Excluding Lockboxes

Updated: October 22, 2009

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

Lockboxes are used to store a user's private key. If a vulnerability is found in a certain version of a lockbox, a new lockbox is released by Microsoft. You can ensure that clients use a minimum version of the Active Directory Rights Management Services (AD RMS) client software by using the lockbox version associated with the client to exclude the previous versions of the AD RMS client software. When you enable this feature, you specify the latest minimum lockbox version that was signed by the Microsoft Activation Service. You then enable lockbox exclusion on the each AD RMS cluster on which you want it to take effect. All certification and licensing requests are checked to make sure that the lockbox meets the minimum version criteria.

If you have enabled an exclusion based on lockbox version, clients that are using a version of the lockbox software earlier than the specified version cannot acquire rights account certificates (RACs) or use licenses because their requests will be denied. These clients must install a new version of the AD RMS client software to acquire a new lockbox that uses the current version of the software.

If a user who has an excluded lockbox was previously issued licenses for content, the user can still consume that content without acquiring a new lockbox.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To enable lockbox exclusion

  • At the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path <drive>:\ExclusionPolicy\Lockbox -Name IsEnabled -Value $true

To exclude lockbox versions

  • At the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path <drive>:\ExclusionPolicy\Lockbox -Name LockboxMinimumVersion -Value <version_number>

    where <drive> is the name of the Windows PowerShell drive and <version_number> is the lowest version number of the lockbox to be supported. The version number must be expressed as a series of four numbers separated by three period (.) characters, for example, 3.0.3198.15.

See Also

Concepts

Using Windows PowerShell to Administer AD RMS
Understanding the AD RMS Administration Provider Namespace
Enabling Exclusion Policies

Other Resources

Understanding AD RMS Exclusion Policies