Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-09-24

Some legacy PBX telephony systems allow the caller to mark a voice mail message as private, blocking the intended recipient of the message from forwarding it to others when they listen to the message. In integrated voice mail systems, a voice message can be accessed in multiple ways, which makes it more of a challenge to prevent voice messages marked private from being exposed to unintended listeners.

Unified Messaging (UM) in Exchange Server 2010 can be configured to use Active Directory Rights Management Services (AD RMS) to protect voice messages for an organization. This feature is known as Protected Voice Mail.

When a voice message is protected, the recipient is not only blocked from forwarding the message, but UM also assures that only the intended recipient or recipients of the message can access its content. Protected voice messages can be accessed by using Microsoft Office Outlook 2010, Office Outlook Web App, and Exchange Server 2010 Outlook Voice Access.


Overview of Protected Voice Mail

Overview of Active Directory Rights Management Services

Client Support and End User Features

Protected Voice Mail Structure

Composing a Protected Voice Mail Message

UM Mailbox Policies

SMS Notifications and Protected Voice Mail

Overview of Protected Voice Mail

The Protected Voice Mail feature is available with Exchange 2010 Unified Messaging (UM). It can be configured on a UM mailbox policy, and all Protected Voice Mail settings can be configured using the Exchange Management Console (EMC) or cmdlets in the Exchange Management Shell.

In a deployment where both Exchange 2010 servers and Microsoft Exchange Server 2007 servers exist, Voice Mail Preview isn't available to UM-enabled users who have an Exchange 2007 mailbox.

Protected Voice Mail is implemented by applying Information Rights Management (IRM) to voice messages. When voice messages are protected by UM:

  • Users can reply to protected voice messages.

  • Recipients of a voice message can't forward it.

  • Users can't save a copy of the voice message.

  • Users can't save or copy the attached audio of the voice message.

  • A voice mail message can be opened only by the intended recipient or recipients.

Both call answering voice mail messages and interpersonal voice messages (voice messages that are sent to a user using Outlook Voice Access) can be protected by UM. However, protection won't be applied to the following types of messages:

  • Fax messages.

  • Non-voice messages. For example, e-mail messages or meeting requests, even when they're created using Outlook Voice Access (voice replies).

Overview of Active Directory Rights Management Services

AD RMS, a component of Windows Server 2008, is available to help protect files so that only the users who the sender intends to view a file can do so. AD RMS protects a file by specifying the rights that a user must have to access the file. Rights can be configured to allow a user to open, modify, print, forward, or take other actions with the rights-managed information. With AD RMS, you can safeguard data when it's distributed outside your network.

An AD RMS system has both a server and a client component, including the following:

  • A Windows Server 2008 R2–based server running the Active Directory Rights Management Services server role, which handles certificates and licensing.

  • A database server.

  • The AD RMS client. The latest version of the AD RMS client is included as part of the Windows 7 and Windows Vista operating systems.

The server component is made up of several Web services that run on a Microsoft server such as Windows Server 2008. The client component can be run on either a client or server operating system and includes functions that enable an application to encrypt and decrypt content, retrieve templates and revocation lists, and acquire licenses and certificates from a server.

By using AD RMS and the AD RMS client, you can augment an organization's security strategy by protecting information through persistent usage policies that remain with the information, regardless of where it's moved. You can use AD RMS to help prevent sensitive information—such as financial reports, product specifications, customer data, and confidential e-mail and voice mail messages—from intentionally or accidentally getting into the wrong hands. For detailed information, see AD RMS Overview.

In Exchange 2010, you can use Information Rights Management (IRM) features to apply persistent protection to messages and attachments. IRM uses AD RMS, an information protection technology in Windows Server 2008 and Windows Server 2008 R2. To use IRM to implement Protected Voice Mail, you need Windows Server 2008 R2 with AD RMS.

Using the IRM features in Exchange 2010, and Protected Voice Mail, your organization and your users can control the rights recipients have to access e-mail and voice mail messages. IRM can be also used to restrict recipient actions such as forwarding a message to other recipients, printing a message or attachment, or extracting message or attachment content by copying and pasting. For details, see Understanding Information Rights Management.

IRM Requirements

Before you can implement IRM in Exchange 2010, you must first deploy and configure your AD RMS infrastructure. For detailed information, see Active Directory Rights Management Services. To implement IRM to support Protected Voice Mail in your Exchange 2010 organization, your deployment must meet the following requirements.

Return to top

Server Requirement

AD RMS Cluster

  • Windows Server 2008 Service Pack 2 (SP2) with the following hotfix. For more information, see A hotfix is available for the Active Directory Rights Management Services role in Windows Server 2008.

