An update is available to remove the application manifest expiry feature from AD RMS clients

Applies to: Windows XP, Microsoft Windows Server 2003, Windows Vista

Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: Support is ending for some versions of Windows.

INTRODUCTION


Information that describes the removal of the manifest expiry feature in AD RMS

An update is available for all Active Directory Rights Management Services (AD RMS) clients. This update prevents you from receiving error messages that are related to the application manifest expiry feature of the AD RMS clients. This fix is also necessary for Windows Rights Management clients. This update ensures continued compatibility between RMS-enabled applications and the RMS client.

As a follow-up to the Office 2003 Information Rights Management (IRM) update, Microsoft has made additional changes in AD RMS. The application manifest expiry feature of AD RMS is no longer required.



After careful review of the original design of the AD RMS client, Microsoft has determined that the application manifest expiry feature can be completely removed. The application manifest expiry feature was a legacy feature in the original product. This feature allowed for more specific control of the applications that can access AD RMS protected content. The functionality that was provided by this feature is now included in other features that are contained in AD RMS, such as Application Exclusion and Windows Software Restrictions policies. These new features provide a new approach to allow for controlling what applications can run in your enterprise. The new approach puts the control in your hands.

For more information, visit the following Microsoft Web site:

More Information


Update information

How to obtain this update

Windows Update

This update is available from the Microsoft Update Web site:

Microsoft Download Center

The following files are available for download from the Microsoft Download Center:
Operating system | Update
All supported x64-based versions of Windows XP | Download the update package now.
All supported x86-based versions of Windows Server 2003 | Download the update package now.
All supported x64-based versions of Windows Server 2003 | Download the update package now.
All supported IA-64-based versions of Windows Server 2003 | Download the update package now.
All supported x86-based versions of Windows Vista | Download the update package now.
All supported x64-based versions of Windows Vista | Download the update package now.
All supported x86-based versions of Windows Server 2008 | Download the update package now.
All supported x64-based versions of Windows Server 2008 | Download the update package now.
All supported IA-64-based versions of Windows Server 2008 | Download the update package now.
All supported x86-based versions of Windows 7 | Download the update package now.
All supported x64-based versions of Windows 7 | Download the update package now.
All supported x64-based versions of Windows Server 2008 R2 | Download the update package now.
All supported IA-64-based versions of Windows Server 2008 R2 | Download the update package now.
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

There are no prerequisites for installing this update.

Registry information

To use the update in this package, you do not have to make any changes to the registry.

Restart requirement

You do not have to restart the computer after you apply this update.

Update replacement information

This update replaces the existing AD RMS client on the computer. It contains all hotfixes that were included with AD RMS V1 Service Pack 2 and all later hotfixes that were released before this update.

File information

The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows Vista and Windows Server 2008 file information notes
  • The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
    Version | Product | SR_Level | Service branch
    6.0.6000.17xxx | Windows Vista | RTM | GDR
    6.0.6000.21xxx | Windows Vista | RTM | LDR
    6.0.6001.18xxx | Windows Vista and Windows Server 2008 | SP1 | GDR
    6.0.6001.22xxx | Windows Vista and Windows Server 2008 | SP1 | LDR
    6.0.6002.18xxx | Windows Vista and Windows Server 2008 | SP2 | GDR
    6.0.6002.22xxx | Windows Vista and Windows Server 2008 | SP2 | LDR
  • GDR service branches contain only those fixes that are widely released to address widespread, extremely important issues. LDR service branches contain hotfixes in addition to widely released fixes.
  • Service Pack 1 is integrated into the release version of Windows Server 2008. Therefore, RTM milestone files apply only to Windows Vista. RTM milestone files have a 6.0.0000.xxxxxx version number.
For all supported x86-based versions of Windows Server 2008 and of Windows Vista
File name File version File size Date Time Platform
Msdrm.dll 6.0.6000.17008 312,320 25-Jan-2010 12:56 x86
Msdrm.dll 6.0.6000.21210 312,832 25-Jan-2010 12:34 x86
Msdrm.dll 6.0.6001.18411 329,216 25-Jan-2010 12:45 x86
Msdrm.dll 6.0.6001.22613 336,384 25-Jan-2010 12:31 x86
Msdrm.dll 6.0.6002.18193 332,288 25-Jan-2010 11:58 x86
Msdrm.dll 6.0.6002.22321 352,768 25-Jan-2010 12:35 x86
For all supported x64-based versions of Windows Server 2008 and of Windows Vista
File name File version File size Date Time Platform
Msdrm.dll 6.0.6000.17008 433,664 25-Jan-2010 13:01 x64
Msdrm.dll 6.0.6000.21210 434,176 25-Jan-2010 13:12 x64
Msdrm.dll 6.0.6001.18411 457,216 25-Jan-2010 13:00 x64
Msdrm.dll 6.0.6001.22613 465,408 25-Jan-2010 13:04 x64
Msdrm.dll 6.0.6002.18193 460,288 25-Jan-2010 12:08 x64
Msdrm.dll 6.0.6002.22321 486,912 25-Jan-2010 12:17 x64
For all supported IA-64-based versions of Windows Server 2008
File name File version File size Date Time Platform
Msdrm.dll 6.0.6001.18411 772,608 25-Jan-2010 12:42 IA-64
Msdrm.dll 6.0.6001.22613 788,992 25-Jan-2010 12:28 IA-64
Msdrm.dll 6.0.6002.18193 778,752 25-Jan-2010 11:51 IA-64
Msdrm.dll 6.0.6002.22321 827,904 25-Jan-2010 12:06 IA-64
Windows 7 and Windows Server 2008 R2 file information notes
  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
    Version | Product | Milestone | Service branch
    6.1.7600.16xxx | Windows 7 and Windows Server 2008 R2 | RTM | GDR
    6.1.7600.20xxx | Windows 7 and Windows Server 2008 R2 | RTM | LDR
  • GDR service branches contain only those fixes that are widely released to address widespread, extremely important issues. LDR service branches contain hotfixes in addition to widely released fixes.
For all supported x86-based versions of Windows 7
File name File version File size Date Time Platform
Rmactivate_ssp_isv.exe 6.1.7600.16506 277,504 18-Jan-2010 23:28 x86
Secproc_ssp_isv.dll 6.1.7600.16506 85,504 18-Jan-2010 23:29 x86
Rmactivate_ssp_isv.exe 6.1.7600.20621 277,504 19-Jan-2010 11:54 x86
Secproc_ssp_isv.dll 6.1.7600.20621 85,504 19-Jan-2010 11:55 x86
Rmactivate_isv.exe 6.1.7600.16506 324,608 18-Jan-2010 23:28 x86
Secproc_isv.dll 6.1.7600.16506 365,568 18-Jan-2010 23:29 x86
Rmactivate_isv.exe 6.1.7600.20621 324,608 19-Jan-2010 11:54 x86
Secproc_isv.dll 6.1.7600.20621 365,568 19-Jan-2010 11:55 x86
Rmactivate_ssp.exe 6.1.7600.16506 280,064 18-Jan-2010 23:28 x86
Secproc_ssp.dll 6.1.7600.16506 85,504 18-Jan-2010 23:29 x86
Rmactivate_ssp.exe 6.1.7600.20621 280,064 19-Jan-2010 11:54 x86
Secproc_ssp.dll 6.1.7600.20621 85,504 19-Jan-2010 11:55 x86
Rmactivate.exe 6.1.7600.16506 320,512 18-Jan-2010 23:28 x86
Secproc.dll 6.1.7600.16506 369,152 18-Jan-2010 23:29 x86
Rmactivate.exe 6.1.7600.20621 320,512 19-Jan-2010 11:54 x86
Secproc.dll 6.1.7600.20621 369,152 19-Jan-2010 11:55 x86
For all supported x64-based versions of Windows 7 and of Windows Server 2008 R2
File name File version File size Date Time Platform
Rmactivate_ssp_isv.exe 6.1.7600.16506 305,152 19-Jan-2010 09:00 x64
Secproc_ssp_isv.dll 6.1.7600.16506 121,856 19-Jan-2010 09:05 x64
Rmactivate_ssp_isv.exe 6.1.7600.20621 305,152 19-Jan-2010 10:25 x64
Secproc_ssp_isv.dll 6.1.7600.20621 121,856 19-Jan-2010 10:30 x64
Rmactivate_isv.exe 6.1.7600.16506 357,888 19-Jan-2010 09:00 x64
Secproc_isv.dll 6.1.7600.16506 422,912 19-Jan-2010 09:05 x64
Rmactivate_isv.exe 6.1.7600.20621 357,888 19-Jan-2010 10:25 x64
Secproc_isv.dll 6.1.7600.20621 422,912 19-Jan-2010 10:30 x64
Rmactivate_ssp.exe 6.1.7600.16506 306,688 19-Jan-2010 09:00 x64
Secproc_ssp.dll 6.1.7600.16506 121,856 19-Jan-2010 09:05 x64
Rmactivate_ssp.exe 6.1.7600.20621 306,688 19-Jan-2010 10:24 x64
Secproc_ssp.dll 6.1.7600.20621 121,856 19-Jan-2010 10:30 x64
Rmactivate.exe 6.1.7600.16506 356,352 19-Jan-2010 09:00 x64
Secproc.dll 6.1.7600.16506 424,960 19-Jan-2010 09:05 x64
Rmactivate.exe 6.1.7600.20621 356,352 19-Jan-2010 10:24 x64
Secproc.dll 6.1.7600.20621 424,960 19-Jan-2010 10:30 x64
For all supported IA-64-based versions of Windows Server 2008 R2
File name File version File size Date Time Platform
Rmactivate_ssp_isv.exe 6.1.7600.16506 297,984 19-Jan-2010 07:31 IA-64
Secproc_ssp_isv.dll 6.1.7600.16506 285,696 19-Jan-2010 07:37 IA-64
Rmactivate_ssp_isv.exe 6.1.7600.20621 297,984 19-Jan-2010 08:55 IA-64
Secproc_ssp_isv.dll 6.1.7600.20621 285,696 19-Jan-2010 09:02 IA-64
Rmactivate_isv.exe 6.1.7600.16506 335,872 19-Jan-2010 07:31 IA-64
Secproc_isv.dll 6.1.7600.16506 595,456 19-Jan-2010 07:37 IA-64
Rmactivate_isv.exe 6.1.7600.20621 335,872 19-Jan-2010 08:55 IA-64
Secproc_isv.dll 6.1.7600.20621 595,456 19-Jan-2010 09:02 IA-64
Rmactivate_ssp.exe 6.1.7600.16506 300,032 19-Jan-2010 07:31 IA-64
Secproc_ssp.dll 6.1.7600.16506 285,696 19-Jan-2010 07:37 IA-64
Rmactivate_ssp.exe 6.1.7600.20621 300,032 19-Jan-2010 08:55 IA-64
Secproc_ssp.dll 6.1.7600.20621 285,696 19-Jan-2010 09:02 IA-64
Rmactivate.exe 6.1.7600.16506 334,336 19-Jan-2010 07:31 IA-64
Secproc.dll 6.1.7600.16506 593,408 19-Jan-2010 07:37 IA-64
Rmactivate.exe 6.1.7600.20621 334,336 19-Jan-2010 08:55 IA-64
Secproc.dll 6.1.7600.20621 593,408 19-Jan-2010 09:01 IA-64
For all supported x86-based versions of Windows 2000, of Windows XP, and of Windows Server 2003:
File name File version File size Date Time Platform
Msdrm.dll 5.2.3790.433 339,336 14-Jan-2010 13:14 x86
Secproc.dll 6.0.6406.0 558,984 14-Jan-2010 13:14 x86
Secproc_isv.dll 6.0.6406.0 562,064 14-Jan-2010 13:14 x86
Secproc_ssp.dll 6.0.6406.0 192,904 14-Jan-2010 13:14 x86
Secproc_ssp_isv.dll 6.0.6406.0 192,912 14-Jan-2010 13:14 x86
RmActivate.exe 6.0.6406.0 567,176 14-Jan-2010 13:14 x86
RmActivate_isv.exe 6.0.6406.0 575,880 14-Jan-2010 13:14 x86
RmActivate_ssp.exe 6.0.6406.0 362,888 14-Jan-2010 13:14 x86
RmActivate_ssp_isv.exe 6.0.6406.0 361,872 14-Jan-2010 13:14 x86
For all supported x64-based versions of Windows 2000, of Windows XP, and of Windows Server 2003:


 
File name File version File size Date Time Platform
Msdrm.dll 5.2.3790.433 586,640 14-Jan-2010 13:17 x64
Secproc.dll 6.0.6406.0 615,312 14-Jan-2010 13:17 x64
Secproc_isv.dll 6.0.6406.0 613,264 14-Jan-2010 13:17 x64
Secproc_ssp.dll 6.0.6406.0 197,512 14-Jan-2010 13:17 x64
Secproc_ssp_isv.dll 6.0.6406.0 197,520 14-Jan-2010 13:17 x64
RmActivate.exe 6.0.6406.0 647,568 14-Jan-2010 13:17 x64
RmActivate_isv.exe 6.0.6406.0 649,616 14-Jan-2010 13:17 x64
RmActivate_ssp.exe 6.0.6406.0 427,920 14-Jan-2010 13:17 x64
RmActivate_ssp_isv.exe 6.0.6406.0 436,104 14-Jan-2010 13:17 x64
Msdrm.dll 5.2.3790.433 339,336 14-Jan-2010 13:17 x86
Secproc.dll 6.0.6406.0 558,992 14-Jan-2010 13:17 x86
Secproc_isv.dll 6.0.6406.0 562,056 14-Jan-2010 13:17 x86
Secproc_ssp.dll 6.0.6406.0 192,912 14-Jan-2010 13:17 x86
Secproc_ssp_isv.dll 6.0.6406.0 192,912 14-Jan-2010 13:17 x86
RmActivate.exe 6.0.6406.0 567,176 14-Jan-2010 13:17 x86
RmActivate_isv.exe 6.0.6406.0 575,888 14-Jan-2010 13:17 x86
RmActivate_ssp.exe 6.0.6406.0 362,896 14-Jan-2010 13:17 x86
RmActivate_ssp_isv.exe 6.0.6406.0 361,872 14-Jan-2010 13:17 x86
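
The version notes above matter when you audit whether this update is installed: a file must be compared with the fixed version of its own milestone and service branch, because an older LDR build has a higher revision number than the fixed GDR build. The following is an added example, not code from this article or from Microsoft. It covers only Msdrm.dll on Windows Vista and Windows Server 2008; the function names and the inventory rows are constructed for illustration.

```python
# Added example (not from the KB article): branch-aware patch check.
# Fixed Msdrm.dll versions are copied from the Vista / Server 2008 tables above.
FIXED_MSDRM = ["6.0.6000.17008", "6.0.6000.21210", "6.0.6001.18411",
               "6.0.6001.22613", "6.0.6002.18193", "6.0.6002.22321"]

# From the version notes table: build -> milestone, revision prefix -> branch.
MILESTONE = {6000: "RTM", 6001: "SP1", 6002: "SP2"}
BRANCH = {(6000, 17): "GDR", (6000, 21): "LDR",
          (6001, 18): "GDR", (6001, 22): "LDR",
          (6002, 18): "GDR", (6002, 22): "LDR"}


def parse(version):
    """'6.0.6001.18411' -> (6, 0, 6001, 18411); raises ValueError if malformed."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a four-part file version: %r" % version)
    return tuple(int(p) for p in parts)


def classify(version):
    """Return (milestone, branch), or None if outside the Vista/2008 scheme."""
    major, minor, build, rev = parse(version)
    branch = BRANCH.get((build, rev // 1000))
    if (major, minor) != (6, 0) or branch is None:
        return None
    return MILESTONE[build], branch


# Index the fixed versions by (milestone, branch) so each file is compared
# only against the fixed version of its own branch.
FIXED_BY_BRANCH = {classify(v): parse(v) for v in FIXED_MSDRM}


def update_status(version):
    """'patched', 'missing' or 'unknown' for one Msdrm.dll version.

    Assumption: a higher revision in the same milestone and branch is a later
    build that still contains this update.
    """
    key = classify(version)
    if key is None:
        return "unknown"
    return "patched" if parse(version) >= FIXED_BY_BRANCH[key] else "missing"


# Constructed inventory rows (host names and versions are sample data).
INVENTORY = [("HOST-A", "6.0.6001.18411"), ("HOST-B", "6.0.6001.22000"),
             ("HOST-C", "6.0.6002.18005"), ("HOST-D", "5.2.3790.433")]

if __name__ == "__main__":
    for host, ver in INVENTORY:
        print(host, ver, classify(ver), update_status(ver))
```

HOST-B is the case a plain "version is at least 6.0.6001.18411" rule gets wrong: it is an SP1 LDR build below 6.0.6001.22613, so the update is missing even though its revision is numerically higher than the fixed GDR build.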

References


Error message that you may receive when you access AD RMS protected content

The following is an example of an error message that you may receive when you try to access AD RMS protected content.

If you use the Rights Management Add-on for Internet Explorer, you may receive the following error message if the manifest is expired:
You cannot open this document because we cannot set up your computer to open documents that have restricted permission.
If you click Advanced Information in the error message, you may see one of the following error messages:
The Rights Management client returned the following result code: 0x80004005(-2147467259).
The Rights Management client returned the following result code: E_DRM_SERVICE_NOT_FOUND.
The Rights Management client returned the following result code: E_DRM_BIND_VALIDITY_TIME_VIOLATED.
After you apply this update, the manifest expiry feature is removed. Therefore, the AD RMS client applications will no longer have to renew their manifests. This also eliminates the possibility of having manifests expire accidentally.

Note This update is effective for both new and existing AD RMS products. AD RMS applications will still need a manifest. AD RMS Independent Software Vendor (ISV) partners will still need a production certificate issued by Microsoft for creating this manifest.

More information about AD RMS and the legacy application manifest expiry feature

Capabilities of AD RMS

AD RMS is used to protect sensitive data. AD RMS applications that also handle sensitive data share the responsibility of protecting this data.

AD RMS provides two main capabilities:
  • AD RMS provides persistent, cryptographically-protected access control at the file level. This prevents unauthorized access to content.
  • AD RMS provides usage policy enforcement that can specify particular rights or restrictions on access to content. For example, "read-only" or "do not forward."

    To provide the usage policy enforcement capability, AD RMS restricts access to protected content. Only trusted AD RMS applications that can enforce this usage policy may access this protected content.

Mechanism of the application manifest expiry feature


Microsoft issues an application signing certificate to developers who create AD RMS applications. The developer uses this certificate to sign an application manifest for each AD RMS application. Each AD RMS application that creates or that accesses AD RMS protected content contains this signed application manifest. This application manifest verifies that the application has a trusted state. The AD RMS client checks both the signed application manifest and the application signing certificate before it enables the application to create or to access protected content.


The application signing certificate contains an expiration date. When this expiration date has passed, the AD RMS client no longer recognizes the trust state of the AD RMS application. Therefore, the AD RMS client does not enable the AD RMS application to create or to access the protected content. This expiration date is a legacy mechanism that is used to verify the trust status of an application. Previously, new application signing certificates and new signed application manifests were distributed with application updates. This occurred especially in updates that involved patching vulnerabilities. This legacy mechanism would then prevent an attacker from using older or un-patched applications in order to access the protected content.

This legacy mechanism is replaced by a feature that enables the AD RMS system administrator to control the application trust state instead of relying on expiration dates. An AD RMS administrator can specify particular AD RMS applications or particular versions of AD RMS applications as untrustworthy. An application that is set as untrustworthy cannot be used to create or to access AD RMS protected information.