Nov 8, 2011 4:08:49 AM
Configuring a Non-Domain-Joined RMS Client Machine

In most corporate environments, when you roll out RMS to the client machines you're talking about domain-joined machines that you are configuring via group policy, SCCM and similar desktop deployment tools. But what if you have a few users who need to have access to RMS-protected content from non-domain-joined clients? What if they need to apply rights-protections to content as well? With your custom templates no less, then what? Under some circumstances, it may be possible to get RMS configured on a non-domain-joined client machine just by asking the user to open a rights-protected document, but whether this will work or not depends on a lot of variables, and it's not a reliable solution. Your best bet is to hand the user an easy-to-run script packaged with your rights policy templates to line all the ducks up in a row automatically.

Things to think about when you start down this path include:

  • Does the end user have an account in your domain? RMS will work from a non-domain-joined computer, but the user still needs to be able to authenticate to the domain. The user's AD account also needs to be populated with an e-mail address in the mail field.
  • Will the user be attempting to use RMS from inside the corporate firewall or outside? If outside, are the RMS certification and licensing pipelines available outside the corporate firewall? If the RMS pipelines are not available outside the corporate firewall, does the user have the option to open a VPN connection?
  • Was the SSL certificate used to secure the RMS pipelines issued by a trusted certificate authority (VeriSign, Entrust, GoDaddy, etc.)? If not, in addition to the below-described configuration, you will also need to configure the user's machine to trust the root certificate of the CA that issued the certificate (typically an internal PKI).

The following PowerShell script was designed for use on Windows 7 and, as written, works with Office 2010, but can be modified for Office 2007 or Office 2003. If you need a script for Windows XP, PowerShell may not be the best choice, since it's not installed on XP by default. Plus, the rights policy template path referenced in the script is not valid on XP and XP also requires that the user install the RMS fat client (which is built into the OS on Windows 7).

The script is designed to do the following:

  1. Set an IE trust in the "Local Intranet" zone for the RMS cluster name. For example: https://rms.example.com
  2. Set the registry keys in the below table (note that some are HKLM and some are HKCU).
  3. Copy your RMS rights policy template files to the default location for templates on Windows 7 (creating the DRM and Templates directories if necessary): %localappdata%\Microsoft\DRM\Templates
Path Name Type Value
HKLM\Software\Microsoft\Office\14.0\Common\DRM CorpLicenseServer REG_SZ https://rms. example.com/_wmcs/licensing
HKLM\Software\Microsoft\Office\14.0\Common\DRM CorpCertificationServer REG_SZ https://rms. example.com/_wmcs/certification
HKCU\Software\Microsoft\Office\14.0\Common\DRM AdminTemplatePath REG_EXPAND_SZ %localappdata%\Microsoft\DRM\Templates
HKCU\Software\Microsoft\Office\14.0\Common\DRM DisablePassportCertification REG_DWORD 1

To use this script, copy the script contents to a file and edit the first two variables to match your RMS server cluster name (e.g. rms.example.com). If your RMS server cluster has a different name internally and externally, you'll need to configure the script appropriately for the location from which the user will be accessing RMS. Package the script together with the below-described batch file for ease of use. Out-of-the box, PowerShell on Windows 7 disables the use of unsigned scripts within the PowerShell interface. This batch file gets around that problem. If you prefer to just execute the PowerShell script from within the PowerShell window, you may need to enable RemotedSigned for the PowerShell ExecutionPolicy. If you would like the user to be able to apply rights-protections to content using your custom rights-policy templates, package the script together with the XML files for your rights policy templates (e.g. "Read Only for Employees.xml" and "Allow Print for Employees.xml") as well. The script and batch file assume that the batch file and the XML files are in the same directory as the PowerShell script.

If you decide not to distribute your rights policy templates, you can also skip setting the AdminTemplatePath registry setting. The DisablePassportCertification setting is included because leaving passport certification enabled can cause confusion for end users who are trying to certify to your corporate RMS environment, not Microsoft's passport-based RMS. However, this setting is not required for RMS functionality, and you can feel free to remove it.

Note that this script needs to be run as administrator in order to allow it to set HKLM registry settings. To use the script with the batch file, right-click the batch file name in Windows Explorer and choose to "Run as administrator." To use the script without the batch file, open a PowerShell window using the "Run as administrator" option, change to the directory in which you placed the PowerShell script and the rights policy templates, and execute the script from there.

