RMS Machine Activation

Updated: June 1, 2008

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Machine activation is a prerequisite for publishing or using rights-protected content on a client computer. Machine activation is the process by which a client computer is issued a unique lockbox and a matching RMS machine certificate. The lockbox contains the computer's private key, and the machine certificate contains the computer's public key. Because the lockbox contains the computer's private key, it is the core security principal for encryption and decryption. Each user of the computer will have a unique machine certificate that is created by the machine activation process.

The machine activation process used with the RMS client for Service Pack 1 and later is considerably different from the machine activation process in RMS client version 1. The RMS client for Service Pack 1 and later is "self-activating." When the RMS client is installed by a logged-on user, or an RMS feature is first used by a logged-on user, the client starts the activation process itself, which generates several sets of keys using the CryptoAPI included with Windows. These keys are used to perform a set of encryptions that generate a machine certificate that binds the user, the computer, and the RMS client together in the RMS trust hierarchy.
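The following is an added conceptual model of the activation described above; it is not Microsoft's RMS client code and does not reproduce the real lockbox or certificate formats. It shows the split the article describes: activation produces a key pair, the lockbox keeps the private key, the machine certificate carries the public key together with the user, computer and client identity, and each user gets a distinct certificate, so a content key protected to one user's certificate cannot be recovered with another user's lockbox. The key generation uses textbook RSA with the Python standard library only so that it runs offline; the names `activate`, `Lockbox`, `MachineCertificate`, `wrap_content_key`, `unwrap_content_key`, the user and computer names, and the content key value are all constructed for this example.

```python
"""Conceptual model of RMS self-activation (added example, not Microsoft's code).

Textbook RSA is used only so the example runs with the standard library;
the real RMS client uses Windows CryptoAPI and its own certificate format.
"""
import hashlib
import json
import random
from dataclasses import dataclass


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test (adequate for a demonstration)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set (demo-sized, not production)."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


@dataclass(frozen=True)
class Lockbox:
    """Holds the private key; stays with the activated user on that computer."""
    n: int
    d: int


@dataclass(frozen=True)
class MachineCertificate:
    """Public half of the activation: binds user, computer and client to the key."""
    user: str
    computer: str
    client_version: str
    n: int
    e: int

    def fingerprint(self) -> str:
        payload = json.dumps(
            {"user": self.user, "computer": self.computer,
             "client": self.client_version, "n": self.n, "e": self.e},
            sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


def activate(user: str, computer: str, client_version: str = "RMS client SP1",
             bits: int = 256) -> tuple[Lockbox, MachineCertificate]:
    """Self-activation: generate a key pair and split it into lockbox + certificate."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n, d = p * q, pow(e, -1, phi)
    return Lockbox(n, d), MachineCertificate(user, computer, client_version, n, e)


def wrap_content_key(cert: MachineCertificate, content_key: int) -> int:
    """Publishing side: protect a symmetric content key to a machine certificate."""
    if not 0 < content_key < cert.n:
        raise ValueError("content key must be smaller than the modulus")
    return pow(content_key, cert.e, cert.n)


def unwrap_content_key(lockbox: Lockbox, wrapped: int) -> int:
    """Consuming side: only the matching lockbox recovers the content key."""
    return pow(wrapped, lockbox.d, lockbox.n)


if __name__ == "__main__":
    # Two users activate on the same computer and get distinct certificates.
    alice_box, alice_cert = activate("CONTOSO\\alice", "WS01")
    bob_box, bob_cert = activate("CONTOSO\\bob", "WS01")
    key = 0x1234_5678_9ABC_DEF0  # constructed sample content key
    wrapped = wrap_content_key(alice_cert, key)
    print("alice recovers key:", unwrap_content_key(alice_box, wrapped) == key)
    print("bob recovers key:  ", unwrap_content_key(bob_box, wrapped) == key)
```

The point of the model is the trust boundary, not the arithmetic: anything that can read the lockbox can decrypt every content key wrapped to that user's certificate, which is why the real client keeps the private key inside the lockbox rather than in the certificate it hands out.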