This Exchange Wiki page lists Information Rights Management (IRM) features in Microsoft Exchange 2007 SP3 and later versions and provides guidance about the Exchange Server and Active Directory Rights Management Services (AD RMS) configuration necessary to implement each of those features.

Exchange Features

Implementing Prelicensing

You can use the Active Directory Rights Management Services (AD RMS) Prelicensing agent to certify the Microsoft Office Outlook recipient's authenticity so that the recipient can open messages without receiving a credential prompt on every attempt. The AD RMS Prelicensing Agent requires the Hub Transport server role of Exchange Server 2007 or later and, if Exchange Server is running on Windows Server 2003, installing the Windows Rights Management Server client. No special configuration of Windows Rights Management Services or AD RMS is required to enable prelicensing.

To implement prelicensing, follow the instructions in the following documents:

• Understanding Information Rights Management: http://technet.microsoft.com/en-us/library/dd638140.aspx
• AD RMS Microsoft Exchange Server 2010 Integration Guide: http://technet.microsoft.com/en-us/library/ee849857%28WS.10%29.aspx
• Enable or Disable IRM for Internal Messages: http://technet.microsoft.com/en-us/library/bb124077.aspx
• Planning for Hub Transport Servers: http://technet.microsoft.com/en-us/library/aa998616%28EXCHG.80%29.aspx
• Transport: http://technet.microsoft.com/en-us/library/dd351247.aspx
• Planning for the Integration of the Rights Management Services Prelicensing Agent: http://technet.microsoft.com/en-us/library/aa996825%28EXCHG.80%29.aspx
• Understanding the AD RMS Prelicensing Agent: http://technet.microsoft.com/en-us/library/aa996600%28EXCHG.80%29.aspx
• Deploying Server Roles: http://technet.microsoft.com/en-us/library/aa997610%28EXCHG.80%29.aspx (Exchange 2007), or Deploying Server Roles: http://technet.microsoft.com/en-us/library/dd351084.aspx (Exchange 2010)
• Managing the AD RMS Prelicensing Agent: http://technet.microsoft.com/en-us/library/aa997453%28EXCHG.80%29.aspx (Exchange 2007), or Enable or Disable IRM for Internal Messages: http://technet.microsoft.com/en-us/library/bb124077.aspx (Exchange 2010).

Implementing OWA IRM

In Exchange 2010, IRM in Outlook Web App (OWA) allows your users to access the rich IRM functionality offered by Exchange to apply persistent IRM-protection to messaging content. OWA IRM requires the Prelicensing service, and the CAS and Mailbox server roles of Exchange Server 2010. In addition, AD RMS must be configured to support OWA IRM.

To implement OWA IRM, follow the instructions in Implementing Prelicensing and then follow the instructions in the following documents:

• Planning for Client Access Servers: http://technet.microsoft.com/en-us/library/bb232184%28EXCHG.80%29.aspx
• Client Access: http://technet.microsoft.com/en-us/library/dd298114.aspx
• Planning for Mailbox Servers: http://technet.microsoft.com/en-us/library/bb201699%28EXCHG.80%29.aspx
• Mailbox: http://technet.microsoft.com/en-us/library/dd351040.aspx
• Deploying Server Roles: http://technet.microsoft.com/en-us/library/dd351084.aspx
• Managing Outlook Web App: http://technet.microsoft.com/en-us/library/aa996373.aspx
• Understanding Information Rights Management in Outlook Web App: http://technet.microsoft.com/en-us/library/dd876891.aspx
• Managing Information Rights Management: http://technet.microsoft.com/en-us/library/dd351212.aspx

Implementing IRM in Windows Mobile

Organizations can use Information Rights Management (IRM) to apply persistent protection to messaging content.

In Microsoft Exchange Server 2010 RTM, use of IRM on mobile devices has the following requirements:

• A mobile device running Windows Mobile 6.0 or later.
• Enable Certification of mobile devices.
• Users must connect the device to a computer and activate it for IRM using one of the following methods:
  • On computers running Windows 7 or Windows Vista by using the Windows Mobile Device Center
  • On computers running Windows XP by using Microsoft ActiveSync client application

To implement IRM in ActiveSync and Windows Mobile, follow the instructions in Implementing Prelicensing and then follow the instructions in the following documents:

• Planning for Client Access Servers: http://technet.microsoft.com/en-us/library/bb232184%28EXCHG.80%29.aspx
• Client Access: http://technet.microsoft.com/en-us/library/dd298114.aspx
• Deploying Server Roles: http://technet.microsoft.com/en-us/library/dd351084.aspx
• Understanding Information Rights Management in Exchange ActiveSync: http://technet.microsoft.com/en-us/library/ff657743.aspx
• Enable Certification of Mobile Devices: http://technet.microsoft.com/en-us/library/ff657743.aspx
• Managing Information Rights Management: http://technet.microsoft.com/en-us/library/dd351212.aspx

Implementing IRM Search

In Microsoft Exchange Server 2010, you can provision personal archives for your users, helping you reduce or eliminate the use of .pst files. This results in more mailbox data being stored by a user, and it makes searching across the user's primary and archive mailboxes an important productivity tool.