Configure_RMS.ps1

# Set variables
# Set the $DomainName variable to the DNS domain name of your RMS server cluster
# (e.g. example.com, example.local). If your internal RMS cluster name differs from your
# external RMS cluster name (e.g. internal is rms.example.local, external is rms.example.com),
# set the domain name that's appropriate for the end user--external domain if the user will be
# contacting the RMS server cluster from outside the firewall or internal domain name if the
# user will be contacting the RMS server cluster from inside the firewall or over a VPN
# connection.
$DomainName = "example.com"
# Set the @RMSClusterName variable to the short DNS alias name that represents the RMS server
# cluster--e.g. RMS.
$RMSClusterName = "rms"
# Functionality to quit if the requested Office version is not installed. Do not change
# this variable.
$Continue = $true
# Registry key paths. Do not change these variables unless you are modifying the script
# to support a different version of Office. Office 2010 uses 14.0 in the paths, Office 2007
# uses 12.0 in the paths, and Office 2003 uses 11.0 in the paths.
$IETrust = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
$HKLMPath = "HKLM:\Software\Microsoft\Office\14.0\Common"
$HKCUPath = "HKCU:\Software\Microsoft\Office\14.0\Common"

# Set IE trust in Local Intranet zone
If (Test-Path "$IETrust\$DomainName")
{
   # Zone already exists for requested $DomainName
   If (Test-Path "$IETrust\$DomainName\$RMSClusterName")
   {
      # Zone already exists for requested $DomainName and $RMSClusterName.
      # Set the HTTPS value even if it already exists.
      Write-Host "`n`nCreating IE trust in existing RMS cluster name...`n`n"
      New-ItemProperty "$IETrust\$DomainName\$RMSClusterName" -Name https `
         -PropertyType DWord -Value 1 -Force
   }
   else
   {
      # Requested $RMSClusterName does not exist. Create it and the HTTPS value.
      Write-Host "`n`nCreating RMS cluster name zone...`n`n"
      New-Item "$IETrust\$DomainName\$RMSClusterName"
      Write-Host "`n`nCreating IE trust in new RMS cluster name zone...`n`n"
      New-ItemProperty "$IETrust\$DomainName\$RMSClusterName" -Name https `
         -PropertyType DWord -Value 1
   }
}
else
{
   # Zone does not exist for requested $DomainName. Create it, $RMSClusterName
   # and the HTTPS value.
   Write-Host "`n`nCreating domain name zone...`n`n"
   New-Item "$IETrust\$DomainName"
   Write-Host "`n`nCreating RMS cluster name zone in new domain name zone...`n`n"
   New-Item "$IETrust\$DomainName\$RMSClusterName"
   Write-Host "`n`nCreating IE trust in new RMS and domain name zones...`n`n"
   New-ItemProperty "$IETrust\$DomainName\$RMSClusterName" -Name https `
      -PropertyType DWord -Value 1
}

# Set registry key options for location of the RMS server cluster for the specified
# Microsoft Office version.
If (Test-Path "$HKLMPath")
{
   # The specified Microsoft Office version appears to be installed.
   If (Test-Path "$HKLMPath\DRM")
   {
      # DRM key already exists. Create the registry values, even if they already exist.
      Write-Host "`n`nCreating HKLM registry keys in pre-existing DRM key...`n`n"
      New-ItemProperty "$HKLMPath\DRM" -Name CorpLicenseServer -PropertyType String `
         -Value https://$RMSClusterName.$DomainName/_wmcs/licensing -Force
      New-ItemProperty "$HKLMPath\DRM" -Name CorpCertificationServer -PropertyType String `
         -Value https://$RMSClusterName.$DomainName/_wmcs/certification -Force
   }
   else
   {
      # DRM key does not exist. Create it and the registry keys.
      Write-Host "`n`nCreating new DRM key under HKLM path...`n`n"
      New-Item "$HKLMPath\DRM"
      Write-Host "`n`nCreating HKLM registry keys in new DRM key...`n`n"
      New-ItemProperty "$HKLMPath\DRM" -Name CorpLicenseServer -PropertyType String `
         -Value https://$RMSClusterName.$DomainName/_wmcs/licensing
      New-ItemProperty "$HKLMPath\DRM" -Name CorpCertificationServer -PropertyType String `
         -Value https://$RMSClusterName.$DomainName/_wmcs/certification
   }
}
else
{
   # WARNING: Script will stop at this point and make no further changes if the correct
   # HKLM path for the specified Office version is not found.
   Write-Host "The specified Microsoft Office version does not appear to be installed."
   $Continue = $false
}

