Extend Microsoft RMS protection to Non-Office Files


Extend RMS protection to Non-Office File Extensions


First off let me just say something that you wont hear very often out of a sys admin’s mouth in a non sarcastic way, but thank you Microsoft.  Thank you for finally expanding on the development of your Rights Management Service (RMS) solution. I couldn’t tell you how many months I spent researching, meeting with 3rd party vendors, and pouring over pages upon pages of blogs, developer notes, and KB articles trying to find a solution to protect non-office documents.

Microsoft released their RMS Sharing Application last year which supported the ability to apply RMS templates to both Supported and Non-Supported Microsoft office documents. Only down side was that the RMS Sharing Application has no public command line parameters, so automating the application was out of the question. Good thing to note here is automation is awesome, in today’s world if you are working with technology manual then your doing it wrong.

I do have a confession though I basically stalked Gagen Gulati, a Microsoft RMS developed on TechNet and other blogs. I was able to find a link on one of his blogs that directed me to a PowerShell cmdlet from the RMS team at Microsoft.  This cmdlet is essentially the command line version of the RMS Sharing Application I talked about earlier.

This cmdlet can be run using FSRM to automate jobs and apply RMS templates to files and folders and really just about any file you can image. Keep in mind though you can encrypt almost any document, but you will need a compatible viewer in order to view the encrypted document.

Please note that in order to view a a file, encrypted by the RMS PowerShell plugin you will need a supported program to view the files with.  So naturally office files are supported by word or powerpoint…etc but pdf documents must be opened with the RMS Sharing Application or some other RMS supported view such as FoxIT or Gigatrust.  If you try to open a encrypted PDF with Adobe it wont work. Funny thing here though is that the RMS Sharing App is really just a dumb version on the expensive FoxIT reader.  Really, if you look at the RMS Sharing App’s system files you will see FoxIT dll files.

What are you going to need

You are going to need three sets of tool for this integration to work properly.  The first is the Microsoft.Protection CTP2 binaries located here.  The other application you will need is the RMS Sharing Applcation located here. And last is the AD RMS Client 2.1 located here

The RMS Sharing Application requires an internet connect to install and for the system to reboot once installed. (Go Microsoft Reboots!)

Once you have both of these files download and ready to be deployed on your system you can launch the installation process.


Installing the Microsoft.Protection PowerShell cmdlets

In order to install the Microsoft.Protection cmdlets your account needs permissions to r/w permission to the RMS servers “ServerCertification.asmx” located usually in “C:\inetpub\wwwroot\_wmcs\certification”

Before proceeding make sure you have .NET3.5 or higher and the AD RMS Client 2.1 install. (AD RMS Client does not come built in to server 2012/8 like it did in 2008/7 systems) After verify that .NET and the RMS client are installed you will need to allow the execution of the cmdlets you just downloaded.

Allowing PowerShell Scripts

Admin PS> Set-ExecutionPolicy Unrestricted

After the prep-work you can get to installing the Microsoft.Protection cmdlets. Right-Click and “Run with PowerShell the Install.ps1 file. You will get asked if you really want to run the script in PowerShell so type in “R” and move on. After this it will take less than minute to install onto your system


After install the Microsoft.Protection cmdlets you can run a few commands in PowerShell to test out your new cmdlets.

Allowing PowerShell Scripts

Admin PS>Add-PSSnapin Microsoft.Protection
(For any command, you can use Get-Help 


Installing the new RMS Sharing App (Required to view encrypted .ppdf files)

This is very simple, so after downloading the RMS Sharing App from Microsoft’s portal double click the setup.exe and click next a few times.

(Click here to learn how to silent install the Application and see its Administrators guide)


Implementing the new Microsoft.Protection cmdlets with FSRM

Creating file management task’s in FSRM is very similar to the ones created when applying RMS templates. Go through the normal steps of the creating a new file management task though when you get to actions drop down the menu and instead of selecting RMS Encryption choose Custom.


Executable: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Arguments:   Protect-RMSFile -Folder C:\TestRMS\PDF_3 -templateID 'b3886996-f784-48e7-9758-4d41b0116ba2'

To break down what this is doing is simple.  I want the executable “PowerShell” to run a command with special arguments.

Protect-RMSFile (Module for protection files or folders)  -Folder (I want to protect a folder and all of its content) (Folder Location) templateID (the GUID of the template I want to apply to the folder “Can be acquired via the Get-RMSTemplate”)


Supported file Types and File name Extensions

The following table lists file types that are natively supported by Microsoft Rights Management sharing application. For these file types, the original file name extension is changed when native protected is applied, and these files become read-only.

In addition, when the RMS sharing application natively protects a Word, Excel, or PowerPoint file that users protect by sharing, this action automatically creates a second file that is a copy of the original with the same file name but with a .ppdf file name extension. This version of the file ensures that recipients who install the RMS sharing application can always open the file that has native protection applied.

For files that are generically protected, the original file name extension is always changed to .pfile.


If you have firewalls, web proxies, or security software that inspect and take action according to file name extensions, you might need to reconfigure these to support these new file name extensions.
Original file name extension RMS-protected file name extension
.txt .ptxt
.xml .pxml
.jpg .pjpg
.jpeg .ppng
.pdf .ppdf
.png .ppng
.tiff .ptiff
.bmp .pbmp
.gif .pgif
.giff .pgiff
.jpe .pjpe
.jfif .pjfif
.jif .pjif

The following table lists the file types that the Microsoft Rights Management sharing application natively supports in Microsoft Office 2013 and Office 2010. For these files, the file name extension remains the same after the file is protected by RMS.

File types supported by Office File types supported by Office













Referenced Articles:







Leave a Reply