With Exchange Search, new items are indexed almost immediately after they're created or delivered to the mailbox, providing users with a fast, stable, and more reliable way of searching mailbox data. In Exchange 2010 and Exchange Server 2007, content indexing is enabled by default on all mailbox databases, and there's no initial setup or configuration required.

Messages protected using Information Rights Management (IRM) are indexed by Exchange Search and included in search results. Messages must be protected by using an AD RMS server in the same Active Directory forest as the Exchange 2010 Mailbox server.

To implement the ability to search IRM-protected items, follow the instructions in Implementing Prelicensing and then follow the instructions in the following documents:

• Planning for Hub Transport Servers: http://technet.microsoft.com/en-us/library/aa998616%28EXCHG.80%29.aspx
• Transport: http://technet.microsoft.com/en-us/library/dd351247.aspx
• Planning for Mailbox Servers: http://technet.microsoft.com/en-us/library/bb201699%28EXCHG.80%29.aspx
• Mailbox: http://technet.microsoft.com/en-us/library/dd351040.aspx
• Deploying Server Roles: http://technet.microsoft.com/en-us/library/dd351084.aspx
• Understanding Exchange Search: http://technet.microsoft.com/en-us/library/bb232132.aspx
• Managing Information Rights Management: http://technet.microsoft.com/en-us/library/dd351212.aspx

Implementing OWA WebReady Document Viewing

In Exchange 2010 SP1, users can view supported IRM-protected attachments by using WebReady Document Viewing. This allows users to view supported attachments without having to download the attachment by using the associated application.

To implement OWA WebReady Document Viewing, follow the instructions in Implementing Prelicensing and then follow the instructions in the following documents:

• Planning for Client Access Servers: http://technet.microsoft.com/en-us/library/bb232184%28EXCHG.80%29.aspx
• Client Access: http://technet.microsoft.com/en-us/library/dd298114.aspx
• Planning for Mailbox Servers: http://technet.microsoft.com/en-us/library/bb201699%28EXCHG.80%29.aspx
• Mailbox: http://technet.microsoft.com/en-us/library/dd351040.aspx
• · Managing Outlook Web App: http://technet.microsoft.com/en-us/library/aa996373.aspx
• Understanding Information Rights Management in Outlook Web App: http://technet.microsoft.com/en-us/library/dd876891.aspx
• Understanding File and Data Access for Outlook Web App: http://technet.microsoft.com/en-us/library/dd298113.aspx
• Configure WebReady Document Viewing: http://technet.microsoft.com/en-us/library/aa995967.aspx
• Managing Information Rights Management: http://technet.microsoft.com/en-us/library/dd351212.aspx

Implementing Transport Protection Rules

In Exchange Server 2010, you can use transport protection rules to implement messaging policies that help protect sensitive information by inspecting message content, encrypting sensitive e-mail content, and using rights management to control access to the content. Transport protection rules allow you to use transport rules to IRM-protect messages by applying an AD RMS rights policy template.

To implement transport protection rules, following the instructions in the following documents:

• Understanding Information Rights Management: http://technet.microsoft.com/en-us/library/dd638140.aspx
• AD RMS Microsoft Exchange Server 2010 Integration Guide: http://technet.microsoft.com/en-us/library/ee849857%28WS.10%29.aspx
• Enable or Disable IRM for Internal Messages: http://technet.microsoft.com/en-us/library/bb124077.aspx
• Planning for Hub Transport Servers: http://technet.microsoft.com/en-us/library/aa998616%28EXCHG.80%29.aspx
• Transport: http://technet.microsoft.com/en-us/library/dd351247.aspx
• Transport Rules: http://technet.microsoft.com/en-us/library/aa995961.aspx
• Understanding Transport Protection Rules: http://technet.microsoft.com/en-us/library/dd298166.aspx
• Create a Transport Protection Rule: http://technet.microsoft.com/en-us/library/dd302432.aspx
• Managing Information Rights Management: http://technet.microsoft.com/en-us/library/dd351212.aspx

Implementing Transport Decryption

Transport decryption allows you to decrypt IRM-protected messages in transit. IRM-protected messages are decrypted by the Decryption agent. The Decryption agent decrypts the following types of IRM-protected messages:

• Messages IRM-protected by the user in Outlook Web App.
• Messages IRM-protected by the user in Outlook 2010.
• Messages IRM-protected automatically by Outlook protection rules in Outlook 2010.

