmprep.exe /configureO2010
      

To verify success, see the Verifying installation success section in this topic.

  1. Install the AD RMS Client and the RMS sharing application by using the following command:

    • For 64-bit Windows:

      x64\setup_ipviewer.exe /norestart /quiet /msicl "MSIRESTARTMANAGERCONTROL=Disable" /log "<log file path and name>"
      
    • For 32-bit Windows:

      X86\setup_ipviewer.exe /norestart /quiet /msicl "MSIRESTARTMANAGERCONTROL=Disable" /log "<log file path and name>"
      

    For example: \\server5\apps\rms\x64\setup_ipviewer.exe /norestart /quiet /msicl "MSIRESTARTMANAGERCONTROL=Disable" /log "C:\Log files\ipviewerinstall.log"

  2. Install the Office add-in by using the following commands:

    • For 64-bit version of Office:

      msiexec.exe /norestart /quiet MSIRESTARTMANAGERCONTROL=Disable /i "x64\Setup64.msi" /L*v "<log file path and name>"
      
    • For 32-bit version of Office:

      msiexec.exe /norestart /quiet MSIRESTARTMANAGERCONTROL=Disable /i "x86\Setup.msi" /L*v "<log file path and name>"
      

    For example: msiexec.exe /norestart /quiet MSIRESTARTMANAGERCONTROL=Disable /i "\\server5\apps\rms\x64\Setup64.msi" /L*v "C:\Log files\rmsofficeinstall.log"

To verify success, see the Verifying installation success section in this topic.

You can use the installation log files to verify a successful installation.

  • To verify success of the Setup.exe command, on each computer, search for the installation log file RMInstaller.log in the %temp%\RMS_installer_<guid> folder, and then identify the exit code.

    A successful installation has an exit code of 0 and any other number indicates a failed installation.

    Example log file name: C:\temp\RMS_Installer_9352fc91-1982-43bf-958a-2ef1fe9c2ed0\RMInstaller.log

  1. To verify success of the Setup.exe command, on each computer, search for the installation log file RMInstaller.log in the %temp%\RMS_installer_<guid> folder, and then identify the exit code.

    A successful installation has an exit code of 0 and any other number indicates a failed installation.

    Example log file name: C:\temp\RMS_Installer_9352fc91-1982-43bf-958a-2ef1fe9c2ed0

  2. To verify success for the RMSSetup.exe command, the user should have the following files created in their %localappdata%\microsoft\drm folder:

    • CERT-Machine-2048.drm

    • CERT-Machine.drm

    • CLC-*.drm

    • GIC-*.drm

    Example of a CLC-*.drm file:

    CLC-alice@isvtenant999.onmicrosoft.com-{1b9cfccf;k5b11;k4a10;kac15;k29b2b6980f4c}.drm

  1. To verify success of the Setup.exe command, on each computer, search for the installation log file in the %temp%\RMS_installer_<guid> folder, and identify the exit code.

    A successful installation has an exit code of 0 and any other number indicates a failed installation.

    Example log file name: C:\temp\RMS_Installer_9352fc91-1982-43bf-958a-2ef1fe9c2ed0

  2. To verify success of the aadrmprep.exe command, on each computer, search for the following text in the installation log file: aadrmprep.exe exited with status SUCCESS

    Note
    Sometimes, this installation can run twice; the first occurrence fails and the second is successful.

    If you want to manually check the registry changes that this tool makes, they are as follows:

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\Federation]

      "FederationHomeRealm"="urn:HostedRmsOnlineService:Certification"

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSDRM\Federation]

      "FederationHomeRealm"="urn:HostedRmsOnlineService:Certification"

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSDRM\ServiceLocation\Activation]

      @="<certification url>"

    • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Common\DRM]

      DefaultUser="<default_user>"

  1. To verify success of the Setup_ipviewer.exe command, search for the following text in the installation log file: Installation success or error status: 0

    Example lines from a successful installation:

    MSI (s) (F0:B8) [14:19:57:854]: Product: Active Directory Rights Management Services Client 2.1 -- Installation completed successfully.

    MSI (s) (F0:B8) [14:19:57:854]: Windows Installer installed the product. Product Name: Active Directory Rights Management Services Client 2.1. Product Version: 1.0.1179.1. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 0.

  2. To verify success of the Office add-in, on each computer, search for the following text in the installation log file: Installation success or error status: 0

    Example lines from a successful installation:

    MSI (s) (9C:88) [18:49:04:007]: Product: Microsoft RMS Office Addins -- Installation completed successfully.

    MSI (s) (9C:88) [18:49:04:007]: Windows Installer installed the product. Product Name: Microsoft RMS Office Addins. Product Version: 1.0.7. Product Language: 1033. Manufacturer: Microsoft. Installation success or error status: 0.
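The checks described in this section can be scripted. The following PowerShell is an added example, not part of the original guide or of Microsoft's tooling; the function names are hypothetical and the sample log lines are constructed in the format shown above (the 1603 status line is made up to stand in for a failed first attempt).

```powershell
# Added example (not Microsoft's code). Written for Windows PowerShell 2.0 and later.

function Get-MsiInstallStatus {
    param([Parameter(Mandatory=$true)][string]$LogPath)
    # Collect every status line: a log can record more than one attempt.
    $hits = @(Get-Content -LiteralPath $LogPath |
              Select-String -Pattern 'Installation success or error status: (\d+)')
    if ($hits.Count -eq 0) { return $null }        # no status line: not verified
    # The last attempt decides the outcome; 0 means success.
    [int]$hits[-1].Matches[0].Groups[1].Value
}

function Test-AadrmprepSucceeded {
    param([Parameter(Mandatory=$true)][string]$LogPath)
    # One SUCCESS line is sufficient: the tool can run twice, failing first
    # and succeeding on the second run.
    [bool](Get-Content -LiteralPath $LogPath |
           Select-String -SimpleMatch -Pattern 'aadrmprep.exe exited with status SUCCESS' -Quiet)
}

function Get-MissingRmsUserFiles {
    param([string]$DrmFolder = (Join-Path $env:LOCALAPPDATA 'Microsoft\DRM'))
    # File names and patterns that RMSSetup.exe is expected to create for the user.
    $expected = 'CERT-Machine-2048.drm', 'CERT-Machine.drm', 'CLC-*.drm', 'GIC-*.drm'
    foreach ($pattern in $expected) {
        $found = Get-ChildItem -Path (Join-Path $DrmFolder $pattern) -ErrorAction SilentlyContinue
        if (-not $found) { $pattern }              # emit each pattern with no matching file
    }
}

# --- Constructed sample: a failed attempt followed by a successful one ---
$sample = Join-Path $env:TEMP 'rms-sample-install.log'
@(
    'MSI (s) (F0:B8) [14:10:02:101]: Windows Installer installed the product. Installation success or error status: 1603.',
    'MSI (s) (F0:B8) [14:19:57:854]: Windows Installer installed the product. Installation success or error status: 0.',
    'aadrmprep.exe exited with status SUCCESS'
) | Set-Content -LiteralPath $sample

$status = Get-MsiInstallStatus -LogPath $sample
if ($status -eq 0) { 'MSI install verified' } else { "MSI install not verified (status: $status)" }
if (Test-AadrmprepSucceeded -LogPath $sample) { 'aadrmprep verified' } else { 'aadrmprep not verified' }

$missing = @(Get-MissingRmsUserFiles)
if ($missing.Count -gt 0) { "Missing user DRM files: $($missing -join ', ')" }

Remove-Item -LiteralPath $sample
```

Run the file check in the context of the user who ran RMSSetup.exe, because %localappdata% is per user.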

Not all of the installation commands that are required for these deployments support an uninstallation command. You can uninstall the AD RMS client and the sharing application, and you can uninstall the Office add-in. Use the following commands to uninstall these elements.

  • To uninstall the AD RMS client and the RMS sharing application, use the following commands:

    • For 64-bit Windows:

      x64\setup_ipviewer.exe /uninstall /quiet
      
    • For 32-bit Windows:

      x86\setup_ipviewer.exe /uninstall /quiet
      

  • To uninstall the Office add-in, use the following commands:

    • For 64-bit version of Office:

      msiexec /x "x64\Setup64.msi" /quiet
      
    • For 32-bit version of Office:

      msiexec /x "x86\Setup.msi" /quiet
      

By default, users are notified if there is a later version of the RMS sharing application, and prompted to download it. You can suppress this notification by making the following registry edit:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\RmsSharingApp: Set the AllowUpdatePrompt value to 0

The Microsoft Rights Management sharing application is an optional downloadable application for Microsoft Windows and other platforms that provides the following:

  • Protection of a single file or bulk protection of multiple files as well as all files within a selected folder.

  • Full support for protection of any type of file and a built-in viewer for commonly used text and image file types.

  • Generic protection for files that do not support RMS protection.

  • Full interoperability with files protected using Office Information Rights Management (IRM).

  • Full interoperability with PDF files protected using SharePoint, FCI, and supported PDF authoring tools.

The Microsoft Rights Management sharing application uses the new AD RMS Client 2.1 runtime. By using the functionality of AD RMS 2.1, the Microsoft Rights Management sharing application provides end users a simple protection and consumption experience.

With the October 2013 release of RMS, you can natively protect documents by using Office 2010 and send them to people in another company, who can then consume them by using Azure RMS. In addition, with this release, if you use AD RMS in Cryptographic Mode 2, you can use RMS for individuals and consume content from people in another company that uses Azure RMS. For more information about Cryptographic Mode 2, see AD RMS Cryptographic Modes.

Microsoft Rights Management sharing application supports protection at two different levels, as described in the following table.

 

Type of protection: Native and Generic

Description

Native: For text, image, Microsoft Office (Word, Excel, PowerPoint) files, .pdf files, and other application file types that support AD RMS, native protection provides a strong level of protection that includes both encryption and enforcement of rights (permissions).

Generic: For all other applications and file types, generic protection provides a level of protection that includes both file encapsulation using the .pfile file type and authentication to verify if a user is authorized to open the file.

Protection

Native: Files are fully encrypted and protection is enforced in the following ways:

  • Before protected content is rendered, successful authentication must occur for those who receive the file through email or are given access to it through file or share permissions.

  • Additionally, usage rights and policy set by the content owner when files are protected are fully enforced when the content is rendered in either IP Viewer (for protected text and image files) or the associated application (for all other supported file types).

Generic: File protection is enforced in the following ways:

  • Before protected content is rendered, successful authentication must occur for those who are authorized to open the file and given access to it. If authorization fails, the file does not open.

  • Usage rights and policy set by the content owner are displayed to inform authorized users of the intended usage policy.

  • Audit logging of authorized users opening and accessing files occurs; however, no usage rights are enforced by non-supporting applications.

Default for file types

Native: This is the default level of protection for the following file types:

  • Text and image files

  • Microsoft Office (Word, Excel, PowerPoint) files

  • Portable document format (.pdf)

For more information, see the following section, Supported file types and file name extensions.

Generic: This is the default protection for all other file types (such as .vsdx, .rtf, and so on) not supported through full protection.

You can change the default protection level that the RMS sharing application applies. You can change the default level of native to generic, from generic to native, and even prevent the RMS sharing application from applying protection. For more information, see the Changing the default protection level of files section in this topic.

The following table lists file types that are natively supported by Microsoft Rights Management sharing application. For these file types, the original file name extension is changed when native protection is applied, and these files become read-only.

In addition, when the RMS sharing application natively protects a Word, Excel, or PowerPoint file that users protect by sharing, this action automatically creates a second file that is a copy of the original with the same file name but with a .ppdf file name extension ¹. This version of the file ensures that recipients who install the RMS sharing application can always open the file that has native protection applied.

For files that are generically protected, the original file name extension is always changed to .pfile.

Warning
If you have firewalls, web proxies, or security software that inspect and take action according to file name extensions, you might need to reconfigure these to support these new file name extensions.

 

Original file name extension    RMS-protected file name extension

.txt      .ptxt
.xml      .pxml
.jpg      .pjpg
.jpeg     .ppng
.pdf      .ppdf
.png      .ppng
.tiff     .ptiff
.bmp      .pbmp
.gif      .pgif
.giff     .pgiff
.jpe      .pjpe
.jfif     .pjfif
.jif      .pjif

¹ PDF Rendering Powered by Foxit. Copyright © 2003–2014 by Foxit Corporation.

The following table lists the file types that the Microsoft Rights Management sharing application natively supports in Microsoft Office 2013 and Office 2010. For these files, the file name extension remains the same after the file is protected by RMS.

 

File types supported by Office

.doc

.docm

.docx

.dot

.dotm

.dotx

.potm

.potx

.pps

.ppsm

.ppsx

.ppt

.pptm

.pptx

.thmx

.xla

.xlam

.xls

.xlsb

.xlt

.xlsm

.xlsx

.xltm

.xltx

.xps

You can change how the RMS sharing application protects files by editing the registry. For example, you can force files that support native protection to be generically protected by the RMS sharing application.

Reasons why you might want to do this:

  • To ensure that all users can open the file from their mobile devices.

  • To ensure that all users can open the file if they don’t have an application that supports native protection.

  • To accommodate security systems that take action on files by their file name extension and can be reconfigured to accommodate the .pfile file name extension but cannot be reconfigured to accommodate multiple file name extensions for native protection.

Similarly, you can force the RMS sharing application to apply native protection to files that by default, would have generic protection applied. This might be appropriate if you have an application that supports the RMS APIs – for example, a line-of-business application written by your internal developers or an application purchased from an independent software vendor (ISV).

You can also force the RMS sharing application to block the protection of files (not apply native protection or generic protection). For example, this might be required if you have an automated application or service that must be able to open a specific file to process its contents. When you block protection for a file type, users cannot use the RMS sharing application to protect a file that has that file type. When they try, they see a message that the administrator has prevented protection and they must cancel their action to protect the file.

To configure the RMS sharing application to apply generic protection to all files that by default, would have native protection applied, make the following registry edits:

  1. HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\RMSSharingApp\FileProtection: Create a new key named *.

    This setting denotes files with any file name extension.

  2. In the newly added key of HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\RMSSharingApp\FileProtection\*, create a new string value (REG_SZ) named Encryption that has the data value of Pfile.

    This setting results in the RMS sharing application applying generic protection.

These two settings result in the RMS sharing application applying generic protection to all files that have a file name extension. If this is your goal, no further configuration is required. However, you can define exceptions for specific file types, so that they are still natively protected. To do this, you must make three additional registry edits for each file type:

  1. HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\RMSSharingApp\FileProtection: Add a new key that has the name of the file name extension (without the preceding period).

    For example, for files that have a .docx file name extension, create a key named DOCX.

  2. In the newly added file type key (for example, HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\RMSSharingApp\FileProtection\DOCX), create a new DWORD Value named AllowPFILEEncryption that has a value of 0.

  3. In the newly added file type key (for example, HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\RMSSharingApp\FileProtection\DOCX), create a new String Value named Encryption that has a value of Native.

As a result of these settings, all files are generically protected except files that have a .docx file name extension, which are natively protected by the RMS sharing application.

Repeat these three steps for other file types that you want to define as exceptions because they support native protection and you do not want them to be generically protected by the RMS sharing application.

You can make similar registry edits for other scenarios by changing the value of the Encryption string that supports the following values:

  • Pfile: Generic protection

  • Native: Native protection

  • Off: Block protection
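The registry edits above can be applied with a script. The following PowerShell is an added example, not part of the original guide or of Microsoft's tooling, and its function names are hypothetical. It uses the .NET registry API rather than New-Item because the PowerShell registry provider interprets * in a path as a wildcard, and here a key literally named * must be created.

```powershell
# Added example (not Microsoft's code). Run elevated; written for Windows PowerShell 2.0 and later.

function Set-RmsFileProtection {
    param(
        # '*' for all files, or a file name extension without the period, such as 'DOCX'.
        # The pattern rejects backslashes so a value cannot create nested keys.
        [Parameter(Mandatory=$true)][ValidatePattern('^(\*|[A-Za-z0-9]+)$')][string]$Extension,
        [Parameter(Mandatory=$true)][ValidateSet('Pfile', 'Native', 'Off')][string]$Encryption,
        [switch]$DisallowPfile      # also writes AllowPFILEEncryption = 0 (DWORD)
    )
    $path = "Software\Microsoft\MSIPC\RMSSharingApp\FileProtection\$Extension"
    # CreateSubKey takes the name literally and opens the key if it already exists.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($path)
    try {
        $key.SetValue('Encryption', $Encryption, [Microsoft.Win32.RegistryValueKind]::String)
        if ($DisallowPfile) {
            $key.SetValue('AllowPFILEEncryption', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    }
    finally { $key.Close() }
}

function Get-RmsFileProtection {
    # Read the configuration back so the result can be reviewed or logged.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'Software\Microsoft\MSIPC\RMSSharingApp\FileProtection')
    if (-not $root) { return }
    try {
        foreach ($name in $root.GetSubKeyNames()) {
            $sub = $root.OpenSubKey($name)
            New-Object PSObject -Property @{
                Extension            = $name
                Encryption           = $sub.GetValue('Encryption')
                AllowPFILEEncryption = $sub.GetValue('AllowPFILEEncryption')
            }
            $sub.Close()
        }
    }
    finally { $root.Close() }
}

# Generic protection for all files, with .docx kept as a natively protected exception.
Set-RmsFileProtection -Extension '*' -Encryption Pfile
foreach ($ext in 'DOCX') {
    Set-RmsFileProtection -Extension $ext -Encryption Native -DisallowPfile
}

Get-RmsFileProtection | Format-Table Extension, Encryption, AllowPFILEEncryption -AutoSize
```

Add further extensions to the foreach list to define more exceptions, or pass -Encryption Off for a file type whose protection should be blocked.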

© 2014 Microsoft