EFS delegation on file share

  • Question

  • Has encryption by delegation on a file share changed in Server 2016? I had a Server 2012 file server with delegation (using Kerberos only) set up and it worked fine: users could encrypt and decrypt files and set folders to encrypt all files within. I recently moved the file share to a Server 2016 system and it doesn't seem to work the same way. When a user encrypts a file, if the profile doesn't exist on the server, EFS sets it up, and if EFS cannot find a suitable cert, it requests one from our PKI (a Windows Server domain CA), and the server encrypts the file. The user can read/write/delete/decrypt with no problems at first. But a short time later, overnight for example, or just after logging off/rebooting, the user starts getting permissions errors trying to do anything with the file.

    I can decrypt the file on the server using the recovery cert, and then the user can access again. If the user tries to encrypt again at this point, they will get an invalid parameter error. We do not have credential or profile roaming enabled, and don't desire to do so. Any idea what could be wrong or if the way this works in 2016 was changed? Bug?

    Thursday, September 19, 2019 6:37 PM

All replies

  • Hi,

    Thank you for your question.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding.

    Best Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Friday, September 20, 2019 10:00 AM
  • How long a time delay? It's been a couple of weeks. Anyone else have experience with EFS on file share?
    Monday, October 7, 2019 5:34 PM