The following list contains links to the help topics for the Microsoft Rights Management services (RMS) Protection cmdlets, which are installed with the RMS Protection Tool. The RMS Protection tool is now replaced by the Azure Information Protection client, which includes a new PowerShell module, AzureInformationProtection.

In turn, the RMS Protection Tool replaced the AD RMS Bulk Protection Tool. Support for the AD RMS Bulk Protection Tool will stop March 1, 2017.

These RMS Protection cmdlets can be used with Azure Rights Management (Azure RMS) data protection from Azure Information Protection, or with Active Directory Rights Management Services (AD RMS) and these cmdlets supplement other PowerShell modules for these Rights Management deployments. Use these RMS Protection cmdlets to bulk protect and unprotect files for any file type.

The current version of the RMS Protection PowerShell module is If you have previously downloaded the tool and installed this module, run the following command to check the version: (Get-Module RMSProtection -ListAvailable).Version.


If you want to automatically protect files on a file share by using Windows Server File Resource Manager and File Classification Infrastructure, see the step-by-step instructions in RMS Protection with Windows Server File Classification Infrastructure (FCI).

The current release of the RMS Protection module has the following limitations:

  • You can unprotect Outlook personal folders (.pst files), but you cannot currently natively protect these files or other container files by using the RMS Protection Tool.

  • You can unprotect Outlook protected email messages (.rpmsg files) when they are in a Outlook personal folder (.pst), but you cannot unprotect .rpmsg files outside a personal folder.

  • For Azure Rights Management only:

    • By default, the cmdlets are not supported outside North America. As a workaround, you can edit the registry, as documented in about_RMSProtection_AzureRMS. Without this registry change, authentication to the Azure Rights Management service fails outside the Azure North America region.
  • For Windows 7 SP1 and Windows Server 2012:

    • The RMS Protection module does not automatically import when you first run the cmdlets in a Windows PowerShell session. For these operating system versions, you must manually import the module before you run the cmdlets: Import-Module "%ProgramFiles%\WindowsPowerShell\Modules\RMSProtection\RMSProtection.dll"

    • If the %ProgramFiles% environment variable does not work for you, specify the full path. For example, Import-Module "C:\Program Files\WindowsPowerShell\Modules\RMSProtection\RMSProtection.dll".

To unprotect container files (.msf, .pst, .rar, .pst, .zip, and .7z), and to use multi-factor authentication with Azure Rights Management, you must have at least version of the RMS Protection module. To unprotect .eml files requires a minimum version of

Breaking change in version If you are upgrading from a previous version of the RMS Protection module, version introduces the new InPlace parameter, which overwrites the existing file if you do not specify an output folder. In previous versions, this was the default behavior. To retain the same behavior as before, you might need to add the InPlace parameter to commands and scripts.


To use these cmdlets, you must have the following installed on your computer. The RMS Protection Tool does not check for all these prerequisites:

  • One of the client or server operating system versions listed on the RMS Protection Tool download page, in the System Requirements section.

  • A minimum version of the Microsoft .NET Framework 4.5. This version of the Microsoft .NET Framework is included with the later operating systems but if the RMS Protection Tool installer detects that this minimum version is not installed, it will tell you so that you can download and install it, and then rerun the installation.

  • Windows PowerShell version 4.0, which might need to be installed on older operating systems. For more information, see How to Install Windows PowerShell 4.0. To confirm the version of Windows PowerShell that you are running, type $PSVersionTable in a Windows PowerShell session.

  • The Rights Management Client 2.1, which you can install by itself, or install with the Rights Management sharing application. The setup program does not check that this client is installed and if necessary, you can install it after you have installed the RMS Protection Tool.

Before you start to use these cmdlets, see the documentation that corresponds to your deployment of Rights Management for additional prerequisites and instructions:

The .dll file for this module is RMSProtection.dll.



Clears credentials for a user who is authenticated to the Azure RMS service.


Gets the RMS protection status of a specified file.


Gets a list of RMS servers that can issue templates.


Gets the status of your service principal authentication to Azure RMS.


Gets a list of RMS templates.


Creates an ad-hoc rights policy for RMS protection.


Protects a specified file or the files in a specified folder by using RMS.


Sets the service principal authentication credentials for Azure RMS.


Unprotects a file that is currently protected by RMS.