Andrzej Kaźmierczak

Get IT solutions today!

Azure RMS Templates #4, Tests

Share this post to your SOCIAL MEDIA!

After getting required subscriptions described in “Azure RMS Templates #2, Subscription Scenarios” part and enabling Azure RMS and configuring test client in “Azure RMS Templates #3, Enable Azure RMS and Prepare Environment” part, this article is a playground for Azure RMS Templates.

Configuration of Custom Templates for Azure Rights Management has been described in TechNet article .

However, let me guide you:

  • Go to Windows Azure portal, Active Directory, Rights Management, choose your tenant and you should see 2 options – to create and to manage rights policy templates.

  • Currently (August 2014), when you click manage, you should see 2 default RMS (Confidential and Confidential View Only) templates that CAN NOT be edited, but can be archived.

  • Go back and click on Create new template. Select Language, provide the name of the template that will be visible for users and informative description so that users can chose this template based on its description.
  • Once you are done, go to Manage your right policy templates again. By default, new templates have status Archived.

What do those statuses mean?

  • Published – RMS template is available for all users and users can use this template to secure their documents.
  • Archived – RMS template will not be available for protecting new documents, but those, who had used this template, can still open their protected documents.

If you delete your template, and you want to open document that had been secured with this template… well, you will probably encounter a lot of issues. That’s why it is better to think what you are doing and publish only templates that will be used in the future. Remember: always do archive instead of delete!

  • To adjust your template, click on it and go through the 3 steps of configuration wizard (instead you can click Rights or Configure buttons to go directly to those settings). Start with Configure rights for users and groups.

  • Select users or groups you want to give specific permission using this RMS template. Assign rights to selected users and groups (f.e. Reviewer). If you click Custom, you’ll get a third page with very granular, custom settings as shown on the figure below.

  • Once giving permissions is done, you can go through the step 2 Publish your template and then step 3 Additional configuration. Instead of that you can click on Configure button.

  • On the Configuration page you should choose:
  1. To publish a template,
  2. Content expiration settings,
  3. Offline access.
  • Once done, click Save. That’s all – you have configured your template!


Ok, but wait! If I go to Microsoft Word document, I can still only see the 2 default templates!! How can I make my client refresh? I’ve got a news for you: Microsoft claims that by default it takes up to 7 days for RMS templates to update! So how can I enforce my client machine to download and “see” newly created RMS template ASAP?

If you look across the Internet, you’ll probably find this TechNet site and this section: Office 2013 only: How to force a refresh for a changed custom template. Unfortunately the solution described there didn’t work for my Windows 7 client – neither removing all %localappdata%\Microsoft\MSIPC\Templates and reboot nor Account sign out, reboot, sing in again. I have also created HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC DWORD TemplateUpdateFrequency with value 0 or 1. It didn’t work as well.

What worked for me was to manually delete the LastUpdatedTime in HCU\Software\Classes\Local Settings\Software\Microsoft\MSIPC\{your RMS tenant URL}\Template registry as follows:

After deleting, enforcing new templates doesn’t require computer reboot, but you need to close and reopen your word or excel. Then you see your new RMS template.

If you want to update all your templates so that you will not see old and already deleted templates, you need to remove all .xml files from %localappdata%\Microsoft\MSIPC\Templates and remove LastUpdatedTime registry key as well to get those updated with the only templates that are available (have Published status).


So now you know how to secure Microsoft Office Suite, but what about PDF files? How can you secure those?

As we speak (August 2014) you have 2 options in general:

  • You can use 3rd parties (Secure Islands, GigaTrust, etc.) to extend Microsoft RMS capabilities – including .pdf files support,
  • You can use Microsoft RMS Sharing App integrated both, with Microsoft Azure RMS and Microsoft AD RMS. For Microsoft Azure RMS, RMS Sharing App works out of the box, but for the second one (AD RMS integration) you need Microsoft Windows Server 2012 R2, ADFS 3.0 and Mobile Device Extensions from the Microsoft Connect.

RMS Sharing App allows you to protect .pdf files, but you’ll need a paid software (Foxit Reader or Nitro PDF) to be able to read that secured .pdf file. It doesn’t work with Adobe PDF reader. Yet.

RMS Sharing App lets you protect files in two different ways:

  • Office suite + PDF files – those will use RMS and put encryption and enforce policies (like do not copy or do not print). Works like a regular RMS (encryption + policies) but to read .pdf files you need Foxit or Nitro PDF.
  • Any kind of files – when you use that option, a .pfile will be created based on any file that you want to protect. You can thing about this .pfile as a zipped file that is password protected. So you need a RMS Sharing App (on the PC or on the mobile devices) to open this encrypted file (your username and password will unprotect the file) and once you open this file it can be viewed in any native file viewer – f.e. in Adobe PDF reader. Unfortunately, no granular policies can be applied to such “unzipped” file – once opened (unzipped) you can redistribute, copy, print, etc. with that file.

I will focus rather on the RMS Sharing App templates and how to get them working. Let’s get started!

  • Run the installer and go through the setup – it will require Internet connection.
  • After installation has completed, restart your workstation.

  • To use Custom RMS Template you have configured, right click on the document you want to protect, and from the context menu choose Protect in-place and Company-defined Protection…

  • You will be asked to provide your credentials. You can use same account you created earlier in Office 365 (the one that has Azure RMS and Office ProPlus licenses assigned). Even if you enable Remember me and Remember my password options you will be asked for your password about 3 times. Don’t worry – you haven’t mistyped your password, just put it there as many times as you will be asked to do so.

  • When click on Select permission, you will be able to see all 3 Azure RMS templates (2 default and a custom one created manually).

  • The next time you right click your document and select Protect in-place from the context menu, you will see your Azure RMS templates.


What about enforcing new Azure RMS templates to the context menu of RMS Sharing App? It is said that “for Windows computers that use the RMS sharing application, templates are automatically downloaded (and refreshed if necessary) without additional configuration required. This is also the case for mobile devices that use the RMS sharing app or other apps that are RMS-enlightened”. Unfortunately it didn’t work for me.

What I had to do to see newly create Azure RMS templates was:

  • Delete %localappdata%\Microsoft\MSIPC\Templates,
  • Delete MinimumRequiredVersionLastUpdateTime key from HCU\Software\Classes\Local Settings\Software\Microsoft\IPViewer registry,
  • Protect in place with one of currently available RMS templates. RMS Sharing App will update Azure RMS template list during protection.

That’s it! Now you know how to get Azure RMS templates working. You can go to the next, final article (Azure RMS Templates #5, Helpful Tips) to get some helpful tips.

Andrzej Kazmierczak

About Andrzej Kazmierczak

Andrzej Kaźmierczak is an IT professional with many years of IT security experience to his credit. As a certified Architect and Systems Engineer in the field of Microsoft security solutions, Andrzej expands on his vast knowledge of the industry working with many major worldwide corporations and organizations from a wide variety of industry fields. Andrzej is also a published author of many security articles and blogs. His key specialties include the architecture, design, implementation and support for Identity Federation, Azure and Cloud, work in the field of Public Key Infrastructure and smart cards, as well as a wide array of Information Protection and Rights Management. Follow on twitter: @ANDKAZM View all posts by Andrzej Kazmierczak →
This entry was posted in Azure RMS and tagged , , , , , . Bookmark the permalink.

One Response to Azure RMS Templates #4, Tests

  1. Kalith Guruge

    A very descriptive article! Wonderful!

Leave a Comment

Your email address will not be published. Required fields are marked *