Microsoft PlayReady DRM – How Does It Work?

Microsoft PlayReady is a popular DRM solution with extensive support for the Windows Operating System and other mobile & TV platforms. In this edition of the Hitchhiker’s Guide to DRM, we take an in-depth look at how Microsoft’s PlayReady DRM works. We also take a look at the building blocks of PlayReady, its Security Levels, device support, and License Acquisition methods.

PlayReady DRM

Microsoft’s PlayReady is a DRM solution and a platform used for content protection and distribution. It provides the same benefits provided by Apple’s FairPlay and Google’s Widevine with respect to a secure client-side SDK (for content decryption and secure decoding and rendering), a license server, and the handling of licenses and keys during transit from the client to the servers and vice-versa.

  • PlayReady also provides other features such as Metering, Domains and Domain-based licenses, Breach Response, Key Rotation for Live streaming, etc.
  • PlayReady DRM supports MPEG-DASH, HLS, and Microsoft Smooth Streaming (MSS) streaming formats. The input videos can be in either fmp4mp4, or ismv / isma used in MSS.
  • PlayReady v4 has support for CENC-based encryption using either AES–CTR and AES–CBC encryption modes.
  • PlayReady supports Subscription, Pay-per-view, Rental, Purchase, and Ad-based business models.
  • And, PlayReady has multiple security levels and features to prevent piracy.

In the next few sections, lets take a look at the building blocks of PlayReady DRM, the typical DRM workflows, security levels, device support, and more.

Building Blocks of PlayReady DRM.

The building blocks of Microsoft PlayReady DRM are as follows –

Video Packager and the Content Packaging Server

  • Similar to FairPlay and Widevine, the content which needs to be protected is first packaged into a format suitable for video streaming using OTT video delivery. PlayReady supports input provided in MPEG-DASH, HLS, and Microsoft Smooth Streaming (MSS) streaming formats. The input videos can be in either fmp4mp4, or ismv / isma used in MSS.
  • The packaged and encrypted content is stored in a Content Packaging Server while the license information and encryption keys are sent to the License Server.

Key and KeyID

  • When a content is encrypted using PlayReady, two pieces of information are vital – the Key and the KeyID.
  • The Key is the actual AES encryption key and the KeyID is an unique value (GUID) that associates a Key with a content.
  • The Key is sent to the License Server and is a private value.
  • The KeyID is a public value and is embedded in clear (readable) format in the manifest by a packager.

License Server

  • As the name suggests, a License Server’s primary duty is to provide license information to an authenticated client so that the client can play back a protected video.
  • It relies on a Key Management System (KMS) or a database to store the Keys and KeyID. The KMS design is not part of PlayReady’s specifications.

PlayReady Domain Controller (or Domain Server)

  • PlayReady Domain is a feature of PlayReady that allows content providers to provide licenses bound to a group of devices, and not just one device. This group of devices is called a “Domain” and they can share the license with each other instead of contacting the License Server each time.
  • The Domain Controller specifies rules that decide the defintion of a Domain (e.g. identity of a single user or family). It also enforces the policy defining how many devices or PCs may join the domain, leave the domain, or renew their domain certificate.

Metering Servers

  • PlayReady Metering is a feature of PlayReady that counts the number of times a content was played. The count can be generated and stored at the client.
  • A PlayReady Metering Server aggregates the counts from all the PlayReady clients and lets the Clients know that they can reset their individual counts.
  • This is useful in tracking how many times a video was played and accordingly pay royalties.

How does Microsoft PlayReady DRM Work?

In this section, let us understand how Microsofts PlayReady DRM works. The explanation here references the building blocks of PlayReady explained in the previous section.

playready drm microsoft
PlayReady Workflow from Microsoft

Step 1: The content that needs to be encrypted is first packaged and then encrypted. After encryption, the content is sent to the Distribution Server. The license and encryption keys are sent to the License Server, and the domain information is sent to the Domain Server.

Step 2: At the player, when the user presses the “Play” button, the player recognizes that the content is encrypted and communicates this to the CDM in the browser (via the EME). The CDM generates a license request and the player sends this to the License Server. The request sent from the client contains the KeyID and information about the client as well.

Step 3: The License Server uses the KeyID to get the Keys from the Key Management System and sends it to the client along with othe relevant license information. The response from the License Server contains –

  • The content encryption key.
  • The rights of the license.
  • The right restrictions and right modifiers, also known as the conditions of the license.

Step 4: The player receives the license from the License Server and passes it to the CDM (via the EME). Since the message is encrypted, the player and any other software cannot read it and misuse it.

Step 5: The CDM or the hardware component in some devices will take the response from the License Server, extract the content key from it, and use the Key to decrypt, decode, and render the video. PlayReady also provides the License Store that can be implemented on the client to store the key and the rights at the client. This is sometimes called the Hashed Data Store or HDS.

