AD RMS PowerShell errors when run from FSRM Tasks - 2012R2

0

Running into issues when trying to run the FCI PowerShell script. See error below.

I created a stripped-down version of the script that basically only included the Protect-RMSFile cmdlet and get the same error as above. This is for ADRMS on-premise. When I run the task from File Server Resource Manager > File Management Tasks > [Task] > Run File Management Task Now, the debug log shows the error. I run the task as Local System. I had read that perhaps some ipsec* DLLs needed to be copied to various folders, and did so.

If I run Protect-RMSFile directly from PowerShell, it executes flawlessly and protects the file as expected. If the same command is run as a File Management Task, it errors.

[2017-05-16T08:53:44.5232269-07:00] [INFORMATIONAL] [214] Logging location : C:\Users\Default\AppData\Local\Microsoft\MSIPC\pscmdlet\Logs\debug.log ["C:\\Users\\Default\\AppData\\Local\\Microsoft\\MSIPC\\pscmdlet\\Logs\\debug.log"]
[2017-05-16T08:53:44.6638518-07:00] [INFORMATIONAL] [215] Working directory : C:\Windows\TEMP\RMSProtection\4o1gco3x.xjl ["C:\\Windows\\TEMP\\RMSProtection\\4o1gco3x.xjl"]
[2017-05-16T08:53:44.6638518-07:00] [VERBOSE] [401] Calling IpcInitialize... ["Calling IpcInitialize..."]
[2017-05-16T08:53:44.6638518-07:00] [VERBOSE] [401] Calling IpcSetStoreName... ["Calling IpcSetStoreName..."]
[2017-05-16T08:53:44.6638518-07:00] [VERBOSE] [401] IpcSetStoreName successful... ["IpcSetStoreName successful..."]
[2017-05-16T08:53:44.6638518-07:00] [VERBOSE] [401] IpcInitialize successful ["IpcInitialize successful"]
[2017-05-16T08:53:44.6638518-07:00] [VERBOSE] [401] +IpcSetApplicationId ["+IpcSetApplicationId"]
[2017-05-16T08:53:44.6638518-07:00] [VERBOSE] [401] +IpcSetApplicationId ["+IpcSetApplicationId"]
[2017-05-16T08:53:44.6638518-07:00] [VERBOSE] [401] Client mode already initialized ["Client mode already initialized"]
[2017-05-16T08:53:44.6794764-07:00] [INFORMATIONAL] [301] Starting Protection Version : 2.0.0.0 ["Protection","2.0.0.0","2017-05-16 15:53:44Z"]
[2017-05-16T08:53:44.6794764-07:00] [VERBOSE] [401] Starting 2.0.0.0 Version : 2017-05-16 15:53:44Z ["Starting 2.0.0.0 Version : 2017-05-16 15:53:44Z"]
[2017-05-16T08:53:44.6794764-07:00] [INFORMATIONAL] [212] Component : 'File1-415e47b19d2b.pdf' moved from 'New' to 'Protected' ["File1-415e47b19d2b.pdf","New","Protected"]
[2017-05-16T08:53:44.6794764-07:00] [VERBOSE] [204] Protecting : File1-415e47b19d2b.pdf ["File1-415e47b19d2b.pdf"]
[2017-05-16T08:53:44.6794764-07:00] [VERBOSE] [205] Encrypting : C:\PROTECTED\2\OUTPUT\File1-415e47b19d2b.pdf ["C:\\PROTECTED\\2\\OUTPUT\\File1-415e47b19d2b.pdf"]
[2017-05-16T08:53:44.6794764-07:00] [VERBOSE] [401] Calling IpcfEncryptFile ["Calling IpcfEncryptFile"]
[2017-05-16T08:53:44.6951020-07:00] [VERBOSE] [401] Calling IpcCreateLicenseFromTemplateId... ["Calling IpcCreateLicenseFromTemplateId..."]
[2017-05-16T08:53:44.7263515-07:00] [INFORMATIONAL] [212] Component : 'File1-415e47b19d2b.pdf' moved from 'Protected' to 'Errored' ["File1-415e47b19d2b.pdf","Protected","Errored"]
[2017-05-16T08:53:45.0232260-07:00] [ERROR] [504] Error protecting File1-415e47b19d2b.pdf with error: The system cannot find the file specified. HRESULT: 0x80070002
at Microsoft.InformationProtectionAndControl.SafeNativeMethods.ThrowOnErrorCode(Int32 hrError)
at Microsoft.InformationProtectionAndControl.SafeNativeMethods.IpcCreateLicenseFromTemplateId(String templateId)
at RMSProtection.Core.Protection.FileProtection.BuildLicense(FileProtectionConfig config)
at RMSProtection.Core.Protection.FileProtection.<>c__DisplayClass3.<Protect>b__1()
at RMSProtection.Core.Protection.FileProtection.EncryptFile(Func`1 action, FileSystemInfo sourceFile)
at RMSProtection.Core.Protection.Protector.ProtectFile(Component component, FileSystemInfo file, FileProtectionConfig options)
at RMSProtection.Core.Protection.Protector.Protect(Component component, FileProtectionConfig options) ["File1-415e47b19d2b.pdf","The system cannot find the file specified. HRESULT: 0x80070002","   at Microsoft.InformationProtectionAndControl.SafeNativeMethods.ThrowOnErrorCode(Int32 hrError)\r\n   at Microsoft.InformationProtectionAndControl.SafeNativeMethods.IpcCreateLicenseFromTemplateId(String templateId)\r\n   at RMSProtection.Core.Protection.FileProtection.BuildLicense(FileProtectionConfig config)\r\n   at RMSProtection.Core.Protection.FileProtection.<>c__DisplayClass3.<Protect>b__1()\r\n   at RMSProtection.Core.Protection.FileProtection.EncryptFile(Func`1 action, FileSystemInfo sourceFile)\r\n   at RMSProtection.Core.Protection.Protector.ProtectFile(Component component, FileSystemInfo file, FileProtectionConfig options)\r\n   at RMSProtection.Core.Protection.Protector.Protect(Component component, FileProtectionConfig options)"]
[2017-05-16T08:53:45.0232260-07:00] [LOGALWAYS] [602] Id : 1, Type : FileLeaf, Description : File1-415e47b19d2b.pdf, Location : File1-415e47b19d2b.pdf, TempFilePath: C:\PROTECTED\2\OUTPUT\File1-415e47b19d2b.pdf, Error : Failed to protect ["1","FileLeaf","File1-415e47b19d2b.pdf","File1-415e47b19d2b.pdf","C:\\PROTECTED\\2\\OUTPUT\\File1-415e47b19d2b.pdf","Failed to protect"]
[2017-05-16T08:53:45.0232260-07:00] [VERBOSE] [401] 1 ["1"]
[2017-05-16T08:53:45.0232260-07:00] [INFORMATIONAL] [302] Completed Protection after '0:00:00.3480937', successfully completed processing of 0 of 1 items, failed processing 1 of 1 ["Protection","0:00:00.3480937",0,1,1]
powershell
rms
asked on Stack Overflow May 16, 2017 by Stellar1 • edited May 16, 2017 by BenH

1 Answer

0

This won't work for AD RMS. The error "The system cannot find the file specified" concerns the missing RMS policy template file. The FSRM tasks run as Local System, Local Service or Network Service - these accounts cannot be bootstrapped according to the MSIPC Client to work with the AD RMS policy templates as expected.

Here is what I would recommend:

- Use the AIP PowerShell cmdlet of the newest AIP Preview Client
- Check out the "IntegratedAuth" feature (only preview so far) https://docs.microsoft.com/en-us/powershell/module/azureinformationprotection/Set-RMSServerAuthentication?view=azureipps. This should run the command in Server mode (as the computer account, which must be authorized on the ServerCertification.asmx on each AD RMS server)

answered on Stack Overflow Nov 3, 2017 by webbatastic
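
The recommendation in the answer above, written out as an FSRM task wrapper. This is an added example, not code from the original post or from Microsoft's FCI script. It assumes an AzureInformationProtection module version that supports `Set-RMSServerAuthentication -IntegratedAuth` and a computer account already authorized on ServerCertification.asmx; the log path and the script's parameter names are hypothetical.

```powershell
# Added example (not from the original post): wrapper script for an FSRM File Management Task.
# Assumptions: AzureInformationProtection module with -IntegratedAuth support is installed;
# the file server's computer account is authorized on ServerCertification.asmx.
param(
    [Parameter(Mandatory = $true)][string] $File,        # FSRM argument: "[Source File Path]"
    [Parameter(Mandatory = $true)][string] $TemplateId,  # template GUID configured on the task
    [string] $LogPath = (Join-Path $env:TEMP 'rms-fci-task.log')  # hypothetical log location
)

$ErrorActionPreference = 'Stop'

function Write-TaskLog([string] $Message) {
    # Record the identity as well: the failure in the question depends on who runs the task.
    $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    Add-Content -Path $LogPath -Value ('{0:o} [{1}] {2}' -f (Get-Date), $who, $Message)
}

try {
    Import-Module AzureInformationProtection

    # Server mode: authenticate to AD RMS as the computer account.
    Set-RMSServerAuthentication -IntegratedAuth

    # Fail early, with a clear message, if the template is not visible to this identity.
    $wanted   = [guid] $TemplateId
    $template = Get-RMSTemplate | Where-Object { ([guid] $_.TemplateId) -eq $wanted }
    if (-not $template) {
        throw "Template $TemplateId is not available to this account."
    }

    Protect-RMSFile -File $File -InPlace -TemplateID $TemplateId | Out-Null
    Write-TaskLog "Protected '$File' with template '$($template.Name)'."
    exit 0
}
catch {
    Write-TaskLog "FAILED '$File': $($_.Exception.Message)"
    exit 1   # non-zero exit code marks the run as failed
}
```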

User contributions licensed under CC BY-SA 3.0