The current AD RMS guidance for decommissioning the service does not work with newer Office versions. By newer versions I am referring to Office 2010 and newer. These versions do not support the decommissioning pipeline. The documentation to which I am referring is: Decommission AD RMS.

The decommissioning process that I've been sharing with users involve Office registry settings to prevent the creation of new content. After giving end users opportunity to unprotect their content use another registry setting in Office to disable all RMS functionality. Use a super user to recover any data end users did not unprotect. 

"Decommission"

  1. Roll out the DisableCreation registry setting to the clients. (This prevents the creation of new content but allows the consumption of protected content)
  2. Inform users that AD RMS is going away. State they need to start removing any protection applied to content. Provide an end date.
  3. After the end date arrives, start rolling out new registry settings to the clients. (This prevents the users from creating or opening any RMS content)
    1. Set DisableCreation to 0.
    2. Create/set Disable to 1.
  4. If users are unable to open content you may user a superuser to decrypt if for them. The super users cannot have the Disable setting if using Office applications to do the decryption.

Bulk Decryption Tools

  1. Download the AIP client.
  2. Install only the AIP PowerShell module.
    1. AzInfoProtection.exe PowerShellOnly=true
  3. Test using the Unprotect-RMSFile cmdlet (Get-Help Unprotect-RMSFile -Full).

Registry Settings


Disable creation of IRM protected content in all Office applications


Office 2010: HKCU\Software\Microsoft\Office\14.0\Common\DRM
Office 2013: HKCU\Software\Microsoft\Office\15.0\Common\DRM
Office 2016: HKCU\Software\Microsoft\Office\16.0\Common\DRM
  Name:  DisableCreation
  Type:  DWORD
  Value: 0/1
  0 = No functionality affected by this registry key
  1 = IRM protection options are removed; you can still consume protected files.

Disable all Office IRM functionality


Office 2010: HKCU\Software\Microsoft\Office\14.0\Common\DRM
Office 2013: HKCU\Software\Microsoft\Office\15.0\Common\DRM
Office 2016: HKCU\Software\Microsoft\Office\16.0\Common\DRM
  Name:  Disable
  Type:  DWORD
  Value: 0/1
  0 = No functionality affected by this registry key
  1 = All IRM functionality is removed; IRM is disabled