Recently the project I’m supporting is looking at RMS to provide information rights management (IRM) on some documents. Windows RMS provides two means to let users protect content. First, there is the ad hoc method that lets a user specify what protections they want to put on their content, and which users/groups it applies to. Second, an RMS administrator can configure standard templates (e.g. “Company Confidential”) which all users in the enterprise can use. In most organizations both content protection methods have their place.
However, I’m disappointed in how Microsoft implemented these templates. You’d think the RMS client would dynamically query the RMS server for available templates when you want to protect content and present them to the user for selection. However, it’s much more brain dead and less dynamic. In Windows XP and Vista RTM, the administrator had to ‘manually’ copy the XML templates to a special directory on each and every computer for every user. Most used a GPO or logon script. Still a kludge if you ask me.
Starting with Vista SP1 and later, including Windows 7, Microsoft included a scheduled task called “AD RMS Rights Policy Template Management” which discovers the RMS servers in the environment and downloads the templates for each user. It’s triggered to run every day at 3AM or at user logon time.
However, the default configuration of this task is brain dead. Under HKCU\Software\Microsoft\MSDRM\TemplateManagement there’s a value called “lastUpdatedTime” which gets populated each time the scheduled task actually contacts the RMS server. There’s also another value called “UpdateFrequency” (REG_DWORD) which is set to 30. What does the 30 mean? It will only download templates once every 30 days. Even if you manually run the task before the 30 days are up, it won’t touch the RMS servers. The minimum you can set the frequency to is once a day (1). You can, however, delete the “lastUpdatedTime” value; the next run will then check the RMS server and re-populate it.
Another very important point is to add the RMS server’s FQDN to each user’s Local Intranet security zone in IE, because that is the zone where Internet Explorer performs automatic (integrated Windows) authentication. If you don’t do this then the task won’t authenticate to the RMS IIS server and you will get a Last Run Result of (0x8004CF43).
If the task worked, the scheduled task probably shows a Last Run Result of (0x4CF04). To confirm the templates actually downloaded, go to your profile directory and under C:\Users\%username%\AppData\Local\Microsoft\DRM\Templates you should see one XML document for each template defined in the RMS console. If not, make sure you have invoked a document protection attempt in Office so that the client discovers your RMS server (the discovery step is what tells the task which server to contact).
Another annoyance with RMS is that Office isn’t smart enough to look in this templates folder by default. NO! Let’s make it harder on our admins to get all of this working. Under:
HKCU\Software\Microsoft\Office\14.0\Common\DRM
you need to create a REG_EXPAND_SZ value with a name of AdminTemplatePath with a value of:
%UserProfile%\AppData\Local\Microsoft\DRM\Templates
Why Microsoft needs to make this so difficult is beyond me. Personally I think the embedded RMS client should make a dynamic web services call to the RMS server when a user wants to protect content, get the latest templates, and cache them locally. Office needs to look at the default template location too. Also remember the scheduled task is NOT enabled by default. So if your organization is going to use RMS, you need to configure a GPO or script to enable the task on all Vista SP1 and later clients. If you are going to use Remote Desktop Services (RDS) or XenApp, enable the scheduled task on your servers.
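Pulling the steps above together, here is an added PowerShell logon script (my own example, not something from the original post or from Microsoft) that enables the task, forces a fresh template pull, whitelists the RMS host in IE’s Local Intranet zone, and points Office 2010 at the download folder. It assumes the RMS server is rms.contoso.com (a placeholder; change it), Office 14.0 (2010), and the Windows 7 task path shown in $TaskName; the “Last Result” string comes from the schtasks verbose listing.

```powershell
# Added example, not from the original post. Assumes Windows 7, Office 2010 (14.0)
# and an RMS server FQDN of rms.contoso.com (placeholder; replace with yours).
# Run in the user's context (everything here lives under HKCU), e.g. as a logon script.

$RmsFqdn       = 'rms.contoso.com'   # placeholder, not a real server
$OfficeVersion = '14.0'              # 12.0 for Office 2007, 15.0 for Office 2013

# 1. Enable the template download task, which is disabled by default.
#    Task path as it appears in the Windows 7 Task Scheduler library (assumption).
$TaskName = '\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)'
schtasks.exe /Change /TN $TaskName /ENABLE | Out-Null

# 2. Make the task actually poll: minimum UpdateFrequency is daily (1), and removing
#    lastUpdatedTime forces a real fetch on the next run instead of a 30-day wait.
$Tm = 'HKCU:\Software\Microsoft\MSDRM\TemplateManagement'
if (-not (Test-Path $Tm)) { New-Item -Path $Tm -Force | Out-Null }
Set-ItemProperty    -Path $Tm -Name 'UpdateFrequency' -Value 1 -Type DWord
Remove-ItemProperty -Path $Tm -Name 'lastUpdatedTime' -ErrorAction SilentlyContinue

# 3. Put the RMS host in IE's Local Intranet zone (zone id 1) so the task can use
#    integrated Windows auth against the RMS IIS server. The ZoneMap key is split
#    into <domain>\<host>; "rms.contoso.com" becomes Domains\contoso.com\rms.
#    ($Host is a reserved automatic variable, hence $HostLabel.)
$HostLabel = $RmsFqdn.Split('.')[0]
$Domain    = $RmsFqdn.Substring($HostLabel.Length + 1)
$Zone = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain\$HostLabel"
if (-not (Test-Path $Zone)) { New-Item -Path $Zone -Force | Out-Null }
Set-ItemProperty -Path $Zone -Name 'https' -Value 1 -Type DWord
Set-ItemProperty -Path $Zone -Name 'http'  -Value 1 -Type DWord

# 4. Tell Office where the task drops the templates (REG_EXPAND_SZ, per the post).
$DrmKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Common\DRM"
if (-not (Test-Path $DrmKey)) { New-Item -Path $DrmKey -Force | Out-Null }
Set-ItemProperty -Path $DrmKey -Name 'AdminTemplatePath' `
    -Value '%UserProfile%\AppData\Local\Microsoft\DRM\Templates' -Type ExpandString

# 5. Kick the task now and report the result code plus how many templates landed.
schtasks.exe /Run /TN $TaskName | Out-Null
Start-Sleep -Seconds 10
$TemplateDir = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\Templates'
$Count = @(Get-ChildItem -Path $TemplateDir -Filter '*.xml' -ErrorAction SilentlyContinue).Count
schtasks.exe /Query /TN $TaskName /FO LIST /V | Select-String 'Last Result'
"Templates downloaded for $env:USERNAME`: $Count"
```

Two caveats: the task only knows which server to contact once the RMS client has done service discovery, so a zero count on first run usually means the user has not yet attempted to protect a document in Office; and if your domain enforces the “Site to Zone Assignment List” Group Policy, Internet Explorer ignores per-user ZoneMap entries like the one in step 3, so add the RMS FQDN to that policy instead.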