The RMS Protection Tool is a great PowerShell tool for encrypting, decrypting, or getting encryption status on files. It can be used manually or via script.


  • .NET 3.5
  • AD RMS Client 2.1
  • ServerCertification permissions change: the PowerShell tool runs in server box mode (of MSIPC), so you need EXECUTE permissions on ServerCertification.asmx on your AD RMS server



Download the RMS Protection Tool

If you have issues installing, check the contents of the install log file: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.Protection\Microsoft.Protection.InstallLog



  • Get-RMSServer
  • Get-RMSServerAuthentication
  • Set-RMSServerAuthentication
  • Get-RMSTemplate
  • Get-RMSFileStatus
  • Protect-RMSFile
  • Unprotect-RMSFile
  • New-RMSProtectionLicense


Useful Examples

There are lots of good examples in the tool's help (Get-Help SpecificCommand -Examples), but a few useful commands are not covered explicitly.

Ad-Hoc Protection

When using Protect-RMSFile you need to provide either a template or a license object.

For ad-hoc protection (specifying permissions for specific users) you first need to run New-RMSProtectionLicense. A convenient way to do this is to store the license object in a variable first, then pass that variable to Protect-RMSFile.


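# Placeholder addresses: substitute the real owner and user e-mail addresses
$lic = New-RMSProtectionLicense -OwnerEmail 'owner@example.com' -UserEmail 'user@example.com' -Permission EDIT
Protect-RMSFile -License $lic -Folder c:\rmstest\ -Recurse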

(Notice that the above example also uses -Folder and -Recurse so that all files within that folder and below are rights protected.)

Determine what files are rights protected

You can point Get-RMSFileStatus at a specific file to determine if it’s RMS protected. It’s unclear how to do this for an entire folder or UNC path, however. The example below works with either:


foreach ($file in (Get-ChildItem -Path c:\rmstest\ -Recurse -Force | where {!$_.PSIsContainer})) {Get-RMSFileStatus -f $file.PSPath}

Another handy variation if you want to look for specific file types within that directory (docx in this example):

foreach ($file in (Get-ChildItem -Path c:\rmstest\ -Recurse -Force | where {!$_.PSIsContainer} | Where-Object {$_.Extension -eq ".docx"})) {Get-RMSFileStatus -f $file.PSPath}
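
An added example, not part of the original post or the tool's own help: a wrapper around the folder scan above that records each file's status and keeps files the cmdlet could not read, so an audit can list everything that is not confirmed protected. It assumes PowerShell 3.0 or later and that Get-RMSFileStatus returns an object with a Status property whose value is 'Protected' for protected files; the function name Get-RmsProtectionReport and the CSV path are hypothetical.

```powershell
# Added example. Assumes the RMS Protection Tool module is installed and that
# Get-RMSFileStatus returns an object with a Status property (assumption).
function Get-RmsProtectionReport {
    param(
        [Parameter(Mandatory = $true)][string]$Path,   # local folder or UNC path
        [string[]]$Extension = @()                     # e.g. '.docx'; empty = all files
    )

    # Same file enumeration as the one-liners above: files only, hidden included.
    $files = Get-ChildItem -Path $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer }
    if ($Extension.Count -gt 0) {
        # -contains is case-insensitive, so '.DOCX' also matches '.docx'.
        $files = $files | Where-Object { $Extension -contains $_.Extension }
    }

    foreach ($file in $files) {
        try {
            $result = Get-RMSFileStatus -File $file.FullName -ErrorAction Stop
            [pscustomobject]@{
                Path   = $file.FullName
                Status = [string]$result.Status
                Error  = $null
            }
        }
        catch {
            # Locked, unreadable or unsupported files are reported, not dropped,
            # so they are not mistaken for protected files.
            [pscustomobject]@{
                Path   = $file.FullName
                Status = 'Unknown'
                Error  = $_.Exception.Message
            }
        }
    }
}

# c:\rmstest\ is the sample folder used in the examples above.
$report = Get-RmsProtectionReport -Path 'c:\rmstest\' -Extension '.docx'
$report | Group-Object Status | Select-Object Name, Count
$report | Where-Object { $_.Status -ne 'Protected' } |
    Export-Csv -Path .\rms-not-protected.csv -NoTypeInformation
```

Treating 'Unknown' rows as not protected keeps read failures visible in the audit output instead of silently shrinking the file count.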