Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-11-19

Use the Set-IRMConfiguration cmdlet to configure Information Rights Management (IRM) features.

Important:
Configuring and using IRM features requires Active Directory Rights Management Services (AD RMS).

Syntax

Set-IRMConfiguration [-Identity <OrganizationIdParameter>] [-ClientAccessServerEnabled <$true | $false>] [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-EDiscoverySuperUserEnabled <$true | $false>] [-ExternalLicensingEnabled <$true | $false>] [-Force <SwitchParameter>] [-InternalLicensingEnabled <$true | $false>] [-JournalReportDecryptionEnabled <$true | $false>] [-LicensingLocation <MultiValuedProperty>] [-PublishingLocation <Uri>] [-RefreshServerCertificates <SwitchParameter>] [-SearchEnabled <$true | $false>] [-ServiceLocation <Uri>] [-TransportDecryptionSetting <Disabled | Optional | Mandatory>] [-WhatIf [<SwitchParameter>]]

Detailed Description

IRM requires the use of an on-premises AD RMS server or the ILS service. IRM features can be selectively enabled or disabled.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Rights protection" entry in the Messaging Policy and Compliance Permissions topic.

Parameters

Parameter Required Type Description

Identity

Optional

Microsoft.Exchange.Configuration.Tasks.OrganizationIdParameter

The Identity parameter is reserved for internal Microsoft use.

ClientAccessServerEnabled

Optional

System.Boolean

The ClientAccessServerEnabled parameter specifies whether to enable IRM in Microsoft Office Outlook Web App and in Microsoft Exchange ActiveSync. Both of these features are enabled by default. To disable them, set the parameter to $false.

Important:
Enabling IRM in Outlook Web App requires additional configuration on AD RMS servers. For more information, see Understanding Information Rights Management in Outlook Web App.

Confirm

Optional

System.Management.Automation.SwitchParameter

The Confirm switch causes the command to pause processing and requires you to acknowledge what the command will do before processing continues. You don't have to specify a value with the Confirm switch.

DomainController

Optional

Microsoft.Exchange.Data.Fqdn

The DomainController parameter specifies the fully qualified domain name (FQDN) of the domain controller that writes this configuration change to Active Directory.

EDiscoverySuperUserEnabled

Optional

System.Boolean

The EDiscoverySuperUserEnabled parameter specifies whether members of the Discovery Management role group can access IRM-protected messages that were returned by a discovery search and are residing in a discovery mailbox. To enable IRM-protected message access to the Discovery Management role group, set the value to $true. For more information about discovery and IRM-protected messages, see Understanding Multi-Mailbox Search.

ExternalLicensingEnabled

Optional

System.Boolean

The ExternalLicensingEnabled parameter specifies whether to enable IRM features for messages sent to external recipients. In on-premises deployments, licensing is disabled for external messages by default. To enable licensing, set the value to $true.

Force

Optional

System.Management.Automation.SwitchParameter

The Force switch specifies whether to suppress the confirmation prompt that appears when you modify the InternalLicensingEnabled parameter.

InternalLicensingEnabled

Optional

System.Boolean

The InternalLicensingEnabled parameter specifies whether to enable IRM features for messages sent to internal recipients. In on-premises deployments, licensing is disabled for internal messages by default. To enable licensing, set the value to $true.

Note:
If the InternalLicensingEnabled parameter is set to $false, no AD RMS templates are returned when you use the Get-RMSTemplate cmdlet.

JournalReportDecryptionEnabled

Optional

System.Boolean

The JournalReportDecryptionEnabled parameter specifies whether to enable journal report decryption. When enabled, journal report decryption attaches a decrypted copy of an IRM-protected message to the journal report. Journal report decryption is enabled by default. To disable journal report decryption, set the value to $false.

Important:
Enabling journal report decryption requires additional configuration on AD RMS servers. For more information, see Understanding Journal Report Decryption.

LicensingLocation

Optional

Microsoft.Exchange.Data.MultiValuedProperty

The LicensingLocation parameter specifies one or more additional AD RMS licensing URLs in on-premises deployments. It isn't required to populate this parameter if the organization doesn't have cross-forest deployment of licensing servers.

PublishingLocation

Optional

System.Uri

This parameter applies to objects in the cloud-based service. It isn’t available for on-premises deployments.

The PublishingLocation parameter specifies one or more AD RMS publishing URLs.

RefreshServerCertificates

Optional

System.Management.Automation.SwitchParameter

The RefreshServerCertificates switch clears all Rights Account Certificates (RACs), Computer Licensor Certificates (CLCs), and cached AD RMS templates from all Microsoft Exchange Server 2010 Hub Transport, Client Access, Mailbox, and Unified Messaging servers in the organization. Clearing RACs, CLCs, and cached templates may be required during troubleshooting or in the event of a change of keys on the AD RMS cluster in your organization. For more information about RACs and CLCs, see Understanding AD RMS Certificates.

SearchEnabled

Optional

System.Boolean

The SearchEnabled parameter specifies whether to enable searching IRM-encrypted messages in Outlook Web App. Valid values include:

  • $true (default)   Enables search of IRM-encrypted messages in Outlook Web App.

  • $false   Disables search of IRM-encrypted messages in Outlook Web App.

ServiceLocation

Optional

System.Uri

This parameter applies to objects in the cloud-based service. It isn’t available for on-premises deployments.

The ServiceLocation parameter specifies the AD RMS service URL.

TransportDecryptionSetting

Optional

Microsoft.Exchange.Data.Directory.SystemConfiguration.TransportDecryptionSetting

The TransportDecryptionSetting parameter specifies the transport decryption configuration. Valid values include one of the following:

  • Disabled   Transport decryption is disabled for internal and external messages.

  • Mandatory   Messages that can't be decrypted are rejected, and a non-delivery report (NDR) is returned.

  • Optional   This parameter value provides a best effort approach to decryption. Messages are decrypted if possible, but delivered even if decryption fails.

WhatIf

Optional

System.Management.Automation.SwitchParameter

The WhatIf switch instructs the command to simulate the actions that it would take on the object. By using the WhatIf switch, you can view what changes would occur without having to apply any of those changes. You don't have to specify a value with the WhatIf switch.

Input Types

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

Return Types

To see the return types, which are also known as output types, that this cmdlet returns, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.

Examples

EXAMPLE 1

This example enables journal report decryption.

Set-IRMConfiguration -JournalReportDecryptionEnabled $true

EXAMPLE 2

This example enables transport decryption and enforces decryption. When decryption is enforced, messages that can't be decrypted are rejected, and an NDR is returned.

Set-IRMConfiguration -TransportDecryptionSetting Mandatory

EXAMPLE 3

This example enables licensing for external messages.

Set-IRMConfiguration -ExternalLicensingEnabled $true
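
Several of the parameters above control where Exchange decrypts or licenses IRM-protected content (journal reports, transport, discovery search, Outlook Web App search, external recipients), so it is worth checking the live configuration against an agreed baseline before and after any change. The following is an added example, not part of the original topic and not Microsoft's code: the helper name Compare-IrmBaseline, the baseline values, and the sample object are assumptions made for illustration, and Get-IRMConfiguration is the companion cmdlet that returns the current settings under the same property names as the parameters documented here.

```powershell
# Added example, not from the original topic. Baseline values are assumptions
# for illustration only; replace them with your organization's IRM policy.
$Baseline = @{
    InternalLicensingEnabled       = $true
    ExternalLicensingEnabled       = $false
    JournalReportDecryptionEnabled = $true
    EDiscoverySuperUserEnabled     = $false
    SearchEnabled                  = $true
    ClientAccessServerEnabled      = $true
    TransportDecryptionSetting     = 'Mandatory'
}

function Compare-IrmBaseline {   # hypothetical helper name
    param($Config, [hashtable]$Expected)
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $actual = "$($Config.$name)"
        $wanted = "$($Expected[$name])"
        # String comparison treats Booleans and the TransportDecryptionSetting enum alike.
        if ($actual -ne $wanted) {
            New-Object PSObject -Property @{ Setting = $name; Actual = $actual; Expected = $wanted }
        }
    }
}

# Constructed sample standing in for Get-IRMConfiguration output so the check
# runs without Exchange. On a server, use: $sample = Get-IRMConfiguration
$sample = New-Object PSObject -Property @{
    InternalLicensingEnabled       = $true
    ExternalLicensingEnabled       = $false
    JournalReportDecryptionEnabled = $true
    EDiscoverySuperUserEnabled     = $true        # differs from the baseline
    SearchEnabled                  = $true
    ClientAccessServerEnabled      = $true
    TransportDecryptionSetting     = 'Optional'   # differs from the baseline
}

$drift = @(Compare-IrmBaseline -Config $sample -Expected $Baseline)
$drift | Format-Table Setting, Actual, Expected -AutoSize

# Preview each correction with the WhatIf switch; nothing is changed.
# Runs only where the Exchange Management Shell cmdlets are loaded.
if (Get-Command Set-IRMConfiguration -ErrorAction SilentlyContinue) {
    foreach ($d in $drift) {
        $params = @{ WhatIf = $true }
        $params[$d.Setting] = $Baseline[$d.Setting]
        Set-IRMConfiguration @params
    }
}
```

With the constructed sample, the table lists EDiscoverySuperUserEnabled and TransportDecryptionSetting as the two settings that differ from the baseline.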