  • Service connection point (SCP)   Exchange 2010 and AD RMS-aware applications use the SCP registered in Active Directory to discover AD RMS clusters and URLs. AD RMS allows you to register the SCP within AD RMS setup. If the account used to set up AD RMS isn't a member of the Enterprise Admins security group, SCP registration can be performed after setup. There is only one SCP for AD RMS in an Active Directory forest.

  • Permissions   Servers in the Exchange servers group or individual Exchange servers must be assigned Read and Execute permissions to the AD RMS server certification pipeline (The default path is \inetpub\wwwroot\_wmcs\certification\ServerCertification.asmx on AD RMS servers).

  • AD RMS super users   To enable transport decryption, journal report decryption, IRM in Outlook Web App, and IRM for Exchange Search, you must add the Federated Delivery Mailbox, a system mailbox created by Exchange 2010 Setup, to the AD RMS super users group on the AD RMS cluster. For detailed information, see Add the Federation Mailbox to the AD RMS Super Users Group.

Exchange Server

Configuring and Testing IRM

You must use the Shell to configure IRM features in Exchange 2010. To configure individual IRM features, use the Set-IRMConfiguration cmdlet. For more information about how to configure IRM features, see Managing Information Rights Management.

After you've set up an Exchange 2010 server, you can use the Test-IRMConfiguration cmdlet to perform end-to-end tests of your IRM deployment. This cmdlet verifies the IRM configuration for an organization and should be run before enabling Protected Voice Mail. The Test-IRMConfiguration cmdlet performs the following tests:

  • Inspects the IRM configuration for your Exchange 2010 organization

  • Checks the AD RMS server for version and hotfix information

  • Verifies whether an Exchange server can be activated for RMS by retrieving a Rights Account Certificate and Client Licensor Certificate (CLC)

  • Acquires AD RMS rights policy templates from the AD RMS server

  • Verifies that the specified sender can send IRM-protected messages

  • Retrieves a super user use license for the specified recipient

  • Acquires a pre-license for the specified recipient

Client Support and End User Features

The e-mail client software that's used to listen to a Protected Voice Mail message must support IRM and know how to read a UM-protected voice message. E-mail clients that are supported include Microsoft Outlook 2010, Outlook Web App, and Exchange 2010 Outlook Voice Access. The following table contains a list of e-mail clients and whether or not they're supported.

E-mail client Description

Microsoft Outlook

  • Protected voice messages are supported in Outlook 2010 only.

Outlook Web App

  • Outlook Web App in Exchange 2010 supports Protected Voice Mail messages. Earlier versions of Outlook Web App or Microsoft Outlook Web Access don't support them.

Outlook Voice Access

  • Outlook Voice Access in Exchange 2010 supports Protected Voice Mail. Outlook Voice Access included with Exchange 2007 doesn't support Protected Voice Mail.

  • The user's mailbox must reside on an Exchange 2010 Mailbox server.

Windows Mobile

  • Windows Mobile doesn't currently support Protected Voice Mail.

Other e-mail clients

  • Protected Voice Mail isn't supported.

Return to top

Protected Voice Message Structure

There are actually two messages involved for each Protected Voice Mail message. The first message is the outer message, which isn't encrypted. It contains an attachment named message.rpmsg. The attachment contains the IRM-protected voice message and internal rights management control data. The Rights Management Control data includes a content key, and rights information that specifies who can access the voice message and how those users can access it.

Protected voice messages are shown in the user's Inbox in the Voice Mail search folder. The user can listen to the voice messages by using the embedded audio player just as they would listen to a regular voice message, except that the Forward button will be disabled and a note will be shown at the top of the message stating that it's protected and that it can't be forwarded.

Outlook 2010 Protected Voice Mail Protected Voice Mail in Outlook Web App

For e-mail clients that don't support Protected Voice Mail, the body of the outer message will be displayed. Default text is provided by UM when the protected voice message is being created. Administrators can overwrite this text by using the UM mailbox policy configuration objects.

If the user is using an e-mail client that doesn't support Protected Voice Mail, the following default text will appear on the user's client application e-mail form: "Your e-mail program doesn't support opening voice messages that are sent with restricted permission. To listen to this message, use Outlook 2010 or Outlook Web App in Exchange 2010. Or, if you're using Exchange 2010 Unified Messaging, you can use Outlook Voice Access."

You can customize the default text that's included in the e-mail message by configuring a UM mailbox policy. For example, you could configure the UM mailbox policy with customized text such as, "You can't open this voice mail message because it's protected. To view or listen to this voice message, sign in to your mailbox at or call +1 (425) 555-1234 to call in to Outlook Voice Access."

