Exclude Lockbox Versions

Applies To: Windows Server 2008

Lockboxes are used to store a user's private key. If a vulnerability is found in a certain version of a lockbox, Microsoft releases a new lockbox. Because each version of the Active Directory Rights Management Services (AD RMS) client software is associated with a lockbox version, you can ensure that clients use a minimum version of the AD RMS client software by excluding the earlier lockbox versions. When you enable this feature, you specify the latest minimum lockbox version that was signed by the Microsoft Activation Service. You then enable lockbox exclusion on each AD RMS cluster on which you want it to take effect. All certification and licensing requests are checked to make sure that the lockbox meets the minimum version criteria.

If you have enabled an exclusion based on lockbox version, clients that are using a version of the lockbox software earlier than the specified version cannot acquire rights account certificates (RACs) or use licenses because their requests will be denied. These clients must install a new version of the AD RMS client software to acquire a new lockbox that uses the current version of the software.

If a user who has an excluded lockbox was previously issued licenses for content, the user can still consume that content without acquiring a new lockbox.
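The cluster-side check described above, modeled in Python as an added example (this is not Microsoft's code; the request record, its field names and the four-part numeric version format are assumptions made for the model):

```python
from dataclasses import dataclass

def parse_version(v):
    """Turn '5.1.0000.0' into (5, 1, 0, 0) so that comparison is numeric.
    A plain string comparison would rank '5.10.0.0' below '5.2.0.0'."""
    parts = v.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed lockbox version: {v!r}")
    return tuple(int(p) for p in parts)

@dataclass
class LockboxExclusion:
    """Assumed shape of the per-cluster policy: the enable switch and the
    minimum lockbox version set through the console."""
    enabled: bool = False
    minimum_version: str = "0.0.0.0"

# Only certification and licensing requests are gated by the policy.
# Consuming content under a license that was already issued does not go
# back to the cluster, so it is not checked.
CHECKED_REQUESTS = {"certification", "licensing"}

def evaluate(policy, request_type, client_lockbox_version):
    """Return (allowed, reason) for one request arriving at the cluster."""
    if request_type not in CHECKED_REQUESTS:
        return True, "not a certification or licensing request"
    if not policy.enabled:
        return True, "lockbox exclusion disabled"
    if parse_version(client_lockbox_version) < parse_version(policy.minimum_version):
        return False, (f"lockbox {client_lockbox_version} is below "
                       f"minimum {policy.minimum_version}; request denied")
    return True, "lockbox meets minimum version"

if __name__ == "__main__":
    # Constructed sample: the minimum from the procedure on this page.
    policy = LockboxExclusion(enabled=True, minimum_version="5.1.0000.0")
    for req, ver in [("certification", "5.0.2000.0"), ("licensing", "5.1.0000.0")]:
        print(req, ver, evaluate(policy, req, ver))
```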

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To exclude lockbox versions

  1. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  2. In the console tree, expand Exclusion Policies, and then select Lockbox.

  3. Click Enable Lockbox Exclusion to exclude lockbox versions.

  4. Click Change minimum lockbox version. The Lockbox properties sheet opens.

  5. In the Minimum lockbox version box, type 5.1.0000.0. By setting lockbox exclusion to that minimum version, you will force the Windows RMS clients in your organization to upgrade to the Windows RMS client for SP2 to consume rights-protected content. Click OK.

To stop excluding lockbox versions

  1. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  2. In the console tree, expand Exclusion Policies, and then select Lockbox.

  3. Click Disable Lockbox Exclusion to stop excluding lockbox versions.

Additional references