AD RMS How To: Disable IRM Functionality for Some Office Applications
An interesting question was posed to me. "How can I disable DRM for all my Office 2010 applications except for Outlook?" My initial reaction was that this is not possible. I know how to disable it for all Office applications on a client but not pick and choose. A few minutes with Bing and conferring with a peer and I found two possible solutions.
Note: I've not tested these to any great extent. Please test.
Solution One: Disable IRM functionality for all Office applications
Per Office Registry Settings on TechNet, there is a value to disable IRM for all of the installed Office applications.
The registry location depends on the version of Office (e.g. 2016) and the architecture (x86 or x64). For my example here I am using the generic HKCU\Software\Microsoft pathing. Please see the TechNet article for the specifics.
Disable all RMS functionality
To disable IRM, both creation and consumption, for all Office applications on the client set the following registry value.
HKCU\Software\Microsoft\Office\16.0\Common\DRM
Name: Disable
Type: DWORD
Value: 0/1
0 = No functionality affected by this registry key
1 = All IRM functionality is removed; IRM is disabled
To disable just the creation of IRM documents for all Office applications on the client set the following registry value.
HKCU\Software\Microsoft\Office\16.0\Common\DRM
Value Name: DisableCreation
Value Type: DWORD
Value Data: 0/1
0 = No functionality affected by this registry key
1 = IRM protection options are removed; you can still consume protected files.
These options exist in the Office Templates with the following names:
IRM Disable User Interface disables the ability to consume OR create protected content. (completely disabled)
Prevent Users from Changing Permissions prevent users from creating protected content, but consumption is allowed.
Solution Two: Disable IRM in the GUI for specific Office applications
This solution allows specific applications to have IRM functionality disabled in the GUI. These settings may be managed via GPO or the registry. End users should either see greyed out buttons or they may be hidden.
Links
- [All supported versions] Office Fluent UI Command Identifiers
- Office 2010 Help Files: Office Fluent User Interface Control Identifiers
- Office 2013 Help Files: Office Fluent User Interface Control Identifiers
- Office 2016 Help Files: Office Fluent User Interface Control Identifiers
Download the appropriate guide for the version of Office in use. Locate the appropriate GUI options for disabling. My limited (quick) research discovered the following settings for Word, Excel, and PowerPoint.
To disable IRM GUI for the desired Office application set the following registry values. Note, these may be used with the Office group policy templates or via a group policy pushing out registry preferences. When doing the manual preferences note that the values are written to the Policies key under Software.
- HKCU\Software\Policies\Microsoft\Office\14.0\Word\DisabledCmdBarItemsList
- HKCU\Software\Policies\Microsoft\Office\14.0\Excel\DisabledCmdBarItemsList
- HKCU\Software\Policies\Microsoft\Office\14.0\PowerPoint\DisabledCmdBarItemsList
Value Name: TCID1
Value Type: REG_SZ
Value Data: 7990
TCID 7990 disables the items on the flyout menu of File / Info / Protect Document / Restrict Access option.
TCID 195519 removes the whole Protect Document option.
Refer to the Office interface control identifiers documentation to find other values.
Solution Three: Exclude the applications on the RMS server
This solution does not require any client-side management. Use the Exclude Applications feature in the AD RMS console. Enable the feature and add the desired applications to be excluded. NOTE: This only prevents the consumption of protected files in the specified application. It doesn't impact creation or hide any options from the client.