Enable or Disable Transport Decryption
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Enabling transport decryption allows the Transport Rules agent on Hub Transport servers to access content in messages protected by Information Rights Management (IRM). As a result, other transport agents can access message content and possibly make changes to it. For example, the Transport Rules agent may need to inspect message content and apply transport rules (such as rules that apply a disclaimer to the message). To successfully decrypt IRM-protected messages, you must add the Federated Delivery mailbox to the super users group configured on your Active Directory Rights Management Services (AD RMS) server.
Important
Members of the super users group are granted an owner use license when they request a license from the AD RMS cluster. This allows them to decrypt all RMS-protected content created by that AD RMS cluster.
When enabling transport decryption, you can specify the following settings:
Mandatory Rejects messages that can't be decrypted and returns a non-delivery report (NDR) to the sender.
Optional Uses a best-effort approach to decryption. If possible, messages are decrypted, but they're delivered even if decryption fails.
To learn more about transport decryption, see Understanding Transport Decryption.
Looking for other management tasks related to IRM? Check out Managing Information Rights Management.
Prerequisites
An AD RMS server exists in the Active Directory forest and is accessible.
The Federated Delivery mailbox has been added to the AD RMS super users group. For details, see Add the Federation Mailbox to the AD RMS Super Users Group.
Use the Shell to enable transport decryption
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Rights protection" entry in the Messaging Policy and Compliance Permissions topic.
Note
You can't use the EMC to enable transport decryption.
This example enables transport decryption for the Microsoft Exchange Server 2010 organization. Messages that can't be decrypted are rejected, and an NDR is returned to the sender.
Set-IRMConfiguration -TransportDecryptionSetting Mandatory
For detailed syntax and parameter information, see Set-IRMConfiguration.
Use the Shell to disable transport decryption
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Rights protection" entry in the Messaging Policy and Compliance Permissions topic.
Note
You can't use the EMC to disable transport decryption.
This example disables transport decryption for the Exchange 2010 organization.
Set-IRMConfiguration -TransportDecryptionSetting Disabled
For detailed syntax and parameter information, see Set-IRMConfiguration.
Other Tasks
After you enable or disable transport decryption, you may also want to:
© 2010 Microsoft Corporation. All rights reserved.