Great – you know have a working knowledge of PlayReady DRM!

License Acquisition in PlayReady

It is important to know that there are two methods of license acquisition in PlayReady –

  • Proactive: in this method, the client sends license requests to the License Server even before playback begins (e.g. the user is browsing content and reading the summary of a movie – a high indicator he might watch it).
  • Reactive: in this method, after the user presses “Play”, the client searches for the license in the License Store (a Hashed Data Store) in the client. If it finds a license for that content, it can start playback immediately. If it does not find a license, it needs to ask the License Server for a new license. Please note that Microsoft Playready provides the tools to build a License Store (HDS) on the client.

It is important to consult or ask your DRM vendor whether they support both Proactive and Reactive license acqusition as it can affect your workflow and client implementation.

Now, let’s move on to the security levels and features offered by PlayReady.

PlayReady Security Levels – SL150, SL2000, SL3000

PlayReady has three Security Levels or SLs – SL150, SL2000, and SL3000.

But we move on to the security levels, let’s learn about the Trusted Execution Environment (TEE). This is defined in Wikipedia as

“a secure area of a main processor that guarantees code and data loaded inside to be protected with respect to confidentiality and integrity”

The Trusted Execution Environment is very important to DRM because it enhances security greatly and plays a critical role in ensuring that the decryption keys and the decrypted videos are not leaked or stolen.

With that understanding, let’s see the differences between PlayReady’s SL150, SL2000, and SL3000.


  • SL150 is the lowest level of security in PlayReady
  • it is not recommended for product and should only be used in closed-door testing.
  • in SL150, nothing is protected (assets, clients, keys, etc) and anything can be hacked.


  • it can be used in production scenarios and on commercial content.
  • in SL2000, the content, assets, keys, clients are proteced either in software or hardware.


  • SL3000 is the most secure form of PlayReady DRM and was introduced in 2015 along with PlayReady v3.
  • there is hardware protection of assets, clients, and keys via the Trusted Execution Environment.
  • usually, HD, UHD, HDR content are protected using SL3000

How Are The Security Levels Imposed?

As described by Microsoft’s documentation, the Security Level is a property of the Client Certificate embedded in the client at manufacturing time. And so, when a client makes a license request, it also mentions what its security level is.

The License Server examines the client’s security level and returns the content key for the appropriate resolutions. For example, if a content provider wanted ony clients with SL3000 to watch 1080p, and the client provides a security level of SL2000, then the License Server will not return the content key of the 1080p stream.

The License Server also specifies the MinimumSecurityLevel set to either SL150, SL2000, or SL3000. The client needs to check this value and refuse to play the stream if its own security level is lower than the minimum value specified.

Business Models

As mentioned before, PlayReady supports Subscription, Pay-per-view, Rental, Purchase, and Ad-based business models. Let’s take a brief look at the differences and the features between these business models.


In this model, the license can either be time-based or chained.

  • Time-based model: the license is valid only for a specified period of time. If the subscription is active and the license is close to expiry, then the license is automatically renewed. If the subscription is cancelled, then the license is automatically invalid.
  • Chained: in this model, there is the concept of a root license and a leaf license. The root license contains the subscription’s time based policies and the leaf licenses are tied to it. When the root license expires, the leaf licenses also expire.


In this business model, PlayReady pre-delivers the content licenses to the subscribers and also acknowledges that the licenses were successfully stored on the client’s device.


This is a basic time-based license with flexibilities. You can specify for how long the license is valid (1 day, or 30 days, or 24 hours from pressing play, etc. )


In this business model, the assumption is that the license is issued with no expiration at all. Additionally, when a person purchases a content, then PlayReady enables copying to a different device, or converting the content into any other DRM scheme.

Where is Microsoft’s PlayReady DRM Supported?

PlayReady is supported on several platforms such as –

  • Windows Ecosystem
  • XBox & PlayStation
  • Android
  • iOS
  • Chromecast
  • Roku
  • Browers such as Edge and IE11
  • SmartTVs (Samsung, LG, etc.)


I hope by now you have a good understanding of how Microsoft’s PlayReady DRM works. There is a lot of information online along with code samples, players, and SDKs to help you go deeper into PlayReady and implement it.

So, until next time, take care and see you soon!

krishna rao vijayanagar
Krishna Rao Vijayanagar

I’m Dr. Krishna Rao Vijayanagar, and I have worked on Video Compression (AVC, HEVC, MultiView Plus Depth), ABR streaming, and Video Analytics (QoE, Content & Audience, and Ad) for several years.

I hope to use my experience and love for video streaming to bring you information and insights into the OTT universe.

1 Comment

  1. Hello.

    You wrote “CENC, CDM, EME, MSE – we looked at these in the DRM building blocks article and won’t be repeating the explanation here.”. But there is no MSE abbreviature explenation in the “DRM building blocks” article.

Leave a Reply

Your email address will not be published.