Spat's WebLog (Steve Patrick)

When things go wrong...

Managing the Encrypted File System certs...or "preventing self signed certs."

 

This is an FYI...

 

How do you manage your users related to EFS?

Do they use EFS? Do you know if they use EFS?

 

I won't go into all the details of why this new DCR is so neat... unless the readers really ask about it.

But - this can save you from a huge headache if you are planning to deploy EFS...

 

The not-yet-public article is 912761 - refer to this when you call PSS and ask for this DCR (design change request).

 

Usage:

 

 

Install the hotfix on the XP machine.

 

Create the following registry key:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS]

"EfsOptions"=dword:0

 

 

Once you have done this - reboot the client.

 

Now attempt to encrypt a file.

 

If you do not have an EFS cert, or you do not have an Enterprise CA to request one from, you will now get an error as seen below:

 

If you attempt to encrypt from the command line via cipher.exe you will see:

 

Encrypting files in C:\Documents and Settings\efsr\Desktop\

 

New Text Document.txt [ERR]

New Text Document.txt: NO EFS certificate available.

 

0 file(s) [or directorie(s)] within 1 directorie(s) were encrypted.
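
A way to check a client after the steps above, as an added example (not code from the original post or from Microsoft): this PowerShell script reads the EfsOptions value from the key shown earlier and lists the EFS certificates in the current user's store, flagging those whose subject equals their issuer. It assumes PowerShell is available on the client; the function names are hypothetical, and subject-equals-issuer is used as a heuristic for "self-signed".

```powershell
# Added example (not from the original post). Function names are hypothetical.
$EfsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'
$EfsEkuOid    = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage

function Get-EfsOptionsValue {
    # Returns the EfsOptions DWORD from the key given in the post,
    # or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $EfsPolicyKey -Name EfsOptions -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.EfsOptions
}

function Test-EfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # True when the certificate carries the EFS enhanced key usage.
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $EfsEkuOid) { return $true }
            }
        }
    }
    return $false
}

function Get-UserEfsCertificate {
    # Lists EFS certificates in the current user's personal store.
    # Assumption: Subject equal to Issuer is treated as "self-signed".
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { Test-EfsCertificate $_ } |
        Select-Object Thumbprint, Subject, Issuer, NotAfter, HasPrivateKey,
            @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } }
}

$value = Get-EfsOptionsValue
if ($null -eq $value) {
    Write-Output 'EfsOptions is not set on this machine.'
} else {
    Write-Output "EfsOptions = $value"
}

$certs = @(Get-UserEfsCertificate)
if ($certs.Count -eq 0) {
    Write-Output 'No EFS certificate in Cert:\CurrentUser\My.'
} else {
    $certs | Format-List
}
```

Run it in the session of the user being checked, since the certificate store it inspects is per-user.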

 

Key: self signed certificate EFS DRA DCR

Happy New Year!

 

Spat

 

Comments
  • What happens if a user has already started encrypting files? Can they continue to do so afterwards? Can they decrypt what they already have encrypted?
  • If they already have a cert they are using for encryption then they will continue to use this cert - it will not prevent this.

    They can decrypt what was encrypted prior, as long as they possess the private key