In most corporate environments, when you roll out RMS to the client machines you're talking about domain-joined machines that you are configuring via group policy, SCCM and similar desktop deployment tools. But what if you have a few users who need to have access to RMS-protected content from non-domain-joined clients? What if they need to apply rights-protections to content as well? With your custom templates no less, then what? Under some circumstances, it may be possible to get RMS configured on a non-domain-joined client machine just by asking the user to open a rights-protected document, but whether this will work or not depends on a lot of variables, and it's not a reliable solution. Your best bet is to hand the user an easy-to-run script packaged with your rights policy templates to line all the ducks up in a row automatically.