Migration phase 3 - client-side configuration

*Applies to: Active Directory Rights Management Services, Azure Information Protection, Office 365*

*Relevant for: AIP unified labeling client and classic client*

Use the following information for Phase 3 of migrating from AD RMS to Azure Information Protection. These procedures cover step 7 from Migrating from AD RMS to Azure Information Protection.

Step 7. Reconfigure Windows computers to use Azure Information Protection

Reconfigure your Windows computers to use Azure Information Protection using one of the following methods:

  • DNS redirection. Simplest and preferred method, when supported.

    Supported for Windows computers that use Office 2016 or later click-to-run desktop apps, including:

    • Microsoft 365 apps
    • Office 2019
    • Office 2016 click-to-run desktop apps

    Requires you to create a new SRV record and set an NTFS deny permission for users on the AD RMS publishing endpoint. Clients that are refused by that endpoint fall back to the SRV record, which points them at your Azure Rights Management service instead.

    For more information, see Client reconfiguration by using DNS redirection.

  • Registry edits. Relevant for all supported environments, including both:

    • Windows computers that use Office 2016 or later click-to-run desktop apps, as listed above
    • Windows computers that use other apps

    Make the required registry changes manually, or edit and deploy the downloadable scripts to make the registry changes for you.

    For more information, see Client reconfiguration by using registry edits.

Tip

If you have a mixture of Office versions that can and cannot use DNS redirection, you can either use a combination of DNS redirection and registry edits, or use registry edits as the single method for all Windows computers.

Client reconfiguration by using DNS redirection

This method is suitable only for Windows clients that run Microsoft 365 apps or Office 2016 (or later) click-to-run desktop apps.

  1. Create a DNS SRV record using the following format:

    _rmsredir._http._tcp.<AD RMS cluster>. <TTL> IN SRV <priority> <weight> <port> <your tenant URL>.

    For <AD RMS cluster>, specify the FQDN of your AD RMS cluster. For example, rmscluster.contoso.com.

    Alternatively, if you have just one AD RMS cluster in that domain, you can specify just the domain name of the AD RMS cluster. In our example, that would be contoso.com. When you specify the domain name in this record, the redirection applies to any and all AD RMS clusters in that domain.

    The <port> number is ignored.

    For <your tenant URL>, specify the host name from your own Azure Rights Management service URL for your tenant (the table below shows an example). Because redirected clients follow this record to a new licensing service, restrict who can change the zone: anyone who can rewrite the record's target can redirect those clients.

    If you use the DNS Server role on Windows Server, you can use the following table as an example of how to specify the SRV record properties in the DNS Manager console.

    Field                         Value
    Domain                        _tcp.rmscluster.contoso.com
    Service                       _rmsredir
    Protocol                      _http
    Priority                      0
    Weight                        0
    Port number                   80
    Host offering this service    5c6bb73b-1038-4eec-863d-49bded473437.rms.na.aadrm.com
  2. Set a deny permission on the AD RMS publishing endpoint for users running Microsoft 365 apps or Office 2016 (or later):

    a. On one of your AD RMS servers in the cluster, start the Internet Information Services (IIS) Manager console.

    b. Navigate to Default Web Site and expand _wmcs.

    c. Right-click licensing and select Switch to Content View.

    d. In the details pane, right-click license.asmx > Properties > Edit.

    e. In the Permissions for license.asmx dialog box, either select Users if you want to set redirection for all users, or click Add and then specify a group that contains the users that you want to redirect.

    Even if all your users are using a version of Office that supports DNS redirection, you might prefer to initially specify a subset of users for a phased migration.

    f. For your selected group, select Deny for the Read & Execute and the Read permissions, and then click OK twice.

    g. To confirm this configuration is working as expected, try to connect to the license.asmx file directly from a browser, signed in as a user the deny applies to. You should see the following error message, which triggers clients running Microsoft 365 apps, Office 2019, or Office 2016 to look for the SRV record:

    Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists).
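The two steps above and the browser check in step 2g can be scripted. The following is an added example, not code from the original article or from Microsoft: it creates the SRV record with the DnsServer module, adds the NTFS deny ACE with Get-Acl/Set-Acl, and then requests license.asmx to confirm the 401. It assumes the cluster rmscluster.contoso.com in the DNS zone contoso.com, the tenant host from the table above, a group named CONTOSO\AIPMigrated (an assumption; this article creates a group of that name later for the registry method), and that the licensing virtual directory can be resolved from the Default Web Site. Run the DNS part on a DNS server and the ACL part on an AD RMS server in the cluster.

```powershell
# Added example, not from the original article: performs step 1 (SRV record)
# and step 2 (NTFS deny on license.asmx) from PowerShell, then runs the
# browser check from step 2g as an HTTP request.
# Assumptions: AD RMS cluster rmscluster.contoso.com in DNS zone contoso.com,
# the tenant host from the table above, and CONTOSO\AIPMigrated as the group
# of users to redirect (assumed name).

$Zone       = 'contoso.com'
$Cluster    = 'rmscluster.contoso.com'
$TenantHost = '5c6bb73b-1038-4eec-863d-49bded473437.rms.na.aadrm.com'
$Group      = 'CONTOSO\AIPMigrated'   # assumed group name

# --- Step 1: _rmsredir._http._tcp.<cluster> SRV record ---
# The record name is relative to the zone, so strip the zone suffix from the FQDN.
$relative = $Cluster -replace ('\.' + [regex]::Escape($Zone) + '$'), ''
$srvName  = "_rmsredir._http._tcp.$relative"

# Priority/weight 0 and port 80 match the table above; the client ignores the port.
Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name $srvName `
    -DomainName $TenantHost -Priority 0 -Weight 0 -Port 80 `
    -TimeToLive (New-TimeSpan -Hours 1)

# Verify the way a client will: the SRV target must be the tenant host.
$srv = Resolve-DnsName -Name "${srvName}.${Zone}" -Type SRV -ErrorAction Stop
if (-not ($srv | Where-Object { $_.NameTarget -eq $TenantHost })) {
    throw "SRV record ${srvName}.${Zone} does not point at $TenantHost"
}

# --- Step 2a-f: deny Read & Execute (which includes Read) on license.asmx ---
Import-Module WebAdministration
$licDir = Get-WebFilePath 'IIS:\Sites\Default Web Site\_wmcs\licensing'
$asmx   = Join-Path $licDir.FullName 'license.asmx'

$acl  = Get-Acl -Path $asmx
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Group, 'ReadAndExecute', 'Deny')
$acl.AddAccessRule($rule)
Set-Acl -Path $asmx -AclObject $acl

# --- Step 2g: run as a member of $Group; the endpoint must now answer 401 ---
try {
    Invoke-WebRequest -Uri "https://$Cluster/_wmcs/licensing/license.asmx" `
        -UseDefaultCredentials -UseBasicParsing | Out-Null
    Write-Warning 'license.asmx is still readable: the deny ACE did not apply to this account'
} catch {
    $status = [int]$_.Exception.Response.StatusCode
    if ($status -eq 401) {
        'OK: HTTP 401 returned; redirected clients will look up the SRV record'
    } else {
        throw "Unexpected HTTP status $status from license.asmx"
    }
}
```

Run the final check from a client account that is in the deny group; an account outside the group should still get HTTP 200, which is how you confirm the phased rollout only affects the intended users.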

Client reconfiguration by using registry edits

This method is suitable for all Windows clients and should be used if they do not run Microsoft 365 apps or Office 2016 (or later). This method uses two migration scripts to reconfigure AD RMS clients:

  • Migrate-Client.cmd

  • Migrate-User.cmd

The client configuration script (Migrate-Client.cmd) configures computer-level settings in the registry, which means that it must run in a security context that can make those changes. This typically means one of the following methods:

  • Use group policy to run the script as a computer startup script.

  • Use group policy software installation to assign the script to the computer.

  • Use a software deployment solution to deploy the script to the computers. For example, use System Center Configuration Manager packages and programs. In the properties of the package and program, under Run mode, specify that the script runs with administrative permissions on the device.

  • Use a logon script if the user has local administrator privileges.

The user configuration script (Migrate-User.cmd) configures user-level settings and cleans up the client license store. This means that this script must run in the context of the actual user. For example:

  • Use a logon script.

  • Use group policy software installation to publish the script for the user to run.

  • Use a software deployment solution to deploy the script to the users. For example, use System Center Configuration Manager packages and programs. In the properties of the package and program, under Run mode, specify that the script runs with the permissions of the user.

  • Ask the user to run the script when they are signed in to their computer.

The two scripts include a version number and do not rerun until this version number is changed. This means that you can leave the scripts in place until the migration is complete. However, if you do make changes to the scripts that you want computers and users to rerun on their Windows computers, update the following line in both scripts to a higher value:

SET Version=20170427

The user configuration script is designed to run after the client configuration script, and uses the version number in this check. It stops if the client configuration script with the same version has not run. This check ensures that the two scripts run in the right sequence.

When you cannot migrate all your Windows clients at once, run the following procedures for batches of clients. For each user who has a Windows computer that you want to migrate in your batch, add the user to the AIPMigrated group that you created earlier.

Modifying the scripts for registry edits

  1. Return to the migration scripts, Migrate-Client.cmd and Migrate-User.cmd, which you extracted previously when you downloaded these scripts in the preparation phase.

  2. Follow the instructions in Migrate-Client.cmd to modify the script so that it contains your tenant's Azure Rights Management service URL, and also your server names for your AD RMS cluster extranet licensing URL and intranet licensing URL. Then, increment the script version, as explained above. A good practice for tracking script versions is to use today's date in the following format: YYYYMMDD

    Important

    As before, be careful not to introduce additional spaces before or after your addresses.

    In addition, if your AD RMS servers use SSL/TLS server certificates, check whether the licensing URL values include the port number 443 in the string. For example: https://rms.treyresearch.net:443/_wmcs/licensing. You can find this information in the Active Directory Rights Management Services console when you click the cluster name and view the Cluster Details information. If you see the port number 443 included in the URL, include this value when you modify the script. For example, https://rms.treyresearch.net:443.

    If you need to retrieve your Azure Rights Management service URL for <YourTenantURL>, refer back to To identify your Azure Rights Management service URL.

  3. Using the instructions at the beginning of this step, configure your script deployment methods to run Migrate-Client.cmd and Migrate-User.cmd on the Windows client computers that are used by the members of the AIPMigrated group.
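The edits in step 2 are easy to get subtly wrong, and the Important note lists the two usual mistakes (stray whitespace around an address, and a missing or spurious :443). The following is an added example, not part of this article or of the Microsoft migration scripts: a PowerShell pre-flight check that scans both edited scripts before you deploy them. It assumes that both .cmd files are in the current folder, that their addresses and version are assigned with batch `SET name=value` lines (as the Version line shown above is; the actual variable names used for the URLs are not assumed), and that the version currently deployed to clients is 20170427. It also confirms the sequencing rule described earlier: Migrate-User.cmd stops unless Migrate-Client.cmd with the same version has run, so both files must carry an identical Version line.

```powershell
# Added example, not part of the article or of the Microsoft migration scripts:
# a pre-flight check for the edited Migrate-Client.cmd and Migrate-User.cmd.
# Assumptions: both scripts are in the current folder, their URLs and version
# are assigned with batch "SET name=value" lines (as the Version line shown
# above is), and the version currently deployed to clients is 20170427.

function Test-MigrationScript {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$PreviousVersion
    )
    $findings = @(); $notes = @(); $version = $null

    foreach ($line in Get-Content -Path $Path) {
        # Only SET assignments are of interest; capture the raw value, spaces included.
        if ($line -notmatch '^\s*SET\s+(?<name>[^=\s]+)=(?<value>.*)$') { continue }
        $name, $value = $Matches.name, $Matches.value

        if ($name -ieq 'Version') {
            if ($value -notmatch '^\d{8}$') {
                $findings += "Version '$value' is not in YYYYMMDD form"
            } elseif ([int]$value -le $PreviousVersion) {
                $findings += "Version $value is not higher than $PreviousVersion; clients will not rerun the script"
            } else { $version = [int]$value }
            continue
        }
        if ($value -notmatch '://') { continue }   # not an address

        # Important-note caveat 1: batch keeps surrounding spaces as part of the value.
        if ($value -ne $value.Trim()) {
            $findings += "$name has leading or trailing whitespace: '$value'"
        }
        $url = $value.Trim()
        if ($url -notmatch '^https://') { $findings += "$name is not an https URL: $url" }

        # Important-note caveat 2: record whether :443 is explicit so it can be
        # compared with the licensing URL shown in Cluster Details.
        $explicitPort = $url -match '^https://[^/]+:443(/|$)'
        $notes += "$name = $url (explicit :443 $(if ($explicitPort) { 'present' } else { 'absent' }))"
    }

    [pscustomobject]@{ Script = $Path; Version = $version; Findings = $findings; Notes = $notes }
}

$previous = 20170427
$client = Test-MigrationScript -Path .\Migrate-Client.cmd -PreviousVersion $previous
$user   = Test-MigrationScript -Path .\Migrate-User.cmd   -PreviousVersion $previous
$client, $user | Format-List

# Migrate-User.cmd stops unless the client script with the *same* version has run,
# so both files must carry an identical Version line.
if ($client.Version -ne $user.Version) {
    Write-Warning "Version mismatch: Migrate-Client.cmd=$($client.Version) Migrate-User.cmd=$($user.Version)"
}
if ($client.Findings + $user.Findings) {
    Write-Warning 'Fix the findings above before deploying the scripts.'
}

# Optional cross-check of the tenant host against what the AIPService module
# reports (requires Connect-AipService first):
#   $cfg = Get-AipServiceConfiguration
#   ([uri]$cfg.LicensingIntranetDistributionPointUrl).Host
```

The port check is reported as a note rather than a finding because either form can be correct; what matters is that the value in the script matches the licensing URL in Cluster Details, which the script cannot see. Compare the two by eye before raising the version and deploying.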

Next steps

To continue the migration, go to Phase 4 - supporting services configuration.