If ($continue)
{
   # Set registry key options in HKCU for the specified Office version.
   If (Test-Path "$HKCUPath")
   {
      # The specified Microsoft Office version appears to be installed.
      If (Test-Path "$HKCUPath\DRM")
      {
         # DRM key already exists. Create the registry values, even if they already exist.
         Write-Host "`n`nCreating HKCU registry keys in pre-existing DRM key...`n`n"
         New-ItemProperty "$HKCUPath\DRM" -Name AdminTemplatePath -PropertyType ExpandString `
            -Value %localappdata%\Microsoft\DRM\Templates -Force
         New-ItemProperty "$HKCUPath\DRM" -Name DisablePassportCertification `
            -PropertyType DWord -Value 1 -Force
      }
      else
      {
         # DRM key does not exist. Create it and the registry keys.
         Write-Host "`n`nCreating new DRM key under HKCU path...`n`n"
         New-Item "$HKCUPath\DRM"
         Write-Host "`n`nCreating HKCU registry keys in new DRM key...`n`n"
         New-ItemProperty "$HKCUPath\DRM" -Name AdminTemplatePath -PropertyType ExpandString `
            -Value %localappdata%\Microsoft\DRM\Templates
         New-ItemProperty "$HKCUPath\DRM" -Name DisablePassportCertification `
            -PropertyType DWord -Value 1
      }
   }
   else
   {
      # WARNING: Script will stop at this point and make no further changes if the correct
      # HKCU path for the specified Office version is not found.
      Write-Host "The specified Microsoft Office version does not appear to be installed."
      $Continue = $false
   }

   # Install rights policy templates.
   If (Test-Path "$env:localappdata\Microsoft\DRM")
   {
      # DRM folder already exists.
      If (Test-Path "$env:localappdata\Microsoft\DRM\Templates")
      {
         # Templates folder under DRM already exists. Copy templates to it,
         # overwriting existing files.
         Write-Host "`n`nCopying policy templates to pre-existing Templates folder...`n`n"
         Copy-Item *.xml "$env:localappdata\Microsoft\DRM\Templates"
      }
      else
      {
         # Templates folder under DRM does not exist. Create it and copy templates to it,
         # overwriting existing files.
         Write-Host "`n`nCreating Templates folder in pre-existing DRM folder...`n`n"
         New-Item "$env:localappdata\Microsoft\DRM\Templates" -Type Directory
         Write-Host "`n`nCopying policy templates to new Templates folder...`n`n"
         Copy-Item *.xml "$env:localappdata\Microsoft\DRM\Templates"
      }
   }
   else
   {
      # DRM folder does not exist. Create it and the Templates folder and copy
      # templates to it, overwriting existing files.
      Write-Host "`n`nCreating DRM folder...`n`n"
      New-Item "$env:localappdata\Microsoft\DRM" -Type Directory
      Write-Host "`n`nCreating Templates folder in new DRM folder...`n`n"
      New-Item "$env:localappdata\Microsoft\DRM\Templates" -Type Directory
      Write-Host "`n`nCopying rights policy templates to new Templates folder...`n`n"
      Copy-Item *.xml "$env:localappdata\Microsoft\DRM\Templates"
   }
}

Configure_RMS.bat

pushd %~dp0
powershell.exe -command ^
  "& {set-executionpolicy Remotesigned -Scope Process; .'.\Configure_RMS.ps1' }"
popd
pause

Once the script has been run, the end user should be able to open existing rights-protected content or apply rights-protections to content. In many instances, the user will be prompted to enter his or her username and password for your Active Directory domain when using RMS. If the user is connected to your internal network using a VPN connection, RMS may be able to pick up the user's credentials from the VPN and won't prompt the user for authentication.

You may be aware that there are two approaches to configuring the location of the RMS server cluster in the registry on RMS clients. The approach used here is specific to Office applications, using the CorpLicenseServer and CorpCertificationServer registry settings. The other choice is to use the Activation and EnterprisePublishing registry settings, which are global and apply to all applications that use RMS, not just Office. The problem with a scripted approach with these settings is that the settings go in different locations in the registry depending on whether the OS is 32-bit or 64-bit and whether the version of Office (or other application) used is 32-bit or 64-bit. However, if you need to support RMS in third-party applications, you'll need to use the Activation and EnterprisePublishing settings. If you need to go this route and aren't sure whether you're working with 32-bit or 64-bit, you can always configure these settings both in the regular tree in the registry and in the wow6432node tree. On the plus side, if you use the Activation and EnterprisePublishing settings, you don't need to know what version of Office the user is running. (RMS only works with Office 2003 and higher.)