Enable or Disable Transport Decryption

Applies to: Exchange Server 2010

Enabling transport decryption allows the Transport Rules agent on Hub Transport servers to access content in messages protected by Information Rights Management (IRM). As a result, other transport agents can access message content and possibly make changes to it. For example, the Transport Rules agent may need to inspect message content and apply transport rules (such as rules that apply a disclaimer to the message). To successfully decrypt IRM-protected messages, you must add the Federated Delivery mailbox to the super users group configured on your Active Directory Rights Management Services (AD RMS) server.

Important

Members of the super users group are granted an owner use license when they request a license from the AD RMS cluster. This allows them to decrypt all RMS-protected content created by that AD RMS cluster.

When enabling transport decryption, you can specify the following settings:

• Mandatory   Rejects messages that can't be decrypted and returns a non-delivery report (NDR) to the sender.
• Optional   Uses a best-effort approach to decryption. If possible, messages are decrypted, but they're delivered even if decryption fails.

To learn more about transport decryption, see Understanding Transport Decryption.

Looking for other management tasks related to IRM? Check out Managing Information Rights Management.

Prerequisites

• An AD RMS server exists in the Active Directory forest and is accessible.
• The Federated Delivery mailbox has been added to the AD RMS super users group. For details, see Add a Federated Delivery Mailbox to the AD RMS Super Users Group.

Use the Shell to enable transport decryption

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Rights protection" entry in the Messaging Policy and Compliance Permissions topic.

Note

You can't use the EMC to enable transport decryption.

This example enables transport decryption for the Microsoft Exchange Server 2010 organization. Messages that can't be decrypted are rejected, and an NDR is returned to the sender.

Set-IRMConfiguration -TransportDecryptionSetting Mandatory

For detailed syntax and parameter information, see Set-IRMConfiguration.

Use the Shell to disable transport decryption

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Rights protection" entry in the Messaging Policy and Compliance Permissions topic.

Note

   You can't use the EMC to disable transport decryption.

This example disables transport decryption for the Exchange 2010 organization.

Set-IRMConfiguration -TransportDecryptionSetting Disabled

For detailed syntax and parameter information, see Set-IRMConfiguration.

Other Tasks

After you enable or disable transport decryption, you may also want to:

• Enable or Disable Journal Report Decryption
• Enable or Disable Information Rights Management in Outlook Web App