RMS Automatic Template Downloading on Windows 7

Recently the project I’m supporting is looking at RMS to provide information rights management (IRM) on some documents. Windows RMS provides two means to let users protect content. First, there is the ad hoc method that lets a user specify what protections they want to put on their content, and what users/groups it applies to. Second, an RMS administrator can configure standard templates (i.e. “Company Confidential”) which all users in the enterprise can use. In most organizations both content protection methods have their place.

However, I’m disappointed in how Microsoft implemented these templates. You’d think the RMS client would dynamically query the RMS server for available templates when you want to protect content and present them to the user for selection. However, it’s much more brain dead and less dynamic. In Windows XP and Vista RTM, the administrator had to ‘manually’ copy the XML templates to a special directory on each and every computer for every user. Most used a GPO or logon script. Still a kludge if you ask me.

Starting with Vista SP1 and later, including Windows 7, Microsoft included a scheduled task called “AD RMS Rights Policy Template Management” which discovers the RMS servers in the environment and downloads the templates for each user. It’s triggered to run every day at 3AM or at user logon time.

However, the default configuration of this task is brain dead. Under HKCU\Software\Microsoft\MSDRM\TemplateManagement there’s a value called “lastUpdatedTime” which gets populated each time the scheduled task runs. There’s also another value called “UpdateFrequency” which is set to 30. What does the 30 mean? It will only download templates once every 30 days. Even if you manually run the task it won’t touch the RMS servers. The minimum you can set the frequency to is once a day (1). You can, however, delete the “lastUpdatedTime” value and it will check the RMS server and re-populate the value.

Also another very important point is to add the RMS FQDN to each user’s Local Intranet security zone in IE. If you don’t do this then the task won’t authenticate to the RMS IIS server and you will get a Last Run Result of (0x8004CF43).

If the task worked, the scheduled task probably has a Last Run Result of (0x4CF04). To confirm the templates actually downloaded, go to your profile directory and under C:\Users\%username%\AppData\Local\Microsoft\DRM\Templates you should see one XML document for each template defined in the RMS console. If not, make sure you have invoked a document protection attempt in Office so that it discovers your RMS server.

Another annoyance with RMS is that Office isn’t smart enough to look in this templates folder by default. NO! Let’s make it harder on our admins to get all of this working. Under:

HKCU\Software\Microsoft\Office\14.0\Common\DRM

you need to create a REG_EXPAND_SZ value with a name of AdminTemplatePath with a value of:

%UserProfile%\AppData\Local\Microsoft\DRM\Templates

Why Microsoft needs to make this so difficult is beyond me. Personally I think the embedded RMS client should make a dynamic web services call to the RMS server when a user wants to protect content, get the latest templates, and cache them locally. Office needs to look at the default template location too. Also remember the scheduled task is NOT enabled by default. So if your organization is going to use RMS, you need to configure a GPO or script to enable the task on all Vista SP1 and later clients. If you are going to use Remote Desktop Services (RDS) or XenApp, enable the scheduled task on your servers.
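The steps above can be rolled into one script. This is an added example, not code from the original post: it targets PowerShell 2.0 as shipped with Windows 7, the full Task Scheduler path in `$TaskName` is an assumption to confirm with `schtasks /Query`, and the function names are hypothetical. It also assumes the RMS FQDN is already in the Local Intranet zone (for example via GPO).

```powershell
# Added example. Registry paths and value names are the ones described in the post.
# Assumed full task path; confirm on your build with: schtasks /Query /FO LIST
$TaskName    = '\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)'
$TmKey       = 'HKCU:\Software\Microsoft\MSDRM\TemplateManagement'
$OfficeKey   = 'HKCU:\Software\Microsoft\Office\14.0\Common\DRM'
$TemplateDir = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\Templates'

function Enable-RmsTemplateTask {
    # Machine-wide change that needs elevation: run from a startup script, not at logon.
    schtasks.exe /Change /TN $TaskName /ENABLE | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not enable the task (schtasks exit code $LASTEXITCODE)" }
}

function Set-RmsTemplateSettings {
    # Per-user settings: run in the user's context, e.g. a logon script.
    foreach ($key in $TmKey, $OfficeKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Check the RMS server daily instead of every 30 days (1 is the minimum).
    New-ItemProperty -Path $TmKey -Name UpdateFrequency -PropertyType DWord -Value 1 -Force | Out-Null
    # Removing the timestamp makes the next task run contact the RMS server.
    Remove-ItemProperty -Path $TmKey -Name lastUpdatedTime -ErrorAction SilentlyContinue
    # REG_EXPAND_SZ so %UserProfile% is expanded when Office reads the value.
    New-ItemProperty -Path $OfficeKey -Name AdminTemplatePath -PropertyType ExpandString `
        -Value '%UserProfile%\AppData\Local\Microsoft\DRM\Templates' -Force | Out-Null
}

function Get-RmsTemplateCount {
    # One XML file is expected per template defined in the RMS console.
    if (-not (Test-Path $TemplateDir)) { return 0 }
    return @(Get-ChildItem -Path $TemplateDir -Filter *.xml).Count
}

Set-RmsTemplateSettings
$count = Get-RmsTemplateCount
if ($count -eq 0) {
    Write-Warning "No templates in $TemplateDir yet. Check the task's Last Run Result and that Office has attempted a protection once."
} else {
    Write-Output "$count RMS template(s) present in $TemplateDir"
}
```

Call `Enable-RmsTemplateTask` separately from an elevated context; the per-user part needs no administrative rights because it only writes to HKCU.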

SIA311: RMS in Server 2008 R2 and beyond

This session covered some new cool features of RMS when combined with Windows Server 2008 R2 and Exchange 2010. Some of the new features include:

– AD RMS bulk protection tool. This tool can bulk encrypt and decrypt Microsoft Office files and attachments within PSTs. The tool can be extended to other file formats (like PDF) with third party IRM protectors. For example, Foxit makes a PDF protector.

– Windows Server 2008 R2 has a new feature called the File Classification Infrastructure (FCI). This service is highly customizable: it searches file contents and can perform almost any action, including protecting a file with RMS. For example, you can set up a regular expression to search for strings that look like credit card numbers and automatically apply a policy. If you want near real-time protection, see this blog post. Titus Labs has some additional FCI add-ons you can find here.

– RMS can now be deployed and managed by PowerShell.

– The presenter covered several Exchange 2010 integration points, nearly all of which I’ve covered in other blogs this week. A few that I didn’t mention include the ability to mark a voice mail as private, which prevents you from forwarding it to anyone else. RMS integration with OWA supports IE, Firefox, Safari and Chrome. Exchange 2010 SP1 will provide the ability to preview RMS protected attachments in OWA. There are also enhancements with cross premises IRM support for Exchange online and the Microsoft Federation Gateway.

– The next version of Mac Office (probably 2011) will provide full support for RMS protected documents, templates, and emails. No firm release date, but probably next year.

– The speaker also mentioned a company, Gigatrust, which enhances RMS to support additional file types.


The most powerful feature of RMS on Server 2008 R2 is the file classification tool. Microsoft has partnered with RSA to provide an RMS integration solution for data loss prevention (DLP). See more information here.

If you are tired of the constant security problems with Adobe Reader and Acrobat, I was very pleased to hear Foxit has full RMS support via their PDF Security Suite. Personally I’m tired of the Adobe bloat, nearly weekly security problems with their products, and very poor cumulative patching mechanism.
