File Classification Infrastructure (FCI) is a built-in feature of Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 that helps IT admins manage their organization's data on file servers by providing automatic classification processes. Using rules constructed with regular expressions, PowerShell, and/or .NET or native modules, FCI can identify sensitive files and perform actions such as encrypting Microsoft Office documents with Rights Management Services (RMS), expiring files that have passed a defined date limit, or running another custom action (defined through a script/program). FCI provides an extensible infrastructure that enables organizations to construct rich end-to-end classification solutions built upon Windows. For more information on FCI please check this blog post.

By default, FCI's built-in tasks can only encrypt Microsoft Office documents with Rights Management Services (RMS). By using a custom FCI task and the Rights Management (Microsoft.Protection) cmdlets, IT admins can apply RMS protection to any file in a file share. Once the files are protected, only authorized users will be able to access those files, even if they are copied to another location.

Install the Microsoft.Protection PowerShell Cmdlets

  1. Install the AD RMS Client. This can be done using PowerShell with the following commands:
    > Invoke-WebRequest -OutFile setup_msipc_x64.exe
    > .\setup_msipc_x64.exe /quiet
  2. Download the Microsoft.Protection PowerShell cmdlets (available in CTP through Microsoft Connect; nonetheless, fully supported in production environments):
    1. Navigate to Microsoft Connect and sign in with your Microsoft Account.
    2. Register with the Rights Management project for the Microsoft.Protection PowerShell cmdlets (if you have already done this, please skip to step 3). Search on the front page of Microsoft Connect for Rights Management Services. The appropriate program to 'join' is "Rights Management Services SDK".
    3. Download the Microsoft.Protection PowerShell cmdlets from HERE.
    4. Unzip the Microsoft.Protection zip file and run the following commands as an administrator (in the newly unzipped folder):
      > Set-ExecutionPolicy Unrestricted -Force
      > Get-ChildItem | Foreach-Object { Remove-Item $_.Name -Stream Zone.Identifier -ErrorAction Ignore }
      > .\Install.ps1
  3. Add the necessary registry keys and values to allow non-Office files to be encrypted by the Microsoft.Protection cmdlets. This can be done automatically with the following PowerShell commands:
    > New-Item -Path HKLM:\Software\Microsoft\MSIPC\FileProtection\*
    > New-ItemProperty -Path HKLM:\Software\Microsoft\MSIPC\FileProtection\* -Name Encryption -PropertyType String -Value Pfile
  4. Reboot your server before continuing on.

Configure the Microsoft.Protection Cmdlets to be used with Azure RMS

The Microsoft.Protection Cmdlets can be used with either the on-prem version of RMS or with Azure RMS. If you intend to use FCI with the on-prem version of RMS, you may skip this section. To enable Azure RMS, do the following:

  1. Enable Azure Rights Management Service:
    1. Download the Microsoft Online Services Sign-In Assistant from here.
      > Invoke-WebRequest -OutFile msoidcli_64.msi
      > .\msoidcli_64.msi /quiet
    2. Download and install the Azure Rights Management Administration Tool from here.
      > Invoke-WebRequest -OutFile WindowsAzureADRightsManagementAdministration_x64.exe
      > .\WindowsAzureADRightsManagementAdministration_x64.exe /quiet
    3. Import the Azure RMS module by using the following cmdlet:
      > Import-Module AADRM
    4. Connect to the service with your administrator credentials (will prompt for credentials):
      > Connect-AadrmService -Verbose
    5. Enable Azure RMS in your organization:
      > Enable-Aadrm
    6. Capture the AADRM Configuration:
      > $AadrmConfig = Get-AadrmConfiguration
  2. Services need to use service principals (also known as service identities), which are a type of credentials that are configured globally for access control. Service principals allow your service to authenticate directly with Microsoft Azure AD and to protect information using the Microsoft Azure AD Rights Management Service. To create a service principal:
    1. Install the Microsoft Azure AD Module for Windows PowerShell from here.
      > Invoke-WebRequest -OutFile AdministrationConfig-en.msi
      > .\AdministrationConfig-en.msi /quiet
    2. Import the Microsoft Azure AD module using the following cmdlet:
      > Import-Module MSOnline
    3. Connect to your online service with your administrator credentials (will prompt for credentials):
      > Connect-MsolService
    4. Create a new service principal by running:
      > $ServicePrincipal = New-MsolServicePrincipal -DisplayName ExampleServicePrincipal
    5. Make note of the symmetric key that is written out to the window. We will need it going forward, and the symmetric key is only available when it is created.
  3. Configure the Microsoft.Protection cmdlets to work with Azure RMS:
    > Set-RmsServerAuthentication -Key <PASTE SYMMETRIC KEY HERE> -AppPrincipalId $ServicePrincipal.AppPrincipalId -BposTenantId $AadrmConfig.BPOSId

FCI Integration with the Microsoft.Protection Cmdlets

To protect non-Office files with RMS, we need to create a PowerShell script that uses the Microsoft.Protection cmdlets. Here is a working sample script that will encrypt non-Office documents. You may wish to modify it to perform more advanced functions (such as emailing the owner to notify him that his file was encrypted):

# Parameters to set in the File Management Task in File Server Resource Manager
param([string]$FileToEncrypt, [string]$RmsTemplate="", [string]$RmsServer="", [string]$OwnerEmail)

# Main Routine Begin
Add-PSSnapin Microsoft.Protection

# Double check $RmsServer matches an existing server
if ($RmsServer.Trim() -ne "") {
    # @() forces an array so .Count is reliable even when a single server matches
    $count = @(Get-RMSServer | Where-Object { $_.DisplayName -eq $RmsServer.Trim() }).Count
    if ($count -ne 1) {
        throw [System.ArgumentException] "RmsServer does not match any visible RMS Servers"
        exit -1
    }
}

# Lookup RMS Template ID
if ($RmsTemplate.Trim() -ne "") {
    if ($RmsServer.Trim() -ne "") {
        $template = (Get-RMSTemplate -RmsServer $RmsServer.Trim() | Where-Object { $_.Name -eq $RmsTemplate.Trim() })
    }
    else {
        $template = (Get-RMSTemplate | Where-Object { $_.Name -eq $RmsTemplate })
    }

    if ($template -ne $null) {
        $RmsTemplateId = $template.TemplateId
    }
    else {
        throw [System.ArgumentException] "The RmsTemplate provided does not match any visible RMS Templates"
        exit -1
    }
}
else {
    throw [System.ArgumentException] "The RmsTemplate provided is empty"
    exit -1
}

# Do not attempt to reencrypt files
if ($FileToEncrypt -like "*.pfile") {
    exit 0
}

$EncryptedFile = ""

try {
    # Encrypt file
    $out = Protect-RMSFile -File $FileToEncrypt -TemplateID $RmsTemplateId -OwnerEmail $OwnerEmail
    $EncryptedFile = $out.EncryptedFile
}
catch {
    $ExceptionMessage = "Encryption of " + $FileToEncrypt + " failed."
    throw [System.Exception] $ExceptionMessage
    exit -1
}

#exit 0

Copy the above script to a new file called C:\Windows\System32\FciRmsFileProtection.ps1.

The following PowerShell commands will create a custom file management task that will use this script to RMS encrypt a file whenever the file is classified as HBI. You may also create a custom file management task from the FSRM GUI. Replace the RMS Template with one that matches a template in your organization (more information about how to find this below; Get-RMSTemplate):

$Command = "C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe"
$CommandParameters = "C:\Windows\System32\FciRmsFileProtection.ps1 -FileToEncrypt [Source File Path] -RmsTemplate 'Contoso All - All Rights' -OwnerEmail [Source File Owner Email]"
$Action = New-FSRMFmjAction -Type Custom -Command $Command -CommandParameters $CommandParameters -SecurityLevel LocalSystem -WorkingDirectory "C:\Windows\System32\WindowsPowerShell\v1.0\"

$Condition = New-FsrmFmjCondition -Property "Impact_MS" -Condition Equal -Value 3000

$Schedule = New-FsrmScheduledTask -Time (Get-Date) -Weekly Sunday

New-FsrmFileManagementJob -Name "Test RMS Encrypt" -Namespace "C:\Shares" -Action $Action -Condition $Condition -Schedule $Schedule -Continuous
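
A pre-flight check for the configuration built up in the steps above, as an added example that is not part of the original post: it confirms the Pfile registry value, that the script the job runs as LocalSystem can only be modified by SYSTEM, Administrators and TrustedInstaller, and that the template name resolves to exactly one template. The function name Test-FciRmsPrerequisites is hypothetical; the paths, registry key and template name are the ones used on this page, and it is meant to be run in an elevated PowerShell session on the file server.

```powershell
# Added example: pre-flight checks for the setup described on this page.
# Test-FciRmsPrerequisites is a hypothetical name; paths, registry key and
# template name are the ones used above.
function Test-FciRmsPrerequisites {
    param(
        [string]$ScriptPath  = 'C:\Windows\System32\FciRmsFileProtection.ps1',
        [string]$RmsTemplate = 'Contoso All - All Rights'
    )
    $problems = @()

    # 1. Registry value that enables generic (.pfile) protection.
    #    -LiteralPath stops the '*' key name being expanded as a wildcard.
    $key   = 'HKLM:\Software\Microsoft\MSIPC\FileProtection\*'
    $value = (Get-ItemProperty -LiteralPath $key -Name Encryption -ErrorAction SilentlyContinue).Encryption
    if ($value -ne 'Pfile') { $problems += "Encryption under $key is '$value', expected 'Pfile'" }

    # 2. The job runs the script as LocalSystem, so only SYSTEM, Administrators
    #    and TrustedInstaller (compared by SID) should hold write-type rights on it.
    $trusted = 'S-1-5-18', 'S-1-5-32-544',
               'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    if (-not (Test-Path -LiteralPath $ScriptPath)) {
        $problems += "Script not found: $ScriptPath"
    } else {
        $sidType = [System.Security.Principal.SecurityIdentifier]
        foreach ($ace in (Get-Acl -LiteralPath $ScriptPath).GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -eq 'Allow' -and
                ([int]$ace.FileSystemRights -band $writeBits) -and
                ($trusted -notcontains $ace.IdentityReference.Value)) {
                $problems += "SID $($ace.IdentityReference.Value) can modify $ScriptPath"
            }
        }
    }

    # 3. Snap-in registered, and the template name resolves to exactly one
    #    template (the same name lookup the task script performs).
    if (-not (Get-PSSnapin -Registered -Name Microsoft.Protection -ErrorAction SilentlyContinue)) {
        $problems += 'Microsoft.Protection snap-in is not registered'
    } else {
        Add-PSSnapin Microsoft.Protection -ErrorAction SilentlyContinue
        $found = @(Get-RMSTemplate | Where-Object { $_.Name -eq $RmsTemplate })
        if ($found.Count -ne 1) { $problems += "Template '$RmsTemplate' matched $($found.Count) templates" }
    }
    $problems
}

$issues = @(Test-FciRmsPrerequisites)
if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } } else { 'All pre-flight checks passed.' }
```

The template lookup here runs under the account that starts the check, while the FSRM job itself runs as LocalSystem.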

Learn more about the Microsoft.Protection Cmdlets

  • To get the RMS server name to be used, run this command:
    Name: Get-RMSServer
    Synopsis: Returns the list of all AD RMS servers that can issue templates for the user.
    Syntax: Get-RMSServer [<CommonParameters>]
    Description: The Get-RMSServer cmdlet returns a list of all AD RMS servers that can issue templates for the current user.
  • To get the RMS template GUID to be used, run this command:
    Name: Get-RMSTemplate
    Synopsis: Returns a list of AD RMS templates.
    Syntax: Get-RMSTemplate [-Force ] [-RMSServer ] []
    Description: The Get-RMSTemplate cmdlet returns a list of templates.
  • To protect a file:
    Name: Protect-RMSFile
    Synopsis: Protects using RMS encryption the specified file or the files in specified folder.
    Syntax: Protect-RMSFile -File [-DoNotPersistEncryptionKey ] [-OutputFolder ] [-TemplateId ] []
    Description: The Protect-RMSFile cmdlet protects and encrypts a specified file or the files in a specified folder if they were previously unprotected. The Protect-RMSFile cmdlet will run and execute in the following modes:
    1. Encrypt a file and let it be encrypted in the default location.
    2. Encrypt a file and let the encrypted file be placed at a new location.
    3. Encrypt a folder. All files inside the folder will be encrypted.

RMS Protected Files on Non-Windows Machines

Files protected by the Cmdlets are accessible by users on all platforms (Android, iOS, Mac, Windows Phone, and Windows) using the RMS sharing apps.

The Storage Team at Microsoft – File Cabinet Blog
