AD RMS and Client Design

Applies To: Windows Server 2008, Windows Server 2008 R2

The AD RMS client is built into the Windows Vista with SP1 operating system, so it is no longer a separate installation. Operating systems prior to Windows Vista with SP1 require installation of the AD RMS client software. The activation process establishes a lockbox and computer certificate for the currently logged-on user. Activation is a local process and does not require a network connection. Once activation is successful, the first use of AD RMS by an enabled application obtains a user certificate for the user.

Deploying these software components to clients can be a challenge for large AD RMS deployments, where manually installing client software is not an option. The following software distribution technologies can be used to deploy the AD RMS client components:

  • Microsoft Systems Management Server (SMS) 2003 or Microsoft System Center Configuration Manager 2007. Organizations running SMS 2003 or Configuration Manager 2007 can deploy the AD RMS client to Windows XP, Windows 2000, and Windows 2003.

  • Group Policies (GPOs). Active Directory GPOs can be used to deploy software that is packaged using Windows Installer.

The client deployment can be achieved using software distribution infrastructure such as Microsoft Systems Management Server 2003, System Center Configuration Manager 2007 or Active Directory Group Policy (Software Distribution). It is recommended to distribute the AD RMS client ahead of or at the same time as any deployment of Office so that the AD RMS users who try to use the IRM functionality will not be asked to download and install the AD RMS client software.

For information on how to deploy the AD RMS client, see AD RMS Client Deployment and Usage Considerations, AD RMS Client Requirements, and AD RMS and Microsoft Office Deployment Considerations.