Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: Support is ending for some versions of Windows
Information that describes the removal of manifest expiry feature in AD RMS
An update is available for all Active Directory Rights Management Services (AD RMS) clients. This update prevents you from receiving error messages that are related to the application manifest expiry feature of the AD RMS clients. This fix is also necessary for Windows Rights Management clients. This update ensures continued compatibility between RMS-enabled applications and the RMS client.
As a follow up to the Office 2003 Information Rights Management (IRM) update, Microsoft has made additional changes in AD RMS. The application manifest expiry feature of AD RMS is no longer required.
After careful review of the original design of the AD RMS client, Microsoft has determined that the application manifest expiry feature can be completely removed. The application manifest expiry feature was a legacy feature in the original product. This feature allowed for more specific control of the applications that can access AD RMS protected content. The functionality that was provided by this feature is now included in other features that are contained in AD RMS, such as Application Exclusion and Windows Software Restrictions policies. These new features provide a new approach to allow for controlling what applications can run in your enterprise. The new approach puts the control in your hands.
For more information, visit the following Microsoft Web site:
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
Prerequisites
There are no prerequisites for installing this update.
Registry information
To use the update in this package, you do not have to make any changes to the registry.
Restart requirement
You do not have to restart the computer after you apply this update.
Update replacement information
This update replaces the existing AD RMS client on the computer. It contains all hotfixes that were included with AD RMS V1 Service Pack 2 and all later hotfixes that were released before this update.
File information
The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows Vista and Windows Server 2008 file information notes
The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
| Version | Product | SR_Level | Service branch |
|---|---|---|---|
| 6.0.6000.17xxx | Windows Vista | RTM | GDR |
| 6.0.6000.21xxx | Windows Vista | RTM | LDR |
| 6.0.6001.18xxx | Windows Vista and Windows Server 2008 | SP1 | GDR |
| 6.0.6001.22xxx | Windows Vista and Windows Server 2008 | SP1 | LDR |
| 6.0.6002.18xxx | Windows Vista and Windows Server 2008 | SP2 | GDR |
| 6.0.6002.22xxx | Windows Vista and Windows Server 2008 | SP2 | LDR |
GDR service branches contain only those fixes that are widely released to address widespread, extremely important issues. LDR service branches contain hotfixes in addition to widely released fixes.
Service Pack 1 is integrated into the release version of Windows Server 2008. Therefore, RTM milestone files apply only to Windows Vista. RTM milestone files have a 6.0.0000.xxxxxx version number.
For all supported x86-based versions of Windows Server 2008 and of Windows Vista
| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Msdrm.dll | 6.0.6000.17008 | 312,320 | 25-Jan-2010 | 12:56 | x86 |
| Msdrm.dll | 6.0.6000.21210 | 312,832 | 25-Jan-2010 | 12:34 | x86 |
| Msdrm.dll | 6.0.6001.18411 | 329,216 | 25-Jan-2010 | 12:45 | x86 |
| Msdrm.dll | 6.0.6001.22613 | 336,384 | 25-Jan-2010 | 12:31 | x86 |
| Msdrm.dll | 6.0.6002.18193 | 332,288 | 25-Jan-2010 | 11:58 | x86 |
| Msdrm.dll | 6.0.6002.22321 | 352,768 | 25-Jan-2010 | 12:35 | x86 |
For all supported x64-based versions of Windows Server 2008 and of Windows Vista
| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Msdrm.dll | 6.0.6000.17008 | 433,664 | 25-Jan-2010 | 13:01 | x64 |
| Msdrm.dll | 6.0.6000.21210 | 434,176 | 25-Jan-2010 | 13:12 | x64 |
| Msdrm.dll | 6.0.6001.18411 | 457,216 | 25-Jan-2010 | 13:00 | x64 |
| Msdrm.dll | 6.0.6001.22613 | 465,408 | 25-Jan-2010 | 13:04 | x64 |
| Msdrm.dll | 6.0.6002.18193 | 460,288 | 25-Jan-2010 | 12:08 | x64 |
| Msdrm.dll | 6.0.6002.22321 | 486,912 | 25-Jan-2010 | 12:17 | x64 |
For all supported IA-64-based versions of Windows Server 2008
| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Msdrm.dll | 6.0.6001.18411 | 772,608 | 25-Jan-2010 | 12:42 | IA-64 |
| Msdrm.dll | 6.0.6001.22613 | 788,992 | 25-Jan-2010 | 12:28 | IA-64 |
| Msdrm.dll | 6.0.6002.18193 | 778,752 | 25-Jan-2010 | 11:51 | IA-64 |
| Msdrm.dll | 6.0.6002.22321 | 827,904 | 25-Jan-2010 | 12:06 | IA-64 |
Windows 7 and Windows Server 2008 R2 file information notes
The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
| Version | Product | Milestone | Service branch |
|---|---|---|---|
| 6.1.7600.16xxx | Windows 7 and Windows Server 2008 R2 | RTM | GDR |
| 6.1.7600.20xxx | Windows 7 and Windows Server 2008 R2 | RTM | LDR |
GDR service branches contain only those fixes that are widely released to address widespread, extremely important issues. LDR service branches contain hotfixes in addition to widely released fixes.
For all supported x86-based versions of Windows 7
| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Rmactivate_ssp_isv.exe | 6.1.7600.16506 | 277,504 | 18-Jan-2010 | 23:28 | x86 |
| Secproc_ssp_isv.dll | 6.1.7600.16506 | 85,504 | 18-Jan-2010 | 23:29 | x86 |
| Rmactivate_ssp_isv.exe | 6.1.7600.20621 | 277,504 | 19-Jan-2010 | 11:54 | x86 |
| Secproc_ssp_isv.dll | 6.1.7600.20621 | 85,504 | 19-Jan-2010 | 11:55 | x86 |
| Rmactivate_isv.exe | 6.1.7600.16506 | 324,608 | 18-Jan-2010 | 23:28 | x86 |
| Secproc_isv.dll | 6.1.7600.16506 | 365,568 | 18-Jan-2010 | 23:29 | x86 |
| Rmactivate_isv.exe | 6.1.7600.20621 | 324,608 | 19-Jan-2010 | 11:54 | x86 |
| Secproc_isv.dll | 6.1.7600.20621 | 365,568 | 19-Jan-2010 | 11:55 | x86 |
| Rmactivate_ssp.exe | 6.1.7600.16506 | 280,064 | 18-Jan-2010 | 23:28 | x86 |
| Secproc_ssp.dll | 6.1.7600.16506 | 85,504 | 18-Jan-2010 | 23:29 | x86 |
| Rmactivate_ssp.exe | 6.1.7600.20621 | 280,064 | 19-Jan-2010 | 11:54 | x86 |
| Secproc_ssp.dll | 6.1.7600.20621 | 85,504 | 19-Jan-2010 | 11:55 | x86 |
| Rmactivate.exe | 6.1.7600.16506 | 320,512 | 18-Jan-2010 | 23:28 | x86 |
| Secproc.dll | 6.1.7600.16506 | 369,152 | 18-Jan-2010 | 23:29 | x86 |
| Rmactivate.exe | 6.1.7600.20621 | 320,512 | 19-Jan-2010 | 11:54 | x86 |
| Secproc.dll | 6.1.7600.20621 | 369,152 | 19-Jan-2010 | 11:55 | x86 |
For all supported x64-based versions of Windows 7 and of Windows Server 2008 R2
| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Rmactivate_ssp_isv.exe | 6.1.7600.16506 | 305,152 | 19-Jan-2010 | 09:00 | x64 |
| Secproc_ssp_isv.dll | 6.1.7600.16506 | 121,856 | 19-Jan-2010 | 09:05 | x64 |
| Rmactivate_ssp_isv.exe | 6.1.7600.20621 | 305,152 | 19-Jan-2010 | 10:25 | x64 |
| Secproc_ssp_isv.dll | 6.1.7600.20621 | 121,856 | 19-Jan-2010 | 10:30 | x64 |
| Rmactivate_isv.exe | 6.1.7600.16506 | 357,888 | 19-Jan-2010 | 09:00 | x64 |
| Secproc_isv.dll | 6.1.7600.16506 | 422,912 | 19-Jan-2010 | 09:05 | x64 |
| Rmactivate_isv.exe | 6.1.7600.20621 | 357,888 | 19-Jan-2010 | 10:25 | x64 |
| Secproc_isv.dll | 6.1.7600.20621 | 422,912 | 19-Jan-2010 | 10:30 | x64 |
| Rmactivate_ssp.exe | 6.1.7600.16506 | 306,688 | 19-Jan-2010 | 09:00 | x64 |
| Secproc_ssp.dll | 6.1.7600.16506 | 121,856 | 19-Jan-2010 | 09:05 | x64 |
| Rmactivate_ssp.exe | 6.1.7600.20621 | 306,688 | 19-Jan-2010 | 10:24 | x64 |
| Secproc_ssp.dll | 6.1.7600.20621 | 121,856 | 19-Jan-2010 | 10:30 | x64 |
| Rmactivate.exe | 6.1.7600.16506 | 356,352 | 19-Jan-2010 | 09:00 | x64 |
| Secproc.dll | 6.1.7600.16506 | 424,960 | 19-Jan-2010 | 09:05 | x64 |
| Rmactivate.exe | 6.1.7600.20621 | 356,352 | 19-Jan-2010 | 10:24 | x64 |
| Secproc.dll | 6.1.7600.20621 | 424,960 | 19-Jan-2010 | 10:30 | x64 |
For all supported IA-64-based versions of Windows Server 2008 R2
| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Rmactivate_ssp_isv.exe | 6.1.7600.16506 | 297,984 | 19-Jan-2010 | 07:31 | IA-64 |
| Secproc_ssp_isv.dll | 6.1.7600.16506 | 285,696 | 19-Jan-2010 | 07:37 | IA-64 |
| Rmactivate_ssp_isv.exe | 6.1.7600.20621 | 297,984 | 19-Jan-2010 | 08:55 | IA-64 |
| Secproc_ssp_isv.dll | 6.1.7600.20621 | 285,696 | 19-Jan-2010 | 09:02 | IA-64 |
| Rmactivate_isv.exe | 6.1.7600.16506 | 335,872 | 19-Jan-2010 | 07:31 | IA-64 |
| Secproc_isv.dll | 6.1.7600.16506 | 595,456 | 19-Jan-2010 | 07:37 | IA-64 |
| Rmactivate_isv.exe | 6.1.7600.20621 | 335,872 | 19-Jan-2010 | 08:55 | IA-64 |
| Secproc_isv.dll | 6.1.7600.20621 | 595,456 | 19-Jan-2010 | 09:02 | IA-64 |
| Rmactivate_ssp.exe | 6.1.7600.16506 | 300,032 | 19-Jan-2010 | 07:31 | IA-64 |
| Secproc_ssp.dll | 6.1.7600.16506 | 285,696 | 19-Jan-2010 | 07:37 | IA-64 |
| Rmactivate_ssp.exe | 6.1.7600.20621 | 300,032 | 19-Jan-2010 | 08:55 | IA-64 |
| Secproc_ssp.dll | 6.1.7600.20621 | 285,696 | 19-Jan-2010 | 09:02 | IA-64 |
| Rmactivate.exe | 6.1.7600.16506 | 334,336 | 19-Jan-2010 | 07:31 | IA-64 |
| Secproc.dll | 6.1.7600.16506 | 593,408 | 19-Jan-2010 | 07:37 | IA-64 |
| Rmactivate.exe | 6.1.7600.20621 | 334,336 | 19-Jan-2010 | 08:55 | IA-64 |
| Secproc.dll | 6.1.7600.20621 | 593,408 | 19-Jan-2010 | 09:01 | IA-64 |
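The version tables above can be applied to an inventory of collected file versions. The following is an added example, not part of the original article and not Microsoft code: the branch prefixes and revisions are copied from the tables on this page, the inventory is constructed sample data, and it assumes that within one service branch a revision equal to or higher than the listed one already carries this update. It compares each file only against the listed revision of its own branch, because a GDR revision is always numerically lower than the LDR revision for the same build.

```python
# Added example. Branch prefixes and listed revisions are copied from the
# tables on this page; the inventory further down is constructed sample data.

# (major, minor, build, revision // 1000) -> (SR level, branch, listed revision)
BRANCHES = {
    (6, 0, 6000, 17): ("RTM", "GDR", 17008),
    (6, 0, 6000, 21): ("RTM", "LDR", 21210),
    (6, 0, 6001, 18): ("SP1", "GDR", 18411),
    (6, 0, 6001, 22): ("SP1", "LDR", 22613),
    (6, 0, 6002, 18): ("SP2", "GDR", 18193),
    (6, 0, 6002, 22): ("SP2", "LDR", 22321),
    (6, 1, 7600, 16): ("RTM", "GDR", 16506),
    (6, 1, 7600, 20): ("RTM", "LDR", 20621),
}

def parse_version(text):
    """Turn 'a.b.c.d' into a 4-tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)

def check(version):
    """Return (sr_level, branch, status) for one file version string."""
    major, minor, build, rev = parse_version(version)
    entry = BRANCHES.get((major, minor, build, rev // 1000))
    if entry is None:
        # Build or branch prefix that the page's tables do not list.
        return (None, None, "unknown")
    level, branch, listed_rev = entry
    # Assumption: within one branch, a revision >= the listed one is a
    # build that already carries this update.
    return (level, branch, "updated" if rev >= listed_rev else "needs update")

# Constructed inventory: (host, file, version) as a collection tool might report it.
INVENTORY = [
    ("host-a", "Msdrm.dll", "6.0.6002.18193"),
    ("host-b", "Msdrm.dll", "6.0.6002.18005"),
    ("host-c", "Msdrm.dll", "6.0.6001.22613"),
    ("host-d", "Secproc.dll", "6.1.7600.16385"),
    ("host-e", "Secproc.dll", "6.1.7601.17514"),
]

def report(inventory=INVENTORY):
    """Map each host to its (sr_level, branch, status) result."""
    return {host: check(version) for host, _file, version in inventory}

if __name__ == "__main__":
    for host, result in report().items():
        print(host, *result)
```

Versions reported as "unknown" fall outside the builds and branches listed on this page and need to be assessed separately.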
For all supported x86-based versions of Windows 2000, of Windows XP, and of Windows Server 2003:
| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Msdrm.dll | 5.2.3790.433 | 339,336 | 14-Jan-2010 | 13:14 | x86 |
| Secproc.dll | 6.0.6406.0 | 558,984 | 14-Jan-2010 | 13:14 | x86 |
| Secproc_isv.dll | 6.0.6406.0 | 562,064 | 14-Jan-2010 | 13:14 | x86 |
| Secproc_ssp.dll | 6.0.6406.0 | 192,904 | 14-Jan-2010 | 13:14 | x86 |
| Secproc_ssp_isv.dll | 6.0.6406.0 | 192,912 | 14-Jan-2010 | 13:14 | x86 |
| RmActivate.exe | 6.0.6406.0 | 567,176 | 14-Jan-2010 | 13:14 | x86 |
| RmActivate_isv.exe | 6.0.6406.0 | 575,880 | 14-Jan-2010 | 13:14 | x86 |
| RmActivate_ssp.exe | 6.0.6406.0 | 362,888 | 14-Jan-2010 | 13:14 | x86 |
| RmActivate_ssp_isv.exe | 6.0.6406.0 | 361,872 | 14-Jan-2010 | 13:14 | x86 |
For all supported x64-based versions of Windows 2000, of Windows XP, and of Windows Server 2003:
Error message that you may receive when you access AD RMS protected content
The following is an example of an error message that you may receive when you try to access AD RMS protected content.
If you use the Rights Management Add-on for Internet Explorer, you may receive the following error message if the manifest is expired:
You cannot open this document because we cannot set up your computer to open documents that have restricted permission.
If you click Advanced Information in the error message, you may see one of the following error messages:
The Rights Management client returned the following result code: 0x80004005(-2147467259).
The Rights Management client returned the following result code: E_DRM_SERVICE_NOT_FOUND.
The Rights Management client returned the following result code: E_DRM_BIND_VALIDITY_TIME_VIOLATED.
After you apply this update, the manifest expiry feature is removed. Therefore, the AD RMS client applications will no longer have to renew their manifests. This also eliminates the possibility of having manifests expire accidentally.
Note: This update is effective for both new and existing AD RMS products. AD RMS applications will still need a manifest. AD RMS Independent Software Vendor (ISV) partners will still need a production certificate issued by Microsoft for creating this manifest.
More information about AD RMS and the legacy application manifest expiry feature
Capabilities of AD RMS
AD RMS is used to protect sensitive data. AD RMS applications that also handle sensitive data share the responsibility of protecting this data.
AD RMS provides two main capabilities:
AD RMS provides persistent, cryptographically-protected access control at the file level. This prevents unauthorized access to content.
AD RMS provides usage policy enforcement that can specify particular rights or restrictions on access to content. For example, "read-only" or "do not forward."
To provide the usage policy enforcement capability, AD RMS restricts access to protected content. Only trusted AD RMS applications that can enforce this usage policy may access this protected content.
Mechanism of the application manifest expiry feature
Microsoft issues an application signing certificate to developers who create AD RMS applications. The developer uses this certificate to sign an application manifest for each AD RMS application. Each AD RMS application that creates or that accesses AD RMS protected content contains this signed application manifest. This application manifest verifies that the application has a trusted state. The AD RMS client checks both the signed application manifest and the application signing certificate before it enables the application to create or to access protected content.
The application signing certificate contains an expiration date. When this expiration date has passed, the AD RMS client no longer recognizes the trust state of the AD RMS application. Therefore, the AD RMS client does not enable the AD RMS application to create or to access the protected content. This expiration date is a legacy mechanism that is used to verify the trust status of an application. Previously, new application signing certificates and new signed application manifests were distributed with application updates. This occurred especially in updates that involved patching vulnerabilities. This legacy mechanism would then prevent an attacker from using older or un-patched applications in order to access the protected content.
This legacy mechanism is replaced by a feature that enables the AD RMS system administrator to control the application trust state instead of relying on expiration dates. An AD RMS administrator can specify particular AD RMS applications or particular versions of AD RMS applications as untrustworthy. An application that is set as untrustworthy cannot be used to create or to access AD RMS protected information.