The following list contains links to the help topics for the Microsoft Rights Management services (RMS) Protection cmdlets, which are installed with the Rights Management Protection Tool.

The Rights Management Protection Tool is being replaced by the Azure Information Protection client. Support for the RMS Protection tool will retire on February 10th 2018. The Azure Information Protection client includes the PowerShell module, AzureInformationProtection.

The RMS Protection cmdlets can be used with Azure Rights Management (Azure RMS) data protection from Azure Information Protection, or with Active Directory Rights Management Services (AD RMS). Use these RMS Protection cmdlets to bulk protect and unprotect files for any file type.

The current version of the RMS Protection PowerShell module is If you have previously downloaded the tool and installed this module, run the following command to check the version: (Get-Module RMSProtection -ListAvailable).Version.


If you want to automatically protect files on a file share by using Windows Server File Resource Manager and File Classification Infrastructure, see the step-by-step instructions in RMS Protection with Windows Server File Classification Infrastructure (FCI).

This release of the RMS Protection module has the following limitations:

  • You can unprotect Outlook personal folders (.pst files), but you cannot currently natively protect these files or other container files by using the RMS Protection Tool.

  • You can unprotect Outlook protected email messages (.rpmsg files) when they are in a Outlook personal folder (.pst), but you cannot unprotect .rpmsg files outside a personal folder.

  • To protect or unprotect files for AD RMS, you must use your user account interactively. To run the cmdlets non-interactively with AD RMS (for example, with Windows Server FCI), upgrade to the AzureInformationProtection module that installs with the current preview version of the Azure Information Protection client. To support non-interactive sessions for AD RMS, in this newer module, specify the IntegratedAuth parameter for the Set-RMSServerAuthentication cmdlet.

  • For Azure Rights Management only:

    • By default, the cmdlets are not supported outside North America. As a workaround, you can edit the registry, as documented in about_RMSProtection_AzureRMS. Without this registry change, service discovery to the Azure Rights Management service fails outside the Azure North America region.
  • For Windows 7 SP1 and Windows Server 2012:

    • The RMS Protection module does not automatically import when you first run the cmdlets in a Windows PowerShell session. For these operating system versions, you must manually import the module before you run the cmdlets: Import-Module "%ProgramFiles%\WindowsPowerShell\Modules\RMSProtection\RMSProtection.dll"

    • If the %ProgramFiles% environment variable does not work for you, specify the full path. For example, Import-Module "C:\Program Files\WindowsPowerShell\Modules\RMSProtection\RMSProtection.dll".

To unprotect container files (.msf, .pst, .rar, .pst, .zip, and .7z), and to use multi-factor authentication with Azure Rights Management, you must have at least version of the RMS Protection module. To unprotect .eml files requires a minimum version of

Breaking change in version If you are upgrading from a previous version of the RMS Protection module, version introduces the new InPlace parameter, which overwrites the existing file if you do not specify an output folder. In previous versions, this was the default behavior. To retain the same behavior as before, you might need to add the InPlace parameter to commands and scripts.


To use these cmdlets, you must have the following installed on your computer. The RMS Protection Tool does not check for all these prerequisites:

  • One of the client or server operating system versions listed on the RMS Protection Tool download page, in the System Requirements section.

  • A minimum version of the Microsoft .NET Framework 4.5. This version of the Microsoft .NET Framework is included with the later operating systems but if the RMS Protection Tool installer detects that this minimum version is not installed, it will tell you so that you can download and install it, and then rerun the installation.

  • Windows PowerShell version 4.0, which might need to be installed on older operating systems. For more information, see How to Install Windows PowerShell 4.0. To confirm the version of Windows PowerShell that you are running, type $PSVersionTable in a Windows PowerShell session.

  • The Rights Management Client 2.1, which you can install by itself, or install with the Rights Management sharing application. The setup program does not check that this client is installed and if necessary, you can install it after you have installed the RMS Protection Tool.

Before you start to use these cmdlets, see the documentation that corresponds to your deployment of Rights Management for additional prerequisites and instructions:

The .dll file for this module is RMSProtection.dll.



Clears credentials for a user who is authenticated to the Azure RMS service.


Gets the RMS protection status of a specified file.


Gets a list of RMS servers that can issue templates.


Gets the status of your service principal authentication to Azure RMS.


Gets a list of RMS templates.


Creates an ad-hoc rights policy for RMS protection.


Protects a specified file or the files in a specified folder by using RMS.


Sets the service principal authentication credentials for Azure RMS.


Unprotects a file that is currently protected by RMS.