This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 53%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPR%3C/text%3E%3C/svg%3E)
We’re in the process of trying to do a bulk decryption of Office files that were encrypted by AD RMS. We've identified a potentially effective PowerShell command, "Unprotect-RMSFile," that could address our decryption needs. We expected this command to be included with the Azure Information Protection Client or the AzureInformation Protection PowerShell module as Microsoft documentation indicates it but it appears to be missing as seen in the screenshot below when we tried to test it. Can you help us find a way or let us know what is the module required to run the command and its requirements?
That's an old cmdlet, likely the module version you downloaded does not contain it. Try using the Set-AIPFileLabel cmdlet instead: https://learn.microsoft.com/en-us/powershell/module/azureinformationprotection/set-aipfilelabel?view=azureipps
Hi Vasil. Thank you. But we need to decrypt the files from AD RMS in an on-premise server. The cmdlet seems to be using Azure Information Protection, which we do not have. Can we confirm that Set-AIPFileLabel is compatible for AD RMS?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 11%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EUJ%3C/text%3E%3C/svg%3E)
Documentation is inaccurate, there is no option to bulk decrypt files at all at this moment. I spent a lot of time investigating which PowerShell to use, but there i no option as far as I know.
I am in touch with Microsoft because we are solving the same issue. We do have AD RMS server in place, we requested TPD key from Azure, now we plan to do some tests.
We configured registry redirect to force Office client to have a look on AD RMS for certificates. I would be happy to share experience as we are trying to achieve the same goal.
I’ve successfully managed to address this issue using PowerShell!
The key was utilizing the Azure Information Protection (AIP) client, which provides powerful cmdlets to manage sensitivity labels and file protection. Specifically, I used the Remove-FileLabel cmdlet to remove both sensitivity labels and protection in bulk.
Steps and Explanation
Install the AIP Client Download and install the Microsoft Purview Information Protection client from here. This client provides the necessary tools to manage file protection.
Command: Remove-FileLabel I used the Remove-FileLabel cmdlet to remove labels and decrypt files. Here’s an example:
Remove-FileLabel .\file.docx -RemoveProtection -RemoveLabel -JustificationMessage "Removing labels for migration"
-RemoveProtection: This parameter removes Rights Management Services (RMS) protection from the file. It’s essential for decrypting AD RMS-encrypted files.
-RemoveLabel: Removes any applied sensitivity label. While RMS protection and labels are separate, they often coexist.
-JustificationMessage: Adds a message to document the reason for removing protection and labels. This is useful for audit purposes or team transparency.Get-FileStatus cmdlet to validate the file's status before and after running the Remove-FileLabel command. This ensured that protection and labels were fully removed.GitHub Repository
I’ve documented the entire process, including example commands, scripts for automation, and detailed explanations, in a GitHub repository. You can find everything you need to replicate this solution there: GitHub Repository: Sensitivity Label Removal with AIP
Feel free to explore the repository, ask questions, or contribute!