Office 2010 users receive an "An Unexpected Error has occurred.." while trying to IRM protect content.

UPDATE: This issue and a related Office 2010 application hang was fixed with the following patch:

Description of the Office 2010 hotfix package (Mso-x-none.msp): December 11, 2012

Please let us know if there are still issues AFTER installing this.


So you installed KB2584066. You're minding your own business trying to RMS protect some content, and BAM!

"An unexpected error has occurred while trying to restrict permissions to your document. Contact your administrator for assistance."

You shake your fist in the air, and wonder if you really want to talk to your administrator. He drinks alot of coffee, smokes, and violates your personal space when talking. Arghh..

Well, I'll save you the trip and you can copy and paste this to him, OR if you are the administrator grab your mints and read-on.


The problem is with the RMS URLs.

If you have a certification or licensing URL that contains a :443 you will have problems.

Office tries to match up CLC certificates with RACs by matching up the RMS URL embedded in those certs. If the certification cert has a :443, but the licensing cert doesn't then you'll hit this error.

I've fixed (err...worked around) this for a few customers recently, and the Office team is actively pursuing a fix.

I like to fix ( around) this issue by permanently fixing the ADRMS install so they dont have to worry about string comparisons within office. The upside is that once you do this procedure you don't have to worry about this problem that has been around since Office 2003. The downside is that you will need to write a logon script that removed all of your users %localappdata%\Microsoft\DRM\*.drm files so they can re-bootstrap, AND you will most likely need to Archive and recreate your RMS Templates if you are using them. If this sounds like a good trade off for a faster solution then follow along. Otherwise call support and see what other options exist.

Tip: If you want to test to see if this is your issue simply go into the users %localappdata%\Microsoft\DRM folder and edit the GIC-...file. Remove any:443 that is in there and save it. Try the application again. If it works...thats the problem. If it doesn't, it's probably something else.

1.) Go to the ADRMS server and open the ADRMS console.

2.) Right Click on the Server name, and go to Properties.

3.) Go to the 'SCP' tab and remove the SCP.

Skip to step 7 if you already have an extranet URL and your licensing URLs don't contain a :443.

4.) Go to the Cluster URLs tab, and check the box for 'Extranet URLs'

5.) Put the word 'test' in each of these and hit apply.

6.) Uncheck the 'Extranet URLs' box, and hit Apply, then OK.


7.) Close the ADRMS Console

8.) Re-open the ADRMS console

9.) Right Click on the server name>Properties>SCP Tab, and register the SCP.

- Check your RMS settings now and make sure that no :443 exists in any of the cluster URLs.

10.) Go to Regedit and create this key. (on each server)

HKLM/Software/Microsoft/DRMS (on 2008 you may have a 2.0 key under here..use that instead)

11.) Go to an Administrative command prompt and issue an IISRESET command. (on each server)

12.) Go to client PC and delete the %localappdata%\Microsoft\DRM folder.

13.) Close all office apps.

14.) Try again.


Note if you have templates do the following.


1.) Go to RMS server

2.) Go to templates section and archive all your templates by right clicking and choosing the archive option.

3.) Click on each template and choose Copy, to create a copy.

4.) Rename the new templates with a slightly different name. (You can't have two templates with the same name).

5.) Right click on the new template and choose to Distribute the template.

6.) Push these out to your users.


The last option is to wait for a patch for this patch (potentially written by a guy named Patch, wearing an eye patch, while conquering his cigarette addiction with a nicotine patch), and actually to open a support case to make sure you are notified as soon as it is fixed (bug issues are free). If you do the steps above, it won't matter either way because you won't be affected by any of the problems that require a patch to the patch.

Hope this helps.


Comments (11)

  1. Anonymous says:

    Very thanks 2 u. Let the force be with you !

  2. Anonymous says:

    thanks Jason, :443 workaround is a lifesaver.

  3. Anonymous says:

    Nice going, That worked a treat.   Many Thanks.


  4. Anonymous says:

    Two thumbs up for you, because I have the same problem and the results are OK

  5. Brilliant! Thank you for saving me a LOT of headache.


  6. Dilettanto says:

    Our server still issues GIC with an :443 port in its URL.

    Missing anything obvious here?

  7. AC says:

    Basic question when you say copy…/certification.asmx
    do you mean as is or change the rms.domain to my rms server name.domain

  8. Jason says:

    Change that to the cluster URL matching *your* environment.

  9. Daniel says:

    You've made my day, I've search a long time for this problem and your solution works great. Thanks a lot.

  10. Anonymous says:

    Pingback from Troubleshooting AD RMS | ..::Mendel's Weblog::..

  11. Alee says:

    When i try to install office 2010, i received an error saying ” An unexpected error has occurred. Setup rolling back changes” . what should i do ???

Skip to main content