Rights Management Service client deployment notes

*Applies to: Active Directory Rights Management Services, Azure Information Protection, Windows 8, Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016*

*Relevant for: AIP unified labeling client and classic client.*


To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This time frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

The Rights Management Service client (RMS client) version 2 is also known as the MSIPC client. It is software for Windows computers that communicates with Microsoft Rights Management services on-premises or in the cloud to help protect access to and usage of information as it flows through applications and devices, within the boundaries of your organization or outside those managed boundaries.

In addition to shipping with the Azure Information Protection unified labeling client, the RMS client is available as an optional download that can, with acknowledgment and acceptance of its license agreement, be freely distributed with third-party software so that clients can protect and consume content that has been protected by Rights Management services.

Redistributing the RMS client

The RMS client can be freely redistributed and bundled with other applications and IT solutions. If you are an application developer or solution provider and want to redistribute the RMS client, you have two options:

  • Recommended: Embed the RMS client installer in your application installation and run it in silent mode (the /quiet switch, detailed in the next section).

  • Make the RMS client a prerequisite for your application. With this option, you might need to provide users with additional instructions so that they can obtain the client, install it, and keep it updated on their computers before they can use your application.

Installing the RMS client

The RMS client is contained in an installer executable file named setup_msipc_<arch>.exe, where <arch> is either x86 (for 32-bit client computers) or x64 (for 64-bit client computers). The 64-bit (x64) installer package installs both a 32-bit runtime executable, for compatibility with 32-bit applications that run on a 64-bit operating system installation, and a 64-bit runtime executable, for supporting native 64-bit applications. The 32-bit (x86) installer does not run on a 64-bit Windows installation.

You must have elevated privileges to install the RMS client, such as membership in the Administrators group on the local computer.

You can install the RMS client by using either of the following installation methods:

  • Silent mode. By using the /quiet switch as part of the command-line options, you can silently install the RMS client on computers. The following example shows a silent mode installation of the RMS client on a 64-bit client computer:

    setup_msipc_x64.exe /quiet

  • Interactive mode. Alternatively, you can install the RMS client by using the GUI-based setup program that's provided by the RMS Client Installation wizard. To install interactively, double-click the RMS client installer package (setup_msipc_<arch>.exe) in the folder to which it was copied or downloaded on your local computer.
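The following PowerShell script is an added example of the recommended embedded, silent deployment; it is not code from this page or from Microsoft. It assumes the two installers are staged in a .\redist folder (an assumption) and adds the checks a deployment script should make: pick the package by OS bitness, confirm elevation, verify the redistributed binary's Authenticode signature before executing it, and confirm Msipc.dll landed in the default install folder.

```powershell
# Added example, not from the page: embed the RMS client installer in an
# application setup and run it silently with the checks a deployment needs.
$InstallerDir = '.\redist'   # assumption: setup_msipc_x86.exe / setup_msipc_x64.exe staged here

function Get-MsipcInstallerPath {
    param([string]$Dir)
    # The page states the x86 installer will not run on 64-bit Windows and that the
    # x64 package carries both runtimes, so choose by OS bitness, not process bitness.
    $arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
    return Join-Path $Dir "setup_msipc_$arch.exe"
}

function Get-MsipcInstallPath {
    # Default location from the page:
    # %ProgramFiles%\Active Directory Rights Management Services Client 2.<minor version number>
    # Msipc.dll is one of the files the page lists as installed with the client.
    $pattern = Join-Path $env:ProgramFiles 'Active Directory Rights Management Services Client 2.*'
    $dirs = Get-ChildItem -Path $pattern -Directory -ErrorAction SilentlyContinue
    foreach ($d in $dirs) {
        if (Test-Path (Join-Path $d.FullName 'Msipc.dll')) { return $d.FullName }
    }
    return $null
}

function Install-MsipcClient {
    param([string]$Dir)

    # The page requires elevated privileges (local Administrators) to install.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'The RMS client installer requires elevated privileges (local Administrators).'
    }

    $existing = Get-MsipcInstallPath
    if ($existing) {
        Write-Host "RMS client already present at: $existing"
        return 0
    }

    $installer = Get-MsipcInstallerPath -Dir $Dir
    if (-not (Test-Path $installer)) { throw "Installer not found: $installer" }

    # Supply-chain check before executing a redistributed binary: refuse anything
    # whose Authenticode signature is missing, broken or untrusted.
    $sig = Get-AuthenticodeSignature -FilePath $installer
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to run $installer because its signature status is $($sig.Status)"
    }
    Write-Host "Installer signed by: $($sig.SignerCertificate.Subject)"

    # Silent install exactly as the page documents it (/quiet). Waiting on the
    # process makes the exit code meaningful to the calling application installer;
    # only 0 is treated as success here.
    $p = Start-Process -FilePath $installer -ArgumentList '/quiet' -Wait -PassThru
    if ($p.ExitCode -ne 0) {
        throw "RMS client setup failed with exit code $($p.ExitCode)"
    }

    $path = Get-MsipcInstallPath
    if (-not $path) { throw 'Setup returned 0 but Msipc.dll was not found under the default path.' }
    Write-Host "RMS client installed at: $path"
    return $p.ExitCode
}

Install-MsipcClient -Dir $InstallerDir
```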

Questions and answers about the RMS client

The following section contains frequently asked questions about the RMS client and the answers to them.

Which operating systems support the RMS client?

The RMS client is supported with the following operating systems:

Windows Server Operating System    Windows Client Operating System
Windows Server 2016                Windows 10
Windows Server 2012 R2             Windows 8.1
Windows Server 2012                Windows 8
Windows Server 2008 R2             Windows 7 with minimum of SP1

Which processors or platforms support the RMS client?

The RMS client is supported on x86 and x64 computing platforms.

Where is the RMS client installed?

By default, the RMS client is installed in %ProgramFiles%\Active Directory Rights Management Services Client 2.<minor version number>.

What files are associated with the RMS client software?

The following files are installed as part of the RMS client software:

  • Msipc.dll

  • Ipcsecproc.dll

  • Ipcsecproc_ssp.dll

  • MSIPCEvents.man

In addition to these files, the RMS client also installs multilingual user interface (MUI) support files in 44 languages. To verify the languages supported, run the RMS client installation and, when the installation is complete, review the contents of the multilingual support folders under the default path.

Is the RMS client included by default when I install a supported operating system?

No. This version of the RMS client ships as an optional download that can be installed separately on computers running supported versions of the Microsoft Windows operating system.

Is the RMS client automatically updated by Microsoft Update?

If you installed this RMS client by using the silent installation option, the RMS client inherits your current Microsoft Update settings. If you installed the RMS client by using the GUI-based setup program, the RMS client installation wizard prompts you to enable Microsoft Update.

RMS client settings

The following section contains settings information about the RMS client. This information might be helpful if you have problems with applications or services that use the RMS client.

Some settings depend on whether the RMS-enlightened application runs as a client mode application (such as Microsoft Word and Outlook, or the Azure Information Protection client with Windows File Explorer) or as a server mode application (such as SharePoint and Exchange). In the following tables, these settings are identified as Client Mode and Server Mode, respectively.

Where the RMS client stores licenses on client computers

The RMS client stores licenses on the local disk and also caches some information in the Windows registry.

Description               Client Mode Paths                          Server Mode Paths
License store location    %localappdata%\Microsoft\MSIPC             %allusersprofile%\Microsoft\MSIPC\Server\<SID>
Template store location   %localappdata%\Microsoft\MSIPC\Templates   %allusersprofile%\Microsoft\MSIPC\Server\<SID>
\Local Settings

<SID> is the security identifier (SID) for the account under which the server application is running. For example, if the application is running under the built-in Network Service account, replace <SID> with the value of the well-known SID for that account (S-1-5-20).

Windows registry settings for the RMS client

You can use Windows registry keys to set or modify some RMS client configurations. For example, as an administrator for RMS-enlightened applications that communicate with AD RMS servers, you might want to update the enterprise service location (override the AD RMS server that is currently selected for publishing) depending on the client computer's current location within your Active Directory topology. Or, you might want to enable RMS tracing at the client computer, to help troubleshoot a problem with an RMS-enlightened application. Use the following table to identify the registry settings that you can change for the RMS client.

Task: To control application data collection (if the client is version 1.03102.0221 or later)

Important: In order to honor user privacy, you as the administrator must ask the user for consent before enabling data collection.

If you enable data collection, you are agreeing to send data to Microsoft over the internet. Microsoft uses this data to provide and improve the quality, security, and integrity of Microsoft products and services. For example, Microsoft analyzes performance and reliability, such as what features you use, how quickly the features respond, device performance, user interface interactions, and any problems you experience with the product. Data also includes information about the configuration of your software, such as the software that you are currently running, and the IP address.

Settings:

For version 1.0.3356 or later:
REG_DWORD: DiagnosticAvailability

For versions before 1.0.3356:
REG_DWORD: DiagnosticState

Value: 0 for Application defined (default) by using the environment property IPC_EI_DATA_COLLECTION_ENABLED, 1 for Disabled, 2 for Enabled

Note: If your 32-bit MSIPC-based application is running on a 64-bit version of Windows, the location is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSIPC.

Task: AD RMS only: To update the enterprise service location for a client computer

Settings: Update the following registry keys (the same keys that the procedure "To enable client-side AD RMS service discovery by using the Windows registry" later on this page creates step by step):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation\EnterpriseCertification
REG_SZ: default
Value: <http or https>://RMS_Cluster_Name/_wmcs/Certification

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation\EnterprisePublishing
REG_SZ: default
Value: <http or https>://RMS_Cluster_Name/_wmcs/Licensing

Task: To enable and disable tracing

Settings: Update the following registry key:

Value: 1 to enable tracing, 0 to disable tracing (default)

Task: To change the frequency in days to refresh templates

The following registry values specify how often templates refresh on the user's computer if the TemplateUpdateFrequencyInSeconds value is not set. If neither of these values is set, the default refresh interval for applications using the RMS client (version 1.0.1784.0) to download templates is 1 day. Prior versions have a default value of every 7 days.

Settings:

Client Mode:
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC
REG_DWORD: TemplateUpdateFrequency
Value: An integer value that specifies the number of days (minimum of 1) between downloads.

Server Mode:
REG_DWORD: TemplateUpdateFrequency
Value: An integer value that specifies the number of days (minimum of 1) between downloads.

Task: To change the frequency in seconds to refresh templates

Important: If this setting is specified, the value to refresh templates in days is ignored. Specify one or the other, not both.

The following registry values specify how often templates refresh on the user's computer. If neither this value nor the value to change the frequency in days (TemplateUpdateFrequency) is set, the default refresh interval for applications using the RMS client (version 1.0.1784.0) to download templates is 1 day. Prior versions have a default value of every 7 days.

Settings:

Client Mode:
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC
REG_DWORD: TemplateUpdateFrequencyInSeconds
Value: An integer value that specifies the number of seconds (minimum of 1) between downloads.

Server Mode:
REG_DWORD: TemplateUpdateFrequencyInSeconds
Value: An integer value that specifies the number of seconds (minimum of 1) between downloads.

Task: AD RMS only: To download templates immediately at the next publishing request

During testing and evaluations, you might want the RMS client to download templates as soon as possible. For this configuration, remove the following registry key; the RMS client then downloads templates immediately at the next publishing request rather than waiting for the time specified by the TemplateUpdateFrequency registry setting:

Settings:
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC\<Server Name>\Template

Note: <Server Name> could have both external (corprights.contoso.com) and internal (corprights) URLs and therefore two different entries.

Task: AD RMS only: To enable support for federated authentication

If the RMS client computer connects to an AD RMS cluster by using a federated trust, you must configure the federation home realm.

Settings:
REG_SZ: FederationHomeRealm
Value: The value of this registry entry is the uniform resource identifier (URI) for the federation service (for example, "http://TreyADFS.trey.net/adfs/services/trust").

Note: It is important that you specify http and not https for this value. In addition, if your 32-bit MSIPC-based application is running on a 64-bit version of Windows, the location is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSIPC\Federation. For an example configuration, see Deploying Active Directory Rights Management Services with Active Directory Federation Services.

Task: AD RMS only: To support partner federation servers that require forms-based authentication for user input

By default, the RMS client operates in silent mode and user input is not required. Partner federation servers, however, might be configured to require user input, for example by way of forms-based authentication. In this case, you must configure the RMS client to ignore silent mode so that the federated authentication form appears in a browser window and the user is prompted for authentication.

Settings:
REG_DWORD: EnableBrowser

Note: If the federation server is configured to use forms-based authentication, this key is required. If the federation server is configured to use integrated Windows authentication, this key is not required.

Task: AD RMS only: To block ILS service consumption

By default, the RMS client enables consuming content protected by the ILS service, but you can configure the client to block this service by setting the following registry key. If this registry key is set to block the ILS service, any attempt to open and consume content protected by the ILS service returns the following error:

Settings:
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC
REG_DWORD: DisablePassportCertification
Value: 1 to block ILS consumption, 0 to allow ILS consumption (default)
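The following PowerShell audit is an added example, not code from this page or from Microsoft: it reads the settings documented above from the hive the page names for each of them and flags values that contradict the documented constraints (days and seconds both set, a minimum below 1, an https federation realm, data collection enabled by policy). Assumptions not stated on the page: the native 64-bit keys are HKLM\SOFTWARE\Microsoft\MSIPC and HKLM\SOFTWARE\Microsoft\MSIPC\Federation (the page gives only their Wow6432Node forms), and EnableBrowser lives under that Federation subkey.

```powershell
# Added example, not from the page: audit the documented MSIPC registry settings.

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-MsipcAudit {
    param(
        # Audit the view a 32-bit MSIPC application gets on 64-bit Windows (page: Wow6432Node).
        [switch]$Wow6432Node
    )
    # Assumption: native hive is HKLM\SOFTWARE\Microsoft\MSIPC; the page only shows the Wow6432Node form.
    $hklm = if ($Wow6432Node) { 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSIPC' } else { 'HKLM:\SOFTWARE\Microsoft\MSIPC' }
    $hkcu = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\MSIPC'   # client-mode key from the page
    $findings = New-Object System.Collections.Generic.List[string]

    # Data collection: DiagnosticAvailability (1.0.3356 or later) or DiagnosticState (earlier).
    # 0 = application defined (default), 1 = disabled, 2 = enabled.
    $diag = Get-RegValue $hklm 'DiagnosticAvailability'
    if ($null -eq $diag) { $diag = Get-RegValue $hklm 'DiagnosticState' }
    if ($null -eq $diag)   { $findings.Add('Data collection: not set (application defined)') }
    elseif ($diag -eq 2)   { $findings.Add('Data collection: ENABLED by policy; the page requires user consent first') }
    elseif ($diag -eq 1)   { $findings.Add('Data collection: disabled') }
    elseif ($diag -eq 0)   { $findings.Add('Data collection: application defined (explicit 0)') }
    else                   { $findings.Add("Data collection: unexpected value $diag") }

    # Template refresh: the page says specify days OR seconds, never both, minimum 1.
    $days = Get-RegValue $hkcu 'TemplateUpdateFrequency'
    $secs = Get-RegValue $hkcu 'TemplateUpdateFrequencyInSeconds'
    if ($null -ne $days -and $null -ne $secs) {
        $findings.Add('Template refresh: both TemplateUpdateFrequency and TemplateUpdateFrequencyInSeconds are set; the day value is ignored, remove one')
    } elseif ($null -ne $days -and $days -lt 1) {
        $findings.Add("Template refresh: TemplateUpdateFrequency=$days is below the documented minimum of 1")
    } elseif ($null -ne $secs -and $secs -lt 1) {
        $findings.Add("Template refresh: TemplateUpdateFrequencyInSeconds=$secs is below the documented minimum of 1")
    } elseif ($null -eq $days -and $null -eq $secs) {
        $findings.Add('Template refresh: defaults apply (1 day on 1.0.1784.0 and later, 7 days earlier)')
    }

    # Federation: the page says the home realm URI must be http, not https.
    # Assumption: EnableBrowser sits under the same Federation subkey.
    $fed   = "$hklm\Federation"
    $realm = Get-RegValue $fed 'FederationHomeRealm'
    if ($null -ne $realm) {
        if ($realm -notmatch '^http://') {
            $findings.Add("Federation: FederationHomeRealm '$realm' must use http://, not https://")
        }
        if ($null -eq (Get-RegValue $fed 'EnableBrowser')) {
            $findings.Add('Federation: EnableBrowser not set; required if the partner federation server uses forms-based authentication')
        }
    }

    # ILS consumption: 1 blocks, 0 (default) allows.
    $ils = Get-RegValue $hkcu 'DisablePassportCertification'
    if ($ils -eq 1) { $findings.Add('ILS consumption: blocked') } else { $findings.Add('ILS consumption: allowed (default)') }

    # Trusted servers: report whether the restriction key exists and which named values it holds.
    $trusted = "$hklm\TrustedServers"
    if (Test-Path $trusted) {
        $names = @((Get-Item $trusted).GetValueNames() | Where-Object { $_ -ne '' })
        $findings.Add("TrustedServers key present with $($names.Count) named value(s): $($names -join ', ')")
    } else {
        $findings.Add('TrustedServers key absent: client is not restricted to trusted AD RMS servers')
    }

    return $findings
}

Get-MsipcAudit | ForEach-Object { Write-Output $_ }
if ([Environment]::Is64BitOperatingSystem) {
    Get-MsipcAudit -Wow6432Node | ForEach-Object { Write-Output "[Wow6432Node] $_" }
}
```

Run it under the user account whose client-mode (HKCU) settings you want to see; server-mode template keys are not covered because the page does not give their paths.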

Managing template distribution for the RMS client

Templates make it easy for users and administrators to quickly apply Rights Management protection, and the RMS client automatically downloads templates from its RMS servers or service. If you put templates in the following folder location, the RMS client does not download any templates from its default location and instead uses the templates that you have put in this folder. The RMS client might continue to download templates from other available RMS servers.

Client Mode: %localappdata%\Microsoft\MSIPC\UnmanagedTemplates

Server Mode: %allusersprofile%\Microsoft\MSIPC\Server\UnmanagedTemplates\<SID>

When you use this folder, there is no special naming convention required, except that the templates should be issued by the RMS server or service and they must have the .xml file name extension. For example, Contoso-Confidential.xml or Contoso-ReadOnly.xml are valid names.

AD RMS only: Limiting the RMS client to use trusted AD RMS servers

The RMS client can be limited to using only specific trusted AD RMS servers by making the following changes to the Windows registry on local computers.

To enable limiting the RMS client to use only trusted AD RMS servers

  • HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\TrustedServers

    Value: If a non-zero value is specified, the RMS client trusts only the specified servers that are configured in the TrustedServers list and the Azure Rights Management service.

To add members to the list of trusted AD RMS servers

  • HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\TrustedServers\

    Value: The string values in this registry key location can be either in DNS domain name format (for example, adrms.contoso.com) or full URLs to trusted AD RMS servers (for example, https://adrms.contoso.com). If a specified URL starts with https://, the RMS client uses SSL or TLS to contact the specified AD RMS server.

RMS service discovery

RMS service discovery lets the RMS client check which RMS server or service to communicate with before protecting content. Service discovery might also happen when the RMS client consumes protected content, but this type of discovery is less likely to happen because the policy attached to the content contains the preferred RMS server or service. Only if those sources are unsuccessful does the client then run service discovery.

To perform service discovery, the RMS client checks the following:

  1. The Windows registry on the local computer: If service discovery settings are configured in the registry, these settings are tried first.

    By default, these settings are not configured in the registry, but an administrator can configure them for AD RMS as documented in a following section. An administrator typically configures these settings for the Azure Rights Management service during the migration process from AD RMS to Azure Information Protection.

  2. Active Directory Domain Services: A domain-joined computer queries Active Directory for a service connection point (SCP).

    If an SCP is registered as documented in the following section, the URL of the AD RMS server is returned to the RMS client to use.

  3. The Azure Rights Management discovery service: The RMS client connects to https://discover.aadrm.com, which prompts the user to authenticate.

    When authentication is successful, the user name (and domain) from the authentication is used to identify the Azure Information Protection tenant to use. The Azure Information Protection URL to use for that user account is returned to the RMS client. The URL is in the following format: https://<YourTenantURL>/_wmcs/licensing

    For example: 5c6bb73b-1038-4eec-863d-49bded473437.rms.na.aadrm.com/_wmcs/licensing

    <YourTenantURL> has the following format: {GUID}.rms.[Region].aadrm.com. You can find this value by identifying the RightsManagementServiceId value when you run the Get-AipServiceConfiguration cmdlet.

There are four important exceptions to this service discovery flow:

  • Mobile devices are best suited to use a cloud service, so by default they use service discovery for the Azure Rights Management service (https://discover.aadrm.com). To override this default so that mobile devices use AD RMS rather than the Azure Rights Management service, specify SRV records in DNS and install the mobile device extension as documented in Active Directory Rights Management Services Mobile Device Extension.

  • When the Rights Management service is invoked by an Azure Information Protection label, service discovery is not performed. Instead, the URL is specified directly in the label setting that is configured in the Azure Information Protection policy.

  • When a user initiates sign-in from an Office application, the user name (and domain) from the authentication is used to identify the Azure Information Protection tenant to use. In this case, registry settings are not needed and the SCP is not checked.

  • When you have configured DNS redirection for Office click-to-run desktop apps, the RMS client finds the Azure Rights Management service by being denied access to the AD RMS cluster that it previously found. This deny action triggers the client to look for the SRV record, which redirects the client to the Azure Rights Management service for your tenant. This SRV record also lets Exchange Online decrypt emails that have been protected by your AD RMS cluster.

AD RMS only: Enabling server-side service discovery by using Active Directory

If your account has sufficient privileges (Enterprise Admins and local administrator for the AD RMS server), you can automatically register a service connection point (SCP) when you install the AD RMS root cluster server. If an SCP already exists in the forest, you must first delete the existing SCP before you can register a new one.

You can register and delete an SCP after AD RMS is installed by using the following procedure. Before you start, make sure that your account has the required privileges (Enterprise Admins and local administrator for the AD RMS server).

To enable AD RMS service discovery by registering an SCP in Active Directory

  1. Open the Active Directory Rights Management Services console at the AD RMS server:

    • For Windows Server 2012 R2 or Windows Server 2012, in Server Manager, select Tools > Active Directory Rights Management Services.

    • For Windows Server 2008 R2, select Start > Administrative Tools > Active Directory Rights Management Services.

  2. In the AD RMS console, right-click the AD RMS cluster, and then click Properties.

  3. Click the SCP tab.

  4. Select the Change SCP check box.

  5. Select the Set SCP to current certification cluster option, and then click OK.

Enabling client-side service discovery by using the Windows registry

As an alternative to using an SCP, or where an SCP does not exist, you can configure the registry on the client computer so that the RMS client can locate its AD RMS server.

To enable client-side AD RMS service discovery by using the Windows registry

  1. Open the Windows registry editor, Regedit.exe:

    • On the client computer, in the Run window, type regedit, and then press Enter to open the Registry Editor.

  2. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC.

    If you are running a 32-bit application on a 64-bit computer, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSIPC.

  3. To create the ServiceLocation subkey, right-click MSIPC, point to New, click Key, and then type ServiceLocation.

  4. To create the EnterpriseCertification subkey, right-click ServiceLocation, point to New, click Key, and then type EnterpriseCertification.

  5. To set the enterprise certification URL, double-click the (Default) value under the EnterpriseCertification subkey. When the Edit String dialog box appears, for Value data, type <http or https>://<AD RMS_cluster_name>/_wmcs/Certification, and then click OK.

  6. To create the EnterprisePublishing subkey, right-click ServiceLocation, point to New, click Key, and then type EnterprisePublishing.

  7. To set the enterprise publishing URL, double-click the (Default) value under the EnterprisePublishing subkey. When the Edit String dialog box appears, for Value data, type <http or https>://<AD RMS_cluster_name>/_wmcs/Licensing, and then click OK.

  8. Close Registry Editor.

If the RMS client can't find an SCP by querying Active Directory and one is not specified in the registry, service discovery calls for AD RMS fail.

Redirecting licensing server traffic

In some cases, you might need to redirect traffic during service discovery, for example, when two organizations are merged, the old licensing server in one organization is retired, and clients need to be redirected to a new licensing server. Or, you migrate from AD RMS to Azure RMS. To enable licensing redirection, use the following procedure.

To enable RMS licensing redirection by using the Windows registry

  1. Open the Windows registry editor, Regedit.exe.

  2. In Registry Editor, navigate to one of the following:

    • For the 64-bit version of Office on an x64 platform: HKLM\SOFTWARE\Microsoft\MSIPC\Servicelocation

    • For the 32-bit version of Office on an x64 platform: HKLM\SOFTWARE\Wow6432Node\Microsoft\MSIPC\Servicelocation

  3. Create a LicensingRedirection subkey by right-clicking Servicelocation, pointing to New, clicking Key, and then typing LicensingRedirection.

  4. To set the licensing redirection, right-click the LicensingRedirection subkey, select New, and then select String value. For Name, specify the previous server licensing URL, and for Value specify the new server licensing URL.

    For example, to redirect licensing from a server at Contoso.com to one at Fabrikam.com, you might enter the following values:

    Name: https://contoso.com/_wmcs/licensing

    Value: https://fabrikam.com/_wmcs/licensing

    If the old licensing server has both intranet and extranet URLs specified, a new name and value mapping must be set for both of these URLs under the LicensingRedirection key.

  5. Repeat the previous step for all servers that need to be redirected.

  6. Close the Registry Editor.
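The following PowerShell is an added example, not code from this page or from Microsoft, that scripts both registry procedures above: client-side service discovery (ServiceLocation\EnterpriseCertification and \EnterprisePublishing) and licensing redirection (ServiceLocation\LicensingRedirection). It validates each URL against the documented /_wmcs/Certification and /_wmcs/Licensing shapes before writing, and writes both the intranet and extranet mapping for a retired server as the page requires. The function names, the -Wow6432Node switch (selecting the 32-bit-Office hive the page names) and the internal host name rms-internal.contoso.com are assumptions for illustration.

```powershell
# Added example, not from the page: scripted service location and licensing redirection.

function Get-MsipcServiceLocationKey {
    param([switch]$Wow6432Node)
    # Hives exactly as the page lists them for 64-bit and 32-bit Office on x64.
    if ($Wow6432Node) { return 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSIPC\ServiceLocation' }
    return 'HKLM:\SOFTWARE\Microsoft\MSIPC\ServiceLocation'
}

function Test-RmsUrl {
    param([string]$Url, [ValidateSet('Certification', 'Licensing')][string]$Endpoint)
    # Documented value shapes: <http or https>://<cluster>/_wmcs/Certification and
    # <http or https>://<cluster>/_wmcs/Licensing. -match is case-insensitive, so the
    # page's lowercase "licensing" spelling is accepted too.
    return $Url -match "^https?://[^/]+/_wmcs/$Endpoint/?$"
}

function Set-MsipcServiceLocation {
    param(
        [Parameter(Mandatory)][string]$CertificationUrl,
        [Parameter(Mandatory)][string]$LicensingUrl,
        [switch]$Wow6432Node
    )
    if (-not (Test-RmsUrl $CertificationUrl 'Certification')) { throw "Bad certification URL: $CertificationUrl" }
    if (-not (Test-RmsUrl $LicensingUrl 'Licensing'))         { throw "Bad licensing URL: $LicensingUrl" }
    if ($CertificationUrl -like 'http://*' -or $LicensingUrl -like 'http://*') {
        # The page allows http, but only https makes the client use SSL/TLS to the cluster.
        Write-Warning 'Plain http service location: the client will contact the cluster without TLS.'
    }

    $base = Get-MsipcServiceLocationKey -Wow6432Node:$Wow6432Node
    $targets = @(
        @{ Sub = 'EnterpriseCertification'; Url = $CertificationUrl },
        @{ Sub = 'EnterprisePublishing';    Url = $LicensingUrl }
    )
    foreach ($t in $targets) {
        $key = Join-Path $base $t.Sub
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # The procedure puts the URL in the (Default) REG_SZ value of each subkey.
        Set-ItemProperty -Path $key -Name '(Default)' -Value $t.Url
    }
}

function Add-MsipcLicensingRedirection {
    param(
        [Parameter(Mandatory)][string[]]$OldLicensingUrl,
        [Parameter(Mandatory)][string]$NewLicensingUrl,
        [switch]$Wow6432Node
    )
    if (-not (Test-RmsUrl $NewLicensingUrl 'Licensing')) { throw "Bad new licensing URL: $NewLicensingUrl" }
    $key = Join-Path (Get-MsipcServiceLocationKey -Wow6432Node:$Wow6432Node) 'LicensingRedirection'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # One REG_SZ per retired URL: name = old licensing URL, data = new licensing URL.
    # Pass every URL the old server had (intranet and extranet), as the page requires.
    foreach ($old in $OldLicensingUrl) {
        if (-not (Test-RmsUrl $old 'Licensing')) { throw "Bad old licensing URL: $old" }
        New-ItemProperty -Path $key -Name $old -Value $NewLicensingUrl -PropertyType String -Force | Out-Null
    }
}

# Worked values: contoso.com retired and fabrikam.com new, as in the page's example;
# 'rms-internal.contoso.com' is a constructed intranet name for the old server.
Set-MsipcServiceLocation -CertificationUrl 'https://fabrikam.com/_wmcs/Certification' `
                         -LicensingUrl     'https://fabrikam.com/_wmcs/Licensing'
Add-MsipcLicensingRedirection -OldLicensingUrl @('https://contoso.com/_wmcs/licensing',
                                                 'https://rms-internal.contoso.com/_wmcs/licensing') `
                              -NewLicensingUrl 'https://fabrikam.com/_wmcs/Licensing'
```

Run from an elevated session, and add -Wow6432Node to both calls when the consuming application is 32-bit Office on x64.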