EFS data recovery agents disappearing from details of file
Monday, May 14, 2012 10:11 PM
Auto-enrollment of EFS certificates is working, but when you check the details of a file after encrypting it, the data recovery agents are not displayed. Any idea what can cause this? The data recovery agents are well defined in the GPO linked to the domain.
- Edited by Tech11-EU Monday, May 14, 2012 10:12 PM
All Replies
Tuesday, May 15, 2012 5:19 AM
Probably the EFS recovery agent certificate is expired or invalid.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
Tuesday, May 15, 2012 10:12 AM
No, the recovery agent certs are valid until next year.
Tuesday, May 15, 2012 3:12 PM
Any other possibilities?
Wednesday, May 16, 2012 10:38 AM
Moderator
Wednesday, May 16, 2012 10:43 AM
Thanks for the update, Elytis. To clarify: the agent certs are configured in DDP and valid, and the correct EFS certs are being used to encrypt data, but the recovery agents are not appearing in the details of the encrypted file.
Wednesday, May 16, 2012 11:49 AM
Did you verify the recovery agent certificate for validity?
certutil -verify cert.cer
- Edited by Vadims PodansMVP Wednesday, May 16, 2012 11:50 AM
Thursday, May 17, 2012 7:40 AM
Hi,
Please help confirm the following points.
1. Does this issue happen to all encrypted files or only certain files?
2. If you encrypt a new file, does this issue happen to the new file?
Best regards, Jason Mei Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Thursday, May 17, 2012 9:21 AM
Vadims, yes, when certutil -verify is run against the cert it comes back good with no errors (revocation OK, not expired, etc.).
Jason, 1) I have only tested from one domain computer so far, so I will test from another and let you know. 2) Yes, it happens to newly encrypted data on the computer I am testing it on.
Thursday, May 17, 2012 10:02 AM
I think we have found the issue: inheritance was blocked on the OU the computer was under, so it was not getting the DRA certs from the domain policy.
Do you know what impact that will have on computers already issued with certs and which have encrypted data? I assume once inheritance blocking is removed the DRA certs will flow through and populate the encrypted data?
Friday, May 18, 2012 6:59 AM
Hi,
As you mentioned, the GPO that defines the data recovery agent policy is linked at the domain level, so if inheritance was blocked on the OU, the group policy will not be applied to the computers in that OU. This will affect newly encrypted files.
Add a recovery agent for a domain: http://technet.microsoft.com/en-us/library/cc778448(WS.10).aspx
Using Encrypting File System: http://technet.microsoft.com/en-us/library/bb457116.aspx
Best regards, Jason Mei
- Marked As Answer by Tech11-EU Tuesday, May 22, 2012 11:03 PM
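The check behind this answer, as an added example that is not part of the thread: confirm from a management host whether the OU holding the computer blocks inheritance of the domain-linked GPO that carries the EFS recovery agents (which live under Computer Configuration), and show the two fixes discussed here, un-blocking the OU or enforcing the link. The OU distinguished name, domain DN and GPO name are assumptions; the GroupPolicy RSAT module must be installed.

```powershell
# Added example (not from the thread). Assumed values: OU DN, domain DN, GPO name.
Import-Module GroupPolicy

$ouDn     = "OU=Workstations,DC=corp,DC=example"   # assumed OU of the affected computer
$domainDn = "DC=corp,DC=example"                   # assumed domain root where the GPO is linked
$gpoName  = "Default Domain Policy"                # assumed GPO that defines the EFS recovery agents

$inh = Get-GPInheritance -Target $ouDn
"Inheritance blocked on {0}: {1}" -f $inh.Path, $inh.GpoInheritanceBlocked

# Links the OU actually receives from its parents. An enforced link is not stopped
# by a block on a child OU, so an enforced domain link would still appear here.
$inh.InheritedGpoLinks | Select-Object DisplayName, Enforced, Enabled, Order | Format-Table -AutoSize

$reaches = $inh.InheritedGpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $reaches) {
    Write-Warning "$gpoName does not reach $ouDn; the DRA is not added to files newly encrypted on computers there."

    # Fix 1: remove the block on the OU so the domain link is inherited again
    # Set-GPInheritance -Target $ouDn -IsBlocked No

    # Fix 2: keep the block but enforce the domain link so it wins regardless
    # Set-GPLink -Name $gpoName -Target $domainDn -Enforced Yes
}

# Afterwards, on an affected computer: refresh computer policy and confirm the
# GPO is listed under "Applied Group Policy Objects".
#   gpupdate /target:computer /force
#   gpresult /scope:computer /r
```

Both fixes are left commented out so the script only reports; remove the comment marker on the one you want after checking the inherited links table. The policy change only affects files encrypted after the computer has refreshed policy, which is the point the thread goes on to discuss.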
Friday, May 18, 2012 7:59 AM
To clarify, for files already encrypted on computers where inheritance is blocked, what is the solution? By removing the block, will the recovery agents be able to decrypt them again? I just want to understand the impact this has had.
- Edited by Tech11-EU Friday, May 18, 2012 7:59 AM
Friday, May 18, 2012 12:20 PM
> by removing the block will the recovery agents be able to decrypt them again ?
or by enforcing the required link.
Monday, May 21, 2012 9:59 AM
No, we may need to decrypt them by unchecking "Encrypt contents to secure data" and then checking "Encrypt contents to secure data" again to re-encrypt them.
Best regards, Jason Mei
Monday, May 21, 2012 10:02 AM
Those are two different responses. Jason, are you saying that if inheritance of the domain policy (containing the DRA agents) was blocked at the site OU when the data was encrypted, it would require someone to decrypt and re-encrypt in order for the DRA agents to be usable on the data?
Monday, May 21, 2012 10:08 AM
First you need to enable the GPO link (or enforce it), and then re-encrypt the files.
Monday, May 21, 2012 10:10 AM
Don't suppose there is an easy way to identify all users who have encrypted data on their computers which doesn't have a DRA capable of recovering the data?
Monday, May 21, 2012 1:26 PM
I think you can look at the cipher.exe utility to automate this stuff.
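One way to do what the question above asks with cipher.exe, as an added example that is not part of the thread: walk a directory tree, pick out files carrying the Encrypted attribute, run `cipher /c` on each (the command-line equivalent of the Explorer details dialog the original question refers to) and report those whose output lists no recovery certificate. The root path is an assumption, and the parsing relies on the usual `cipher /c` layout, a "Recovery Certificates:" section followed by one "Certificate thumbprint:" line per agent. The script only reports; the remediation note at the end uses `cipher /u`, which refreshes the user's and recovery agents' key information on the encrypted files the running user holds keys for, so it is an alternative to the manual decrypt/re-encrypt mentioned earlier once the DRA policy actually reaches the computer.

```powershell
# Added example (not from the thread). Assumed: the root path below; cipher.exe output layout.
param(
    [string]$Root = "C:\Users"   # assumed starting directory; adjust per machine
)

function Get-EfsRecoveryAgentCount {
    # Runs "cipher /c" on one file and counts thumbprints in its recovery section.
    # Returns 0 when the section is missing (e.g. "No recovery certificate found.").
    param([string]$Path)
    $lines = & cipher.exe /c "$Path" 2>&1
    $inRecovery = $false
    $count = 0
    foreach ($line in $lines) {
        if ($line -match '^\s*Recovery Certificates:') { $inRecovery = $true; continue }
        if ($inRecovery) {
            # section ends at the blank line before "Key Information:"
            if ($line -match '^\s*$' -or $line -match '^\s*Key Information:') { break }
            if ($line -match 'Certificate thumbprint:') { $count++ }
        }
    }
    return $count
}

# Files with the EFS Encrypted attribute; -Force includes hidden/system, errors are skipped
$encrypted = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Encrypted) }

$report = foreach ($f in $encrypted) {
    New-Object PSObject -Property @{
        File           = $f.FullName
        Owner          = (Get-Acl -Path $f.FullName).Owner
        RecoveryAgents = (Get-EfsRecoveryAgentCount -Path $f.FullName)
    }
}

$missing = @($report | Where-Object { $_.RecoveryAgents -eq 0 })
"Encrypted files found: {0}; without any recovery agent: {1}" -f @($report).Count, $missing.Count

# Owners are the users who must be contacted (or whose files must be re-keyed)
$missing | Sort-Object Owner, File | Format-Table Owner, File -AutoSize

# Remediation, after the DRA policy reaches the computer, run as each affected user:
#   cipher /u       # re-keys user and recovery-agent info on that user's encrypted files
#   cipher /u /n    # only lists the encrypted files on local drives, changes nothing
```

Run it on each computer that sat in the blocked OU (or push it via a startup/logon script and collect the output); grouping the result by owner answers the "which users" part of the question. `cipher /u` has to run in the context of a user who can open the files, so the re-keying step is per user, not per machine.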
Tuesday, May 22, 2012 7:18 AM
Hi,
The reason the DRA is not listed under the encrypted files is that the GPO defining the DRA was not applied to the computer. So if we want all encrypted files to list the DRA, we should make the computer apply the policy and then re-encrypt them.
Best regards, Jason Mei