다음을 통해 공유

AD RMS Decommissioning for modern Office clients

  • 아티클

The current AD RMS guidance for decommissioning the service does not work with newer Office versions. By newer versions, I am referring to Office 2010 and newer. These versions do not support the decommissioning pipeline. The documentation to which I am referring is: Decommission AD RMS.

The decommissioning process that I've been sharing with users involve Office registry settings to prevent the creation of new content. After giving end users the opportunity to unprotect their content use another registry setting in Office to disable all RMS functionality. Use a superuser to recover any data end users did not unprotect. 

Before getting rid of your AD RMS server(s) please do the following. If you have the default AD RMS centrally managed keys we may export the keys and or recover them via SQL restore.  Option one is backing up the AD RMS keys via a TPD export. If you hang on to the AD RMS SQL databases, and know the cluster key password (second option below), we should be able to get our centrally managed AD RMS keys back if needed. 

  1. Export your Trusted Publishing Domains (TPDs) for safe keeping. See this link for details.
  2. Reset the cluster key password if restoring the AD RMS databases needs to be an option for recovering data in the future. 

"Decommission"

  1. Roll out the DisableCreation registry setting to the clients. (This prevents the creation of new content but allows the consumption of protected content)
  2. Inform users that AD RMS is going away. State they need to start removing any protection applied to the content. Provide an end date.
  3. After the end date arrives, start rolling out new registry settings to the clients. (This prevents the users from creating or opening any RMS content)
    1. Set DisableCreation to 0.
    2. Create/set Disable to 1.
  4. If users are unable to open content you may use a superuser to decrypt if for them. The super users cannot have the Disable setting if using Office applications to do the decryption.

Registry Settings

Disable creation of IRM protected content in all Office applications

Office 2010: HKCU\Software\Microsoft\Office\14.0\Common\DRM
Office 2013: HKCU\Software\Microsoft\Office\15.0\Common\DRM
Office 2016: HKCU\Software\Microsoft\Office\16.0\Common\DRM
  Name:  DisableCreation
  Type:  DWORD
  Value: 0/1

  0 = No functionality affected by this registry key
  1 = IRM protection options are removed; you can still consume protected files.

Disable all Office IRM functionality

Office 2010: HKCU\Software\Microsoft\Office\14.0\Common\DRM
Office 2013: HKCU\Software\Microsoft\Office\15.0\Common\DRM
Office 2016: HKCU\Software\Microsoft\Office\16.0\Common\DRM
  Name:  Disable
  Type:  DWORD
  Value: 0/1

  0 = No functionality affected by this registry key
  1 = All IRM functionality is removed; IRM is disabled