Composing a Protected Voice Mail Message

There are two situations in which protected voice messages can be created:

  • Call Answering   Call answering occurs when a caller calls a UM-enabled user, but the user isn't available to answer the call or forwards it directly to his or her voice mail. In call answering scenarios, the voice mail system will play a series of voice prompts after the caller records their voice mail message.

    The caller can then choose from additional message options, including the option to mark the voice message as private by pressing the pound (#) key. If the caller pressed the # key, they can follow the instructions provided by UM to mark the message as private, remove the private marking from the private voice message, or mark the voice message with High importance. The following diagram shows the menu options that are available to callers when they leave a private voice message for a user.

    For call answering calls, the Protected Voice Mail settings on the UM mailbox policy of the intended recipient of the message are used by UM, because the caller isn't authenticated.
    Create protected voice mail using call answering

  • Outlook Voice Access   Outlook Voice Access lets UM-enabled users access their Exchange 2010 mailbox using analog, digital, or cellular telephones by dialing their Outlook Voice Access number. There are two Exchange 2010 Unified Messaging user interfaces available to UM-enabled users: the telephone user interface (TUI) and the voice user interface (VUI).

    Outlook Voice Access users can search for contacts in the directory and send them voice messages. If Protected Voice Mail has been enabled for the UM-enabled recipients, callers can mark the messages as private after they're recorded. Alternatively, administrators can configure a UM mailbox policy to ensure that all voice messages sent by authenticated users are protected by UM.

    If a caller is authenticated, the Protected Voice Mail settings on the UM mailbox policy that is linked to the caller are applied, regardless the UM mailbox policy settings for the intended recipient of the voice mail message.
    Create protected voice mail using voice interface

    Create protected voice mail using touchtone input

Return to top

UM Mailbox Policies

You can create a Unified Messaging mailbox policy to apply a common set of UM policy settings, such as PIN policy settings, dialing restrictions, and Protected Voice Mail settings to a collection of UM-enabled mailboxes. To learn more about UM mailbox policies, see Managing UM Mailbox Policies.

You can use the EMC or the Exchange Set-UMMailboxPolicy cmdlet to configure Protected Voice Mail options. The following table lists the settings that can be configured for Protected Voice Mail.

Protected Voice Mail settings

Shell Parameter Setting available in EMC? Description



The ProtectAuthenticatedVoiceMail parameter specifies whether UM-enabled users can send protected voice messages when they're accessing their mailbox using Outlook Voice Access. The default setting is None. This means that no protection is applied when voice mail messages are composed and that callers won't have the option to mark voice messages as Private. If the value is set to Private, only messages marked as Private by the caller are protected. If the value is set to All, every voice message is protected, regardless of the option chosen by the caller.



The ProtectUnauthenticatedVoiceMail parameter specifies whether the Unified Messaging servers that answer calls for UM-enabled users associated with a UM mailbox policy create protected voice messages. This setting also applies when a message is sent from a UM auto attendant to a UM-enabled user. The default setting is None. This means that no protection is applied to voice messages and that the caller won't be offered the option to mark the message as Private. If the value is set to Private, only messages marked as Private by the caller are protected. If the value is set to All, every voice message is protected, regardless of whether if the message has been marked as private by the caller.



The ProtectedVoiceMailText parameter specifies the text to be included in the body of the outer message of a Protected Voice Mail message. This text will be shown in all e-mail client applications that don't support Protected Voice Mail messages. Note that a default message is always provided by UM when this property is set to Null or is empty.



The RequireProtectedPlayOnPhone parameter specifies whether users associated with the UM mailbox policy will be forced to listen to the protected voice message over the phone (using Play On Phone). The default value is $false. When the value is set to $true, the audio media player on Protected Voice Mail forms in Outlook or Outlook Web App will be shown as disabled. Note that the preview text for the voice message can always be accessed. The user can't play the audio file using any media player software or use the embedded media player to listen to the voice message.



The AllowVoiceResponseToOtherMessageTypes parameter specifies whether callers who have authenticated to Outlook Voice Access to access their e-mail will be able to compose a voice reply to e-mails and meeting requests.

For more information about how to manage Protected Voice Mail settings, see the following topics:

Return to top

SMS Notifications and Protected Voice Mail

Users who configure their UM account to send SMS (also called text message) notifications to their mobile phone when voice messages are received will also receive audio transcription (Voice Mail Preview) text as part of the body of the text message. However, for protected voice messages, this represents a security issue because the content of the voice messages should always be protected.

When UM creates a text message notification for a voice message that's protected, it checks whether the voice message is marked as Private. If so, it won't add the transcribed audio text to the text message that it sends to the mobile phone. The following text will be included in the text message instead: "Use Outlook Voice Access to access this protected voice mail message."