Rights Management Services Analyzer Tool – updated

The RMS troubleshooting tool that I blogged about a couple of months ago has been updated and now also supports analyzing Azure RMS. The tool is no longer separate for client and server, it is now a single tool.

When you fire up the tool is asks you what role you have (or rather want to test):


The user tests analyzes the computer’s status and ability to use RMS, the admin tests makes sure that the RMS service is functioning properly

User tests

I chose Azure RMS user and clicked OK. I then filled in my Azure RMS user credentials and clicked OK at the login prompt:


I then clicked Run diagnostics:


The status is updated as it progresses:


It only takes a couple of seconds and when it finishes the result is displayed.


I can get more information by clicking each test. I can see even more details in the log that is created. The log is created in a folder that has the current date and time (down to the second), “150414-105949” as an example, so logs will not be overwritten by running the tool multiple times.

The brown warning symbol I got (in the screenshot above) is because the tool cannot make sure that an SCP (Service Connection Point) is not present in Active Directory. This test is performed because a registered AD RMS SCP can prevent domain joined clients from working with Azure RMS. But since my computer is not domain joined it is not an issue.

The first error was due to old cached RMS Templates that I had from a tenant that now has expired.

The second error states:
“The Default Server setting ‘<MyTenantname>’ does not match the internal licensing endpoint: https://7d0194e1-02fc-5276-a318-79964ae28237.rms.eu.aadrm.com/_wmcs/licensing.”

This is likely related to the fact that I have multiple RMS tenants configured and The Default Server setting can only be one tenant. I’ll look more into this.

By clicking the Fix It link I get information about what will be done to fix the problem:


After I clicked Fix now it showed green checkmarks:


When I ran the Diagnostics again the errors were gone.

If you click the button Reset configuration you delete all cached RMS-related files on your client, even if no errors were found. Note that this action will not make you lose access to any RMS protected data, it only means that the next time RMS is used on the client you will be automatically bootstrapped (get a fresh set of user certificates and templates).

If you need to troubleshoot a specific use case you can enable logging while reproducing the error:


Admin tests

I next chose Azure RMS admin when running the tool:


I could see some general information about my Azure RMS configuration:


The admin version of the Diagnostics have fewer tests for admins than users:


By clicking Templates you can download all the published RMS templates:


By clicking each of them you can get more information, such as who can do what when the selected template is applied:


By clicking Federation you can verify that federation works with Azure RMS, if you have this configured. You need to enter the federation service name and credentials manually:


You can download the tool here:

It does not require installation, so you can easily run it from a USB-drive on computers that you do not want to install software on but want to diagnose. It does however require .Net Framework 4.5.

Please leave a comment with any feedback and/or experiences you have using this tool.

About Tom Aafloen

IT Security Advisor @ Onevinn
This entry was posted in information protection, Rights Management Services, RMS and tagged , , . Bookmark the permalink.

3 Responses to Rights Management Services Analyzer Tool – updated

  1. Pingback: RMS Analyzer | IT-Säkerhetsguiden

  2. Pingback: Announcement: Azure RMS Documentation Library Update for April 2015 - The Official RMS Team Blog - Site Home - TechNet Blogs

  3. Pingback: Troubleshooting AD RMS just got easier! | Microsoft Security Solutions

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s