To implement transport decryption, following the instructions in the following documents:

• Understanding Information Rights Management: http://technet.microsoft.com/en-us/library/dd638140.aspx
• AD RMS Microsoft Exchange Server 2010 Integration Guide: http://technet.microsoft.com/en-us/library/ee849857%28WS.10%29.aspx
• Enable or Disable IRM for Internal Messages: http://technet.microsoft.com/en-us/library/bb124077.aspx
• Planning for Hub Transport Servers: http://technet.microsoft.com/en-us/library/aa998616%28EXCHG.80%29.aspx
• Transport: http://technet.microsoft.com/en-us/library/dd351247.aspx
• Understanding Transport Decryption: http://technet.microsoft.com/en-us/library/dd638122.aspx
• Enable or Disable Transport Decryption: http://technet.microsoft.com/en-us/library/dd638126.aspx
• Managing Information Rights Management: http://technet.microsoft.com/en-us/library/dd351212.aspx

Implementing Journal Report Decryption

Journal report decryption allows you to save a clear-text copy of IRM-protected messages in journal reports, along with the original, IRM-protected message. If the IRM-protected message contains any supported attachments that were protected by the AD RMS cluster in your organization, the attachments are also decrypted.

Decryption is performed by the Journal Report Decryption agent. The agent decrypts the following types of IRM-protected messages:

• Messages that were IRM-protected by the user in Outlook Web App.
• Messages that were IRM-protected by the user in Outlook 2010.
• Messages that were IRM-protected automatically in Outlook 2010 by using Outlook protection rules.
• Messages that were IRM-protected automatically in transit by using transport protection rules.

To implement journal report pipeline decryption, following the instructions in the following documents:

• Understanding Information Rights Management: http://technet.microsoft.com/en-us/library/dd638140.aspx
• AD RMS Microsoft Exchange Server 2010 Integration Guide: http://technet.microsoft.com/en-us/library/ee849857%28WS.10%29.aspx
• Enable or Disable IRM for Internal Messages: http://technet.microsoft.com/en-us/library/bb124077.aspx
• Planning for Hub Transport Servers: http://technet.microsoft.com/en-us/library/aa998616%28EXCHG.80%29.aspx
• Transport: http://technet.microsoft.com/en-us/library/dd351247.aspx
• Understanding Journal Report Decryption: http://technet.microsoft.com/en-us/library/dd876936.aspx
• Enable or Disable Journal Report Decryption: http://technet.microsoft.com/en-us/library/dd638092.aspx
• Managing Information Rights Management: http://technet.microsoft.com/en-us/library/dd351212.aspx

Implementing IRM over Exchange ActiveSync

In Exchange 2010 SP1, IRM in Exchange ActiveSync allows your users to access the rich IRM functionality offered by Exchange on any supported Exchange ActiveSync device without tethering the device to a computer and activating it for IRM.

Using IRM in Exchange ActiveSync, mobile device users can:

• Create IRM-protected messages
• Read IRM-protected messages
• Reply to and forward IRM-protected messages

To implement IRM over Exchange ActiveSync, follow the instructions in the following documents:

• Understanding Information Rights Management: http://technet.microsoft.com/en-us/library/dd638140.aspx
• AD RMS Microsoft Exchange Server 2010 Integration Guide: http://technet.microsoft.com/en-us/library/ee849857%28WS.10%29.aspx
• Enable or Disable IRM for Internal Messages: http://technet.microsoft.com/en-us/library/bb124077.aspx
• Planning for Client Access Servers: http://technet.microsoft.com/en-us/library/bb232184%28EXCHG.80%29.aspx
• Client Access: http://technet.microsoft.com/en-us/library/dd298114.aspx
• Planning for Mailbox Servers: http://technet.microsoft.com/en-us/library/bb201699%28EXCHG.80%29.aspx
• Mailbox: http://technet.microsoft.com/en-us/library/dd351040.aspx
• Deploying Server Roles: http://technet.microsoft.com/en-us/library/dd351084.aspx
• Understanding Information Rights Management in Exchange ActiveSync: http://technet.microsoft.com/en-us/library/ff657743.aspx
• Enable Certification of Mobile Devices: http://technet.microsoft.com/en-us/library/ff657743.aspx
• Understanding Exchange ActiveSync Mailbox Policies: http://technet.microsoft.com/en-us/library/bb123484.aspx
• Managing Information Rights Management: http://technet.microsoft.com/en-us/library/dd351212.aspx