Lockboxes are used to store a user's private key. If a vulnerability is found in a certain version of a lockbox, Microsoft releases a new lockbox. Because each version of the Active Directory Rights Management Services (AD RMS) client software is associated with a lockbox version, you can ensure that clients use a minimum version of the AD RMS client software by excluding earlier lockbox versions. When you enable this feature, you specify the latest minimum lockbox version that was signed by the Microsoft Activation Service. You then enable lockbox exclusion on each AD RMS cluster on which you want it to take effect. All certification and licensing requests are checked to make sure that the lockbox meets the minimum version criteria.

If you have enabled an exclusion based on lockbox version, clients that are using a version of the lockbox software earlier than the specified version cannot acquire rights account certificates (RACs) or use licenses because their requests will be denied. These clients must install a new version of the AD RMS client software to acquire a new lockbox that uses the current version of the software.

If a user who has an excluded lockbox was previously issued licenses for content, the user can still consume that content without acquiring a new lockbox.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To exclude lockbox versions
  1. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  2. In the console tree, expand Exclusion Policies, and then select Lockbox.

  3. Click Enable Lockbox Exclusion to exclude lockbox versions.

  4. Click Change minimum lockbox version. The Lockbox properties sheet opens.

  5. Click View the recommended minimum lockbox version to connect to the Internet and view the minimum lockbox version that is signed by the Microsoft Activation Service. If you do not have an Internet connection on the AD RMS server, you can go directly to the Windows AD RMS Activation Service Web site (http://go.microsoft.com/fwlink/?LinkID=12995) and view the minimum lockbox version.

  6. On the Minimum RM lockbox version page that appears, copy the version number, and then close your Web browser.

  7. In the Minimum lockbox version box, paste the version number, and then click OK.
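The same procedure can be scripted. The following is an added example, not part of the original article, that uses the AdRmsAdmin PowerShell provider installed with the AD RMS role; the cluster URL, the `ExclusionPolicy\Lockbox` path and the `IsEnabled` and `MinimumVersion` property names are assumptions to verify against your own cluster with `Get-ChildItem` and `Get-ItemProperty` before use.

```powershell
# Added example (not from the original article). Assumes the AdRmsAdmin
# provider; item path and property names are assumptions to verify.
Import-Module AdRmsAdmin

$clusterUrl = 'https://adrms.contoso.com'   # assumed cluster URL
New-PSDrive -Name AdRms -PSProvider AdRmsAdmin -Root $clusterUrl | Out-Null

function Set-LockboxExclusion {
    param(
        # Version string copied from the Microsoft Activation Service page
        [Parameter(Mandatory)][string]$MinimumVersion
    )
    # Validate the pasted value before touching the cluster: a malformed
    # string would either be rejected or exclude nothing at all.
    $parsed = $null
    if (-not [System.Version]::TryParse($MinimumVersion, [ref]$parsed)) {
        throw "'$MinimumVersion' is not a valid lockbox version (expected a.b.c.d)"
    }

    # Steps 3, 4 and 7 of the console procedure: set the minimum, then enable.
    Set-ItemProperty -Path 'AdRms:\ExclusionPolicy\Lockbox' -Name MinimumVersion -Value $parsed.ToString()
    Set-ItemProperty -Path 'AdRms:\ExclusionPolicy\Lockbox' -Name IsEnabled -Value $true

    # Read the policy back so a silently failed write is caught here rather
    # than discovered later from clients that were never excluded.
    $policy = Get-ItemProperty -Path 'AdRms:\ExclusionPolicy\Lockbox'
    if (-not $policy.IsEnabled -or [Version]$policy.MinimumVersion -ne $parsed) {
        throw 'Lockbox exclusion did not apply as expected; check AD RMS Enterprise Administrators membership'
    }
    $policy
}

function Test-LockboxAllowed {
    # Mirrors the cluster's check on certification and licensing requests:
    # a client lockbox older than the minimum has its request denied.
    param(
        [Parameter(Mandatory)][string]$ClientVersion,
        [Parameter(Mandatory)][string]$MinimumVersion
    )
    [Version]$ClientVersion -ge [Version]$MinimumVersion
}

# Usage with a constructed placeholder version (not a real minimum):
# Set-LockboxExclusion -MinimumVersion '1.0.0.0'
# Test-LockboxAllowed -ClientVersion '0.9.0.0' -MinimumVersion '1.0.0.0'   # False: request denied
```

Run `Set-LockboxExclusion` once per cluster on which the exclusion should take effect, as the article notes; existing licenses already issued to an excluded lockbox remain usable.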

To stop excluding lockbox versions
  1. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  2. In the console tree, expand Exclusion Policies, and then select Lockbox.

  3. Click Disable Lockbox Exclusion to stop excluding lockbox versions.
