Group Policy Recovery Agent EFS not being used

Tags: encrypting-file-system, group-policy

I am trying to get EFS working on our workstations. First, when I tried to set a directory to be encrypted, I got a warning about the Recovery Agent certificate being invalid.

It turned out that the default one set up when my domain was first set up many years ago had expired so I created a new one and added an "EFS Data Recovery Agent" to a GPO at Computer Configuration -> Policies -> Windows Settings -> Security Policies -> Public Key Policies -> Encrypting File System.

When I perform a "Group Policy Results" for a given workstation and user, it shows the new agent, so it's definitely in the Group Policy.

Also, after running "gpupdate /force /wait:-1" (and also waiting 24 hours!), when I try to set a directory to be encrypted I no longer get the warning about an invalid Recovery Agent.

So far so good, I thought. However, the Recovery Agent is not being used, which I have proved by:

  1. backing up and then removing the "user" EFS cert and having just the recovery agent certificate and private key imported; I get access denied when trying to read the file
  2. running cipher /c; I get "No recovery certificate found."
  3. drilling down through the properties of the file and the advanced encryption details; the list of recovery agents is blank.

Anyone got any ideas what is going on and how I get the recovery agent to be used?

Best Answer

I'm not exactly sure what is preventing the DRA from being set on the file, but here is a breakdown of the EFS GPOs I have, which may help you verify all the components are in place. Getting EFS set up is a pretty complex patchwork of components if you ask me.

  • Computer GPO for Recovery Policy. It sounds like you have this set up correctly with the certificate of your DRA. Do you have a certificate template defined on your CA that is used for automatic EFS certificate requests?
  • Computer GPO to Disable Self-Signed certs. This sets a registry value that disables the ability to use self-signed certs.
  • User GPO to Enable Cert Autoenrollment and Credential Roaming. Enables automatic enrollment of new certificates for the logged-on user. Also lets the user's certificate and keys roam with the user wherever he logs on.
  • User GPO to Encrypt folders. Logon script that runs cipher.exe as the user to encrypt his folders.

This configuration assumes you are using Microsoft AD Certificate Services and not self-signed certs.
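The checks the question describes (cipher /c, the file's recovery-agent list) and the answer's component breakdown can be turned into a single verification script run as the affected user on the workstation. This is an added example, not code from the question or the answer. It assumes PowerShell 3 or later, a scratch file path under $env:TEMP, and that the applied computer recovery policy is written under the SystemCertificates\EFS policy registry key (verify that location on your own build before relying on it); the EKU OIDs are the standard Microsoft ones for EFS and File Recovery.

```powershell
# Added example: verify that the EFS recovery policy reached this workstation
# and that newly encrypted files actually carry a DRA. Run as the normal user
# on the workstation, after gpupdate. Assumptions (not from the original page):
# the scratch path, and that the applied recovery policy lands under $PolicyKey.

$EfsEku      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System EKU
$RecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery EKU (what a DRA cert carries)
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS'
$Scratch     = Join-Path $env:TEMP 'efs-dra-check.txt'

function Test-EfsRecoveryPolicyApplied {
    # 1. Did the computer GPO write a recovery policy to this machine at all?
    if (-not (Test-Path $PolicyKey)) {
        Write-Warning "No EFS policy key at $PolicyKey - the computer GPO has not applied here."
        return $false
    }
    $certsKey = Join-Path $PolicyKey 'Certificates'
    $entries  = if (Test-Path $certsKey) { @(Get-ChildItem $certsKey) } else { @() }
    Write-Host "Recovery policy certificate entries: $($entries.Count)"
    $entries | ForEach-Object { Write-Host "  thumbprint: $($_.PSChildName)" }
    return ($entries.Count -gt 0)
}

function Get-UserEfsCertificates {
    # 2. Which certificate(s) will this user encrypt with, and did a CA issue them?
    #    A self-signed cert (Subject -eq Issuer) means autoenrollment is not working.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku } |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                SelfSigned = ($_.Subject -eq $_.Issuer)
                NotAfter   = $_.NotAfter
            }
        }
}

function Get-RecoveryAgentCertificates {
    # Any DRA certificate (File Recovery EKU) visible in the user's or machine's stores.
    # Only the DRA's private key holder needs the key; workstations just need the cert.
    Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $RecoveryEku } |
        Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey
}

function Test-NewFileGetsDra {
    # 3. Encrypt a fresh file and ask cipher which certificates can open it.
    #    The DRA is added only when a file is encrypted (or re-keyed), so an
    #    existing file encrypted before the policy arrived proves nothing.
    'dra check' | Set-Content -Path $Scratch
    [System.IO.File]::Encrypt($Scratch)
    $attrs = (Get-Item $Scratch).Attributes
    if (-not ($attrs -band [System.IO.FileAttributes]::Encrypted)) {
        Remove-Item $Scratch -Force
        throw "Encrypting $Scratch did not take effect"
    }
    $out = (& cipher.exe /c $Scratch 2>&1) | Out-String
    Write-Host $out
    Remove-Item $Scratch -Force
    # cipher prints "No recovery certificate found." when no DRA was applied.
    return ($out -notmatch 'No recovery certificate found')
}

$policyOk = Test-EfsRecoveryPolicyApplied
Write-Host "`nUser EFS certificates:";      Get-UserEfsCertificates      | Format-Table -AutoSize
Write-Host "`nDRA certificates visible:";   Get-RecoveryAgentCertificates | Format-Table -AutoSize
$fileOk = Test-NewFileGetsDra
Write-Host ("Policy applied: {0}; new file carries a DRA: {1}" -f $policyOk, $fileOk)
# If policy applied but new files still lack a DRA, re-check the GPO after a reboot;
# if new files are fine but old ones are not, run "cipher /u" as each user to
# re-key already-encrypted files with the current recovery agent.
```

The split between the three checks is deliberate: a missing policy key points at GPO scoping or processing on the computer side, a self-signed user certificate points at the CA template or autoenrollment, and a freshly encrypted file without a DRA while the policy key is present is the symptom the question describes. Files encrypted before the new DRA arrived keep their old recovery field until they are touched, which is what `cipher /u` is for.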
