Export (0) Print
Expand All

Task Preset for Azure Media Encryptor

Updated: August 18, 2014

When you run Microsoft Azure Media Services processing tasks such as encoding and encryption, you can use task preset files to store configuration settings for the tasks. This topic contains the content of a task configuration file for encrypting on-demand Smooth Streams for use by Microsoft PlayReady. For more information on creating Azure Media Encryptor tasks, see Static Packaging.

In the PlayReady Protection task, Microsoft Smooth Streaming files (.ismv, .isma) are encrypted per the MPEG Common Encryption (CENC) specification (ISO 23001-7:2011) for use by Microsoft PlayReady and the client manifest is updated for use by Smooth Streaming clients.

You can use Dynamic Packaging to deliver DASH/CSF encrypted with CENC, HLS v3 and v4 encrypted with PlayReady, or Smooth Streaming encrypted with PlayReady only if your input asset is Smooth Streaming encrypted with PlayReady. Currently, you must use static packing and encryption to protect your Smooth Streaming with PlayReady. For more information, see Protecting Smooth Streaming and MPEG DASH with PlayReady.

To deliver MPEG DASH encrypted with PlayReady, make sure to use CENC options by setting the useSencBox and adjustSubSamples properties (described later in this topic) to true.

To take advantage of dynamic packaging, you must first get at least one On-demand Streaming reserved units. For more information, see How to Scale a Media Service.

Microsoft does not currently provide a license server. You can implement your own or use a third-party provider. For more information about implementing your own PlayReady license server see: Microsoft PlayReady Overview. For more information about available third-party PlayReady providers see: Engaging a PlayReady Service Provider.

If you do not currently have a PlayReady server to use, you can get settings for testing from the Microsoft PlayReady Test Server site. On the PlayReady test site, there is also a Silverlight client player that you can use to play back media content that you encrypt with PlayReady protection.

Azure Media Encryptor Preset

The following configuration xml encrypts on-demand Smooth Streams for use by Microsoft PlayReady and updates the client manifest. Copy the following configuration xml and use it to create a file named MediaEncryptor_PlayReadyProtection.xml on your local computer. Then update the configuration file with the required settings. Ask your licensing provider for the appropriate values to use.

To make the sample configuration file work with a task, provide the following values:

  • A licenseAcquisitionUrl value. You must specify values for the licenseAquisitionURL setting of your PlayReady license server.

  • A keyId value and a contentKey value. The keyId value can be a randomly generated guid (you can generate a guid for a keyId in code, or by using tools in Visual Studio). Key Ids must be unique and could only be associated with one content key. 

    It is recommended to use keySeedValue and keyId values to generate a contentKey value. The keySeedValue value is provided with a PlayReady license server, or for testing you can obtain a default value on the PlayReady test site. You can use the GeneratePlayReadyContentKey method to generate the content key based on keySeedValue and keyId. Once you generate the content key value, add the keyId and the associated contentKey to the configuration file.

    As an alternative to using keyId and contentKey, you can add a keySeedValue directly in the configuration file. Adding keySeedValue to the configuration file should only be done for testing purposes.

    securitySecurity Note
    Using a keySeedValue in a task configuration file is not recommended for production applications. Because the key seed is used to generate content keys for your PlayReady protected content, there is a security risk involved with storing it in configuration. For production PlayReady applications, the recommended practice is to use a keyId with a generated contentKey.

The following example uses the keySeedValue and licenseAcquisitionUrl values provided by the PlayReady test server. For more information, see the PlayReady test server.

<taskDefinition xmlns="http://schemas.microsoft.com/iis/media/v4/TM/TaskDefinition#">
  <name>PlayReady Protection</name>
  <description xml:lang="en" />
  <properties namespace="http://schemas.microsoft.com/iis/media/v4/SharedData#" prefix="sd">
    <property name="adjustSubSamples" value="true" />
    <property name="contentKey" value="" />
    <property name="customAttributes" value="" />
    <property name="dataFormats" value="h264, avc1, mp4a, vc1, wma, owma, ovc1, aacl, aach, ac-3, ec-3, mlpa, dtsc, dtsh, dtsl, dtse" />
    <property name="keyId" value="" />
    <property name="keySeedValue" value="XVBovsmzhP9gRIZxWfFta3VVRPzVEWmJsazEJ46I" />
    <property name="licenseAcquisitionUrl" value="http://playready.directtaps.net/pr/svc/rightsmanager.asmx" />
    <property name="useSencBox" value="true" />
    <property name="serviceId" value="" />
    <type>Microsoft.Web.Media.TransformManager.DigitalRightsManagementTask, Microsoft.Web.Media.TransformManager.DigitalRightsManagement, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35</type>

The configuration file must conform to the syntax rules of a well formed xml file.

The following table explains the properties of the Azure Media Encryptor xml:


Name Required Description



When encrypting subsamples on H.264 tracks, adjusts the clear space at the beginning of each subsample so that a whole number of encryption blocks is used. This leaves slightly more of the sample data unencrypted but maximizes player compatibility.



A base64-encoded 16-byte value, which is produced by the key seed in conjunction with the key ID and is used to encrypt content. You must enter a content key value if no key seed value is specified.



A comma-delimited list of name:value pairs (in the form name1:value1,name2:value2,name3:value3) to be included in the CUSTOMATTRIBUTES section of the WRM header. The WRM header is XML metadata added to encrypted content and included in the client manifest. It is also included in license challenges made to license servers.



A comma-delimited list of four-character codes (FourCCs) that specify the data formats to be encrypted. If no value is specified, all data formats are encrypted.



A globally unique identifier (GUID) that uniquely identifies content for the purposes of licensing. Key Ids must be unique and could only be associated with one content key. If no value is specified, a random value is used.


true, if a contentKey is not specified. Otherwise, false.

A fixed, base64-encoded 30-byte value that enables a protection task to auto-generate the key for each content item. A key seed is used together with a key ID to generate a content key. Typically, one key seed is used with many key IDs to protect multiple files or sets of files; for example, all files issued by a license server or perhaps all files by a particular artist. Key seeds are stored on license servers.

You can use the following Media Services SDK for .NET method to generate the content key based on the keySeedValue: GeneratePlayReadyContentKey.



The Web page address of a license server (for example, a PlayReady license server). A client player uses the URL to contact the license server and obtain a license to decrypt the content for playback.



Use a 'senc' box to hold encryption metadata instead of a Protected Interoperable File Format (PIFF) 1.1 'uuid' box.



The service ID to include in the PlayReady header that is added to each file and in the client manifest (.ismc). This value must be a globally unique identifier (GUID) in Little Endian string form (like this 237A4EB1-9D01-4F4A-A2D2-79E51468014D)

The following topics demonstrate how to encrypt with PlayReady:

  1. Protecting Smooth Streaming and MPEG DASH with PlayReady

  2. Producing HLSv3 Encrypted with PlayReady

See Also

Build Date:


Community Additions

© 2014 Microsoft