ADM: “Compliance”- IRM (English)

Print Friendly, PDF & Email

IRM provides persistent online and offline protection of email messages and attachments by applying the information protection technology AD RMS. IRM protection is configured by applying an AD RMS rights policy template. You can use policy templates to control permissions that recipients have on a message.

1.1. AD RMS Rights Policy Templates

Exchange 2010 ships with the Do Not Forward template. When this template is applied to a message, only the recipients addressed in the message can decrypt the message, and these recipients cannot forward the message to anyone else, copy content from the message, or print the message. You can create additional RMS templates on the AD RMS server in your organization (if installed) to meet your IRM protection requirements.

The following EMS command retrieves the list of active rights management services policy templates that are currently available to the Exchange Server 2010 server on which the command is run:


1.2. Applying IRM Protection

IRM protection can be applied to messages manually by Outlook users. This process uses the IRM functionality in Outlook, but you can use Exchange to take actions (such as applying transport protection rules) that enforce your organization’s messaging policy. OWA users can protect messages they send and view IRM-protected messages they receive.

In Outlook 2010, you can create Outlook protection rules that automatically IRM-protect messages. Outlook 2010 applies IRM protection when a user is composing a message. You can create transport protection rules on Hub Transport servers.

1.3. Configuring IRM Features and Testing IRM Configuration

You can use the EMS but not the EMC to configure IRM features. The Set-IRMConfiguration cmdlet is used to enable or disable IRM for internal messages and to enable or disable transport decryption, journal report decryption, IRM for Exchange Search, and IRM in OWA.

The following command enables licensing and hence enables IRM features for messages sent to internal recipients (assuming that external licensing is currently disabled). Necesita que se instale un servidor MRS

Set-IRMConfiguration -InternalLicensingEnabled $true


The following command enables licensing and hence enables IRM features for messages sent to external recipients if external licensing is currently disabled:

Set-IRMConfiguration -ExternalLicensingEnabled $true


Journal report decryption attaches a decrypted copy of an IRM-protected message to the journal report. The following command enables Journal report decryption if it is currently disabled:

Set-IRMConfiguration -JournalReportDecryptionEnabled $true


IRM features are enabled in OWA by default. The following command disables IRM features in OWA:

Set-IRMConfiguration -OWAEnabled $false


The following command enables IRM features in OWA if they have previously been disabled:

Set-IRMConfiguration -OWAEnabled $true


If transport decryption is mandatory, any message that cannot be decrypted is rejected, and a non-delivery report (NDR) is returned to the sender. The following command sets transport decryption to mandatory:

Set-IRMConfiguration -TransportDecryptionSetting mandatory


If transport decryption is disabled, no attempt is made to decrypt internal or external messages before delivery. The following command sets transport decryption to disabled:

Set-IRMConfiguration -TransportDecryptionSetting disabled


Setting transport decryption to optional provides a best effort approach to decryption. Messages are decrypted if possible but are delivered even if decryption fails. The following command sets transport decryption to optional:

Set-IRMConfiguration -TransportDecryptionSetting optional

If you want to view the current IRM configuration—either the default values before you configure it or the values after configuration—you enter the following command:

Get-IRMConfiguration | FL


The following command tests the IRM configuration for messages Kim Akers sends to Don Hall:

Test-IRMConfiguration -Sender -Recipient


1.4. Using Transport Protection Rules

These are transport rules that implement messaging policies by inspecting message content, encrypting sensitive email content, and using rights management to control access. Transport protection rules apply an AD RMS rights policy template to protect messages through IRM.

You can use either the New Transport Rule Wizard in the EMC or the New-TransportRule EMS cmdlet to create a transport protection rule. To use the EMS to create a transport protection rule, your first step is to discover what rights management templates are available. The following command generates a list of available templates (note that this command does not list the pre-installed Do Not Forward template):

Get-RMSTemplate | FL


You then use a command that creates a transport protection rule. For example, if you wanted to create a rule named Protect-Confidential that IRM-protects messages that contain the word “Confidential” in the Subject field using the Do Not Forward template, you would use the following command:

New-TransportRule -Name "Protect-Confidential" -SubjectContainsWords "Confidential"
-ApplyRightsProtectionTemplate "Do Not Forward"


1.5. Protecting Outlook and OWA Messages

Outlook protection rules help an organization protect against the risk of information leakage by automatically applying IRM protection to messages. In Outlook 2010, messages are IRM-protected before they leave the Outlook client. This protection is also applied to any attachments using supported file formats. When you create Outlook protection rules on an Exchange Server 2010 server, these rules are automatically distributed to Outlook 2010 by Exchange Web Services.

You can use the EMS but not the EMC to create an Outlook protection rule. For example, the following command creates the Outlook protection rule MyProject. This rule protects messages sent to the TechnicalAuthors distribution group with the AD RMS template Protect-Confidential:

New-OutlookProtectionRule -Name "MyProject" -SentTo "TechnicalAuthors"
-ApplyRightsProtectionTemplate "Protect-Confidential"


You can use the Get-OutlookProtectionRule EMS cmdlet to obtain the configuration of an existing Outlook protection rule and the Set-OutlookProtectionRule EMS cmdlet to change that configuration. You can also use the Remove-OutlookProtectionRule EMS cmdlet to remove an Outlook protection rule. For example, the following command removes the MyProject Outlook protection rule:

Remove-OutlookProtectionRule -Identity "MyProject"

1.6. Enabling or Disabling IRM in OWA

You can use commands based on the Set-IRMConfiguration EMS cmdlet to enable or disable IRM in OWA for your entire Exchange Server 2010 organization. You can also enable or disable IRM for an OWA virtual directory using the Set-OWAVirtualDirectory cmdlet and setting the IRMEnabled parameter to $true (the default) or $false. Alternatively, you can enable or disable IRM for an OWA mailbox policy using the Set-OWAMailboxPolicy cmdlet and setting the IRMEnabled parameter to $true (the default) or $false.

The following command enables IRM in OWA for an entire Exchange Server 2010 organization:

Set-IRMConfiguration -OWAEnabled $true


The following command disables IRM in OWA for the virtual directory MyVirtualDirectory on Client Access server VAN-EX2:

Set-OWAVirtualDirectory -Identity VAN-EX2\MyVirtualDirectory -IRMEnabled $false



Note that the Set-IRMConfiguration cmdlet supports the OWAEnabled parameter, whereas the Set-OWAVirtualDirectory and Set-OWAMailboxPolicy cmdlets support the IRMEnabled parameter.


Be the first to comment

Leave a Reply