
RMS: Protecting Your Assets.

The Protecting 'My' Asset Disclaimer: This is my 'un-official', 'in my spare time', 'use at your own risk', all things RMS (Rights Management Services), IRM (Information Rights Management), IPP (Information Protection Pla

Tip O' The Day: 12/29/2006 All You Can Eat Office Registry Keys for IRM and a Bag of Chips


OK, so I lied about the bag of chips, but here are the keys. Some of these are a mystery to me, and I haven't had a chance to get into the source to look at them, or have and am in the process of figuring out their use. ;) Use these at your own risk. Anywhere that I have marked that they are available in Office 11, obviously you will need to make adjustments to the Key location (change 12.0 to 11.0) and GPO location. This is my last blog post this year, so HAPPY NEW YEAR EVERYONE!!!

 

 

Disable all IRM in Office client
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
DWORD:Disable
Value:
0 - No functionality impacted by this regkey
1 - All IRM functionality is removed; IRM is disabled
Description:
This key can be used to disable all IRM functionality in the Office client. All IRM UI hooks are removed.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:Yes
Can Be Set by GPO in Office 12:Yes
GPO Path and Name:
User Configuration\Microsoft Office 2007\Manage Restricted Permissions\Disable Information Rights Management User Interface

Disable creation of IRM content
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
DWORD:DisableCreation
Value:
If DisableCreation is non-zero, then an Enterprise Install will act just like a Standard install. Users cannot create IRM content or edit the rights on a doc, but they can consume previously created content.
Description:
This regkey makes an Enterprise Professional version of Office behave like a Standard copy. In this state, users can consume rights managed content, but cannot create new managed content or edit the permissions on existing content.
Exists in Office 11:No
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:Yes
GPO Path and Name:
User Configuration\Microsoft Office 2007\Manage Restricted Permissions\Prevent users from changing permissions on rights managed content.

Set whether a HTML version of doc is embedded into IRM content
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
DWORD:IncludeHTML
Value:
1 = Include HTML stream
0 = Do not include HTML stream
Description:
This regkey determines whether an HTML representation of the rights managed content is included in Word, Excel, and PowerPoint rights managed documents. If the HTML stream is included, the file can then be viewed by the Rights Management Add-on for IE.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:Yes
Can Be Set by GPO in Office 12:Yes
GPO Path and Name:
User Configuration\Microsoft Office 2007\Manage Restricted Permissions\Allow Users With Earlier Version of Office to Read With Browsers
Notes:
In Office 11, this regkey simply sets the default value for the "Allow users with earlier version of Office . . ." checkbox. In Office 12, that checkbox has been removed. This is the only way to determine if the HTML stream is included. By default, Office 12 sets this regkey to 0.

Select whether to encrypt document properties for IRM content
Location:HKCU\Software\Microsoft\Office\12.0\Common\Security\
DWORD:DRMEncryptProperty
Value:
When this DWORD is set to 1, the metadata is encrypted. When set to 0, the metadata is stored in clear text. The default value is 0.
Description:
For Office "12's" new Office Open XML file formats (e.g. docx, xlsx, pptx) users will have the ability to decide whether to encrypt the Office metadata stored inside an IRM protected "Metro" file. They can either encrypt all Office metadata (including hyperlink references) or leave it in the clear so other applications can access the data. Users make this choice by setting a registry key. Corporate IT departments can automatically set up a default option within their organization using this registry setting.
Note that the choice is not granular: users either encrypt the entire metadata package or none of it. In addition, this registry setting does not determine whether other, non-Office client metadata storages - such as the special storage SharePoint creates - are encrypted. Finally, this choice does not apply to the Office 2003 or other previous file formats. Office "12" will handle these formats in the same manner as Office 2003.
Exists in Office 11:No
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:Yes
GPO Path and Name:
User Configuration\Microsoft Office 2007\Security Settings\Protecting document metadata for rights managed Office Open XML Files.
Notes:
Only applies to Open XML Documents
Because all metadata properties are encrypted, SharePoint will be unable to promote/demote metadata from IRM documents created with this regkey set. Not only does this make the documents harder to find, it also leads to several issues. As such, if you want to set this regkey you should a) not be using SharePoint or b) use SharePoint, but only upload IRM documents to an IRM-enabled SharePoint document library (in which case, WSS can access the encrypted properties and will promote/demote them).

Set RMS Licensing URL
Location:HKLM\Software\Microsoft\Office\12.0\Common\DRM
String:CorpLicenseServer
Value:URL of the licensing server
Description:
This setting allows the administrator to override the location of the Windows Rights Management Server specified in the Active Directory.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:No
Notes:
Generally, this key is not used. The AD should specify the RMS server.

Set downlevel text for IRM email messages
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
String:DownlevelText
Value:The text that appears in the wrapper email.
Description:
Using this setting, users can set the text of the "wrapper" email message that is sent with their IRM email. This is the message that will appear when users view the IRM email in a non-IRM aware client. By default, this regkey is not present and the default message is sent: "If you are not running an e-mail application that supports messages with restricted permission, such as Microsoft Office Outlook 2003 or 2007, you can view this message by downloading the Rights Management Add-on for Microsoft Internet Explorer from http://r.office.microsoft.com/r/rlidRestrictedPermissionViewer?clid=1033." The CLID in the hyperlink is localized to the default language of the sender.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:Yes
Can Be Set by GPO in Office 12:Yes
GPO Path and Name:
User Configuration\Microsoft Office 2007\Manage Restricted Permissions\Message displayed to users who cannot view a rights-managed e-mail


Set downlevel template path for IRM documents
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
String:DownlevelTemplatePath
Value: The path to a directory that stores templates. Templates are just normal Office documents.
Description:
For rights managed files, the actual encrypted data is stored inside an unencrypted "wrapper" file. This wrapper file can inform someone who is not using Office 2003 or later that they need to view the file in an IRM aware application. This key specifies the location of the template directory.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:Yes
Can Be Set by GPO in Office 12:Yes
GPO Path and Name:
User Configuration\Microsoft Office 2007\Manage Restricted Permissions\URL for location of document templates displayed when applications do not recognize rights-managed documents.

Set path to RMS templates
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
REG_EXPAND_SZ:AdminTemplatePath
Value:The path to the RMS templates. All templates should be stored in the same directory.
Description:
This string contains the path to the folder containing RMS Permission Templates.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:Yes
Can Be Set by GPO in Office 12:Yes
GPO Path and Name:
User Configuration\Microsoft Office 2007\Manage Restricted Permissions\Specify Permission Policy Path

Set RMS certification URL
Location:HKLM\Software\Microsoft\Office\12.0\Common\DRM
String:CorpCertificationServer
Value:URL to corporate certification server.
Description:
This setting allows the administrator to override the location of the Windows Rights Management Server specified in the AD for certification
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:No
GPO Path and Name:
Notes:
Generally, the AD should be used to specify the RMS server.

Disable Microsoft Passport Server for content with restricted permission
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
DWORD:DisablePassportCertification
Value:
0 - No functionality impacted by this regkey
1 - Disable passport
Description:
This key disables passport as a valid auth choice
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:Yes
Can Be Set by GPO in Office 12:Yes
GPO Path and Name:
User Configuration\Microsoft Office 2007\Manage Restricted Permissions\Disable Microsoft Passport service for content with restricted permission
Notes:


Additional permissions request URL
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
String:RequestPermissionURL
Value:
The URL (most likely a mailto:someone@company.com) of the person who can grant additional permissions.
Description:
This string value contains the default value for the "Users can request additional permissions from" control
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:Yes
Can Be Set by GPO in Office 12:Yes
GPO Path and Name:
User Configuration\Microsoft Office 2007\Manage Restricted Permissions\Additional Permissions Request URL

Always require users to connect to verify permission
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
DWORD:RequireConnection
Value:
1 = box is checked by default and a connection is required.
0 = box is unchecked, users do not need a connection
Description:
The key determines the default value for the "Require a connection to verify a user's permission" checkbox.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:Yes
Can Be Set by GPO in Office 12:Yes
GPO Path and Name:
User Configuration\Microsoft Office 2007\Manage Restricted Permissions\Always require users to connect to verify permissions

Toggle Request Additional Permissions
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
DWORD:RequestPermission
Value:
1 = The box will be checked.
0 = The box is unchecked.
Description:
This toggles the default value of the "Users can request additional permissions from" checkbox.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:No

Toggle whether Outlook will automatically acquire an EUL when syncing messages
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
DWORD:DoNotAcquireDRMLicenseOnSync
Value:
If the value is set to one, Outlook will not try to acquire licenses during the message synchronization.
If set to zero, the license will be automatically acquired.

Description:
When Outlook downloads an IRM email, it can automatically acquire an EUL for the content.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:No

Toggle whether groups can be added to an issuance license for IRM documents
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
DWORD:NeverAllowDLs
Value:
0 = Allow DLs
1 = Disable DLs
Description:
If this key is set, users will not be able to add groups as consumers of IRM content
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:Yes
Can Be Set by GPO in Office 12:Yes
GPO Path and Name:
User Configuration\Microsoft Office 2007\Manage Restricted Permissions\Never allow users to specify groups when restricting permission for documents

Set RMS certification URL for Passport
Location:HKLM\Software\Microsoft\Office\12.0\Common\DRM
String:CloudCertificationServer
Value:
URL to custom cloud certification server
Description:
This setting allows the administrator to override the location of the Passport server for certification
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:No

Set RMS Licensing URL for Passport
Location:HKLM\Software\Microsoft\Office\12.0\Common\DRM
String:CloudLicenseServer
Value:
URL of the licensing server
Description:
This setting allows the administrator to override the location of the Passport server for licensing
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:No

Alerts
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
String:Alerts
Value:??
Description:
It's a mystery. :)
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:No

DefaultUser
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
String:DefaultUser
Value:??
Description:
I'm sure that this is used if you have multiple user accounts, and want one to take precedence over another.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:No

CachedCorpLicenseServer
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
String:CachedCorpLicenseServer
Value:URL to your licensing server
Description:
This reg entry exists, but does not need to be set by users.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:No

PermissionDialogSize
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
??:PermissionDialogSize
Value:??
Description:
Another mystery, but as the name indicates probably used to set the size of the permission dialog that pops up.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:No

ActivationServer
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
String:ActivationServer
Value:NOT NEEDED /w SP1 +
Description:
This reg entry exists, but does not need to be set by users.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:No
Notes:
With RMS SP1, we no longer need to contact a server to activate the machine.

LicenseServerRedirection
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM\LicenseServerRedirection
String:http://url.to.old.licensing.server/licensing
Value:http://url.to.new.licensing.server/licensing
Description:
It has been said that you can fix the sins of the past with this key, essentially overriding the PL of your old content to point to a new licensing server.
UPDATE: 01/22/2007. I actually tested this one out and it works fine. Make sure that you export the publishing cert from your old licensing server, into the new licensing server, via the RMS Admin Trust Policies UI.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:No

Decommission

Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM\Decommission
String:http://url.to.licensing.server/_wmcs/licensing
Value:http://url.to.decommission.server/_wmcs/decommission
Description:
This key exists, but does not need to be set by users.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:No

URL to RMS Client
Location:HKLM\Software\Microsoft\Office\12.0\Common\DRM\DRM Setup
String:DRMPostSetupURL
Value:URL of RMS client
Description:
This reg entry points to the URL where the RMS client bits can be found. If Office detects that the RMS client is not installed, it will point the user to this URL
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:Yes
GPO Path and Name:
User Configuration\Microsoft Office 2007\Manage Restricted Permissions\URL where users can download the Windows Rights Management Services client.
Notes:
This is typically used by customers who do not want downloads from outside their corporate firewall

Auto Expand DLs in Permission Dialog
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM\AutoExpandDLs
DWORD:AutoExpandDLsEnable
Value:
0 = Do not expand DLs, disabled
1 = Expand DLs in Permissions dialog
Description:
This reg key toggles whether DLs are auto-expanded when entered in the Permissions dialog
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:Yes
Can Be Set by GPO in Office 12:Yes
GPO Path and Name:
User Configuration\Microsoft Office 2007\Manage Restricted Permissions\Always expand groups in Office when restricting permissions for documents

AdsSearchPrefTimeLimitSecs
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM\AutoExpandDLs
DWORD:AdsSearchPrefTimeLimitSecs
Value:??
Description:
This reg entry exists, but does not need to be set by users. I suspect you can set the timeout for SCP discovery with this.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:No

AdsSearchPrefTimeOutSecs
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM\AutoExpandDLs
DWORD:AdsSearchPrefTimeOutSecs
Value:??
Description:
See above.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:Yes
Can Be Set by GPO in Office 12:Yes
GPO Path and Name:
User Configuration\Microsoft Office 2007\Manage Restricted Permissions\Active Directory timeout for querying one entry for group expansion

DisableCertificateValidation
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
DWORD:DisableCertificateValidation
Value:
0 - Off
1 - On
Description:
Still looking for an answer for this one.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:No

DisableRepair
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
DWORD:DisableRepair
Value:
0 = Repair works normally
1 = Repair is disabled
Description:
Office can detect invalid configuration of the RMS environment and attempt to repair the problem. This key can be used to disable the repair process
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:Yes
Can Be Set by GPO in Office 12:Yes
GPO Path and Name:
User Configuration\Microsoft Office 2007\Manage Restricted Permissions\Do not allow users to upgrade Information Rights Management configuration
Notes:
There is a disconnect between the description here and what GP says the reg key does. This key is legacy and is not used anymore.

DoNotUseOutlookByDefault
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM
DWORD:DoNotUseOutlookByDefault
Value:
0 = Outlook is used
1 = Outlook is not used
Description:
The permissions dialog uses Outlook to validate email addresses entered in that dialog. This causes an instance of Outlook to be started when restricting permissions. Users can disable this option using this key
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:No

Reset PONT dialog for acquiring license
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM\LicenseServers
Key/Hive:LicenseServers
Value:
This key contains DWORD values. The name of the DWORD should be set to the server URL. If the value of the DWORD is 1, then Office will not prompt to acquire a license (it will just get it). If the value is zero or there is no reg entry for that server, Office will prompt for a license
Description:
This registry key contains DWORD values that have the name of a license server. If the value is set to 1 then the user will not see a message telling them that they need to acquire a license. If the value is 0 then the user will see the message. For example, if 'http://contoso/_wmcs/licensing = 1' was one of the values then a user that was attempting to acquire a license from that server would not be prompted.
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:No
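
An added example, not part of the original post: a small audit over a `reg export` text dump that flags the settings listed above which disable IRM, override or redirect the RMS servers, or suppress the license prompt. The sample export and its server names are constructed placeholders, and the key match accepts both 11.0 and 12.0, following the post's note about Office 11.

```python
import re

# Constructed sample in the text format written by `reg export`; server names
# are placeholders. Real export files are UTF-16, so decode them before parsing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM]
"DisableCertificateValidation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM\LicenseServers]
"http://rms.example.test/_wmcs/licensing"=dword:00000001
"http://rms2.example.test/_wmcs/licensing"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM\LicenseServerRedirection]
"http://old.example.test/licensing"="http://new.example.test/licensing"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Office\12.0\Common\DRM]
"CorpLicenseServer"="http://rms.example.test/_wmcs/licensing"
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Matches the DRM key and its subkeys for Office 11 (11.0) and Office 12 (12.0).
DRM_KEY = re.compile(r'\\software\\microsoft\\office\\\d+\.\d\\common\\drm(\\.+)?$')

def parse_reg(text):
    """Return {key_path: {value_name: int or str}} for DWORD and string values."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if (m := SECTION.match(line)):
            current = keys.setdefault(m.group(1), {})
        elif current is not None and (m := VALUE.match(line)):
            name, raw = m.group(1), m.group(2)
            if raw.startswith('dword:'):
                current[name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                current[name] = raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
            # hex-encoded types (e.g. REG_EXPAND_SZ) are not used by these checks
    return keys

def audit(keys):
    """Return (key_path, value_name, reason) for settings worth a reviewer's look."""
    findings = []
    for path, values in keys.items():
        m = DRM_KEY.search(path.lower())
        if not m:
            continue
        sub = (m.group(1) or '').lstrip('\\')
        for name, data in values.items():
            n = name.lower()  # registry value names are case-insensitive
            if sub == '' and n == 'disable' and data == 1:
                findings.append((path, name, 'all IRM functionality disabled'))
            elif sub == '' and n == 'disablecertificatevalidation' and data == 1:
                findings.append((path, name, 'set to 1; effect not documented in the post'))
            elif sub == '' and re.fullmatch(r'(corp|cloud)(license|certification)server', n):
                findings.append((path, name, f'server location overridden: {data}'))
            elif sub == 'licenseservers' and data == 1:
                findings.append((path, name, 'license acquired without prompting'))
            elif sub == 'licenseserverredirection':
                findings.append((path, name, f'licensing redirected to {data}'))
    return findings

if __name__ == '__main__':
    print(*audit(parse_reg(SAMPLE_REG)), sep='\n')
```
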

Comments
  • >>DefaultUser

    >>Location:HKCU\Software\Microsoft\Office\12.0\Common\DRM

    I have key "DefaultUser" on my comp.

    And it's set to "Windows:<username>@<domain>".

    I think that it use to set owner or main (or last logged on) user of the comp.

    -------Soooory 4 my Enghhhlish =)

  • It is possible to customize the behavior of RMS through registry keys. This blog lists them:

  • Within RMS, can we limit the abilities of administrators (domain and server) by server, user, or data content?   Specifically, if we have a sensitive data enclave that needs to be controlled and managed by certain administrators, can we exclude all other administrators from accessing this area or assuming the identity of the cleared users \ administrators?
