Pro-Exchange,Lync & Office 365
Belgian Microsoft Unified Communications Professionals
Microsoft Exchange Server, Microsoft Lync Server & Office 365
Integrating AD RMS with Exchange 2010 (part 3)


In the first part of this article, we talked about what AD RMS was and how to setup a small test-environment. In the second part, I showed how to integrate RMS with Exchange 2010 and how you could/should create and deploy rights policy templates to your users.

Today, I’ll show you how to protect a new mail message using Outlook 2010 or OWA and I will also be talking about the more automated ways of integrating RMS templates: Outlook- & Transport protection Rules.


Outlook- & Transport Protection Rules

If we would use the environment that we created during the past two parts of this article, creating rights-protected content would entirely be up to the user. This would mean that if the user did not apply a RMS template on an outgoing message, the message could still leave the organization without being protected, possibly leaving sensible information unprotected.

There are cases in which you might want content always to be protected (e.g. email coming from the financial department). Outlook- & Transport Protection rules enable you to create “rules” that will automatically apply a RMS template, without any user intervention. The main difference between both is that an Outlook Protection Rule will encrypt the message when it leaves the user’s computer (before hitting the hub  transport servers) whereas a Transport Protection Rule will apply a RMS template while the message is in transit (on the hub transport servers). In the latter case, the user will have no idea whether the message will be encrypted or not. Outlook Protection Rules allows the user to see that the message was encrypted and – if configured – also allows the user to modify the template used to encrypt the message.

If you want to use Outlook Protection Rules, you also have to make sure that the template that is defined in the rule also is available on the client’s computer. For more information on how to achieve that, please take a look at my previous article.

Whenever a message is protected with an Outlook Protection Rule, it is encrypted and therefor – normally – not readable to a hub transport server. This would definitely limit processing options during transport (e.g. for message compliancy). Fortunately, Exchange 2010 allows you to enable “transport decryption”. The decryption agent will decrypt the message upon reception, allowing other agents to also process the message (e.g. append a disclaimer etc.). Once processing is complete, the hub transport server will re-encrypt the message with the same AD RMS template that was used to encrypt it in the first place, before sending it out onto the internet.

For more information about transport decryption and –agents, have a look here: and

Creating Outlook Protection Rules

Creating an Outlook Protection Rule is pretty straightforward, however you can only do this using the Exchange Management Shell (EMS):

New-OutlookProtectionRule –Name <name> –ApplyRightsProtectionTemplate <name_of_the_rms_template>


In the example above, I first queried for all availably RMS templates using the Get-RMSTemplate cmdlet. I then used the “Do Not Print” template to create an Outlook Protection Rule that would apply to all email messages.

If you want to limit the scope of the Outlook Protection Rule, you would use either the –SentTo or –SentToScope parameters:


Notice that I added the –SendToScope “inOrganization” parameter. This will make sure that the Outlook Protection Rule is only applied to messages sent internally.

Note: I replaced the name of the RMS template by the TemplateGUID. This because I created a duplicate RMS-template called “Do Not Forward and wanted to be sure the correct one was selected.

For more information on the New-OutlookProtectionRule and it’s parameters, please check:


Creating Transport Protection Rules

Transport protection rules are “no more” than regular transport rules which we use to apply an AD RMS Template to a message. Creating transport rules can either be done through the EMC or the EMS.
In order to alternate between EMS and EMC, I will show you how to perform this task using the EMC. However, if you want to use the EMS, take a look here:

Open the EMC and navigate to “Organization Configuration” > “Hub Transport”; select the “Transport Rules”-tab from the result pane and click “New Transport Rule” from the actions pane.


This will launch the “New Transport Rule”-wizard.

Enter descriptive details and click Next:


Select an appropriate condition that meets your requirement and click Next. In this example I chose to create a condition based on the membership of a Distribution Group “HR”:


Select “Rights Protect Message with RMS Template” and click the underlined text “RMS Template”:


Select the desired RMS Template and confirm:


Click Next.


Add an exception (if required) and click Next:


Click Next again and then click New.


Creating a rights-protected document with Outlook

Besides the automatic application of RMS templates (through Outlook- or Transport Protection Rules), a user can still decide to apply a RMS template to a message himself.

Open a new mail message and navigate to the options-tab. From there, click the arrow under “Permission”:


Select an available template to apply it to the message.



Creating a rights-protected document with OWA

From within OWA, open a new mail message and click the arrow next to the permissions-icon. Select an available template to apply it to the message.



Throughout the past few articles, we created a simple RMS infrastructure and integrated it with Exchange 2010. We deployed some RMS templates and distributed them to a Windows 7 machine.
Afterwards we’ve also taken a look at the more automated ways of integrating RMS through protection rules.

I hope that you feel a bit more confident with regards to RMS/IRM now and if if you have any questions, please don’t hesitate to comment or to contact me directly.

See you next time!


Posted 08-28-2011 10:25 by Michael Van Horenbeeck


you could check here wrote you could check here
on 09-10-2014 3:43

Integrating AD RMS with Exchange 2010 (part 3) - Exchange 2010 - Pro-Exchange,Lync & Office 365