Applies to: Exchange Server 2013
Topic Last Modified: 2012-12-04
Enabling transport decryption allows the Transport Rules agent on Microsoft Exchange Server 2013 Mailbox servers to access content in messages protected by Information Rights Management (IRM). As a result, other transport agents can access message content and possibly make changes to it. For example, the Transport Rules agent may need to inspect message content and apply transport rules (such as rules that apply a disclaimer to the message). To successfully decrypt IRM-protected messages, you must add the Federated Delivery mailbox to the super users group configured on your Active Directory Rights Management Services (AD RMS) server.
Important: Members of the super users group are granted an owner use license when they request a license from the AD RMS cluster. This allows them to decrypt all RMS-protected content created by that AD RMS cluster.
When enabling transport decryption, you can specify the following settings:
- Mandatory: Rejects messages that can't be decrypted and returns a non-delivery report (NDR) to the sender.
- Optional: Uses a best-effort approach to decryption. If possible, messages are decrypted, but they're delivered even if decryption fails.
To learn more about transport decryption, see Transport Decryption.
For additional management tasks related to IRM, see Information Rights Management Procedures.
What do you need to know before you begin?
- Estimated time to complete: 5 minutes.
- You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Rights protection" entry in the Messaging Policy and Compliance Permissions topic.
- An AD RMS server exists in the Active Directory forest and is accessible.
- The Federated Delivery mailbox has been added to the AD RMS super users group. For details, see Add the Federation Mailbox to the AD RMS Super Users Group.
- You can't use the Exchange Administration Center (EAC) to enable transport decryption. You must use the Shell.
- For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard Shortcuts in the Exchange Admin Center.
Tip: Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.
What do you want to do?
Use the Shell to enable transport decryption
This example enables transport decryption for the Exchange 2013 organization. Messages that can't be decrypted are rejected and an NDR is returned to the sender.
    Set-IRMConfiguration -TransportDecryptionSetting Mandatory
For detailed syntax and parameter information, see Set-IRMConfiguration.
Use the Shell to disable transport decryption
This example disables transport decryption for the Exchange 2013 organization.
    Set-IRMConfiguration -TransportDecryptionSetting Disabled
For detailed syntax and parameter information, see Set-IRMConfiguration.
How do I know this worked?
To verify that you have enabled or disabled transport decryption, use the Get-IRMConfiguration cmdlet and check the value of the JournalDecryptionEnabled property.
For an example of how to check the IRM configuration, see Examples in Get-IRMConfiguration.
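The following added example (not part of the original topic) compares the value of TransportDecryptionSetting, the parameter set by the procedures above, against the value the organization is expected to run with. The function name Test-TransportDecryptionSetting and its output fields are hypothetical, and the sample objects are constructed stand-ins for Get-IRMConfiguration output so the logic can be tried outside an Exchange environment.

```powershell
# Added example; the function name and output fields are hypothetical.
function Test-TransportDecryptionSetting {
    [CmdletBinding()]
    param(
        # Object returned by Get-IRMConfiguration, or a stand-in with the same property.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$IrmConfiguration,

        # Value the organization is expected to run with.
        [ValidateSet('Disabled', 'Optional', 'Mandatory')]
        [string]$Expected = 'Mandatory'
    )
    process {
        # Casting to string handles both the enum value and a missing property (empty string).
        $actual = [string]$IrmConfiguration.TransportDecryptionSetting
        $note = switch ($actual) {
            'Mandatory' { 'Messages that cannot be decrypted are rejected with an NDR.' }
            'Optional'  { 'Best effort: messages are delivered even if decryption fails.' }
            'Disabled'  { 'Transport decryption is off.' }
            default     { 'Property missing or unrecognized value.' }
        }
        [pscustomobject]@{
            Expected  = $Expected
            Actual    = $actual
            Compliant = ($actual -eq $Expected)
            Note      = $note
        }
    }
}

# Constructed sample objects standing in for Get-IRMConfiguration output.
$samples = 'Mandatory', 'Optional', 'Disabled' | ForEach-Object {
    [pscustomobject]@{ TransportDecryptionSetting = $_ }
}
$samples | Test-TransportDecryptionSetting | Format-Table -AutoSize

# In the Exchange Management Shell, check the live organization:
# Get-IRMConfiguration | Test-TransportDecryptionSetting -Expected Mandatory
```

A result of Optional where Mandatory is expected means messages that fail decryption are still delivered rather than rejected with an NDR.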