Spat's WebLog (Steve Patrick)

When things go wrong...

Managing the Encrypted File System certs...or "preventing self signed certs."

This is an FYI.

How do you manage your users' use of EFS?

Do they use EFS at all? Do you know whether they use EFS?


I won't go into all the details of why this new DCR is so neat unless the readers really ask about it.

But this can save you from a huge headache if you are planning to deploy EFS. Without it, a user who encrypts a file while holding no EFS certificate gets a self-signed one generated on the spot, with a key that lives only in that user's profile and that nothing in your PKI issued or knows about.

The not-yet-public KB article is 912761; refer to it when you call PSS and ask for this DCR (design change request).





Install the hotfix on the XP machine.

Create the following registry key (the key itself is what matters; the article lists no value under it):

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS]

Once you have done this, reboot the client.

Now attempt to encrypt a file.


If you have no EFS cert and no Enterprise CA to request one from, the attempt now fails instead of silently generating a self-signed certificate. From Explorer you get an error dialog; from the command line via cipher.exe you will see:

Encrypting files in C:\Documents and Settings\efsr\Desktop\

New Text Document.txt [ERR]
New Text Document.txt: NO EFS certificate available.

0 file(s) [or directorie(s)] within 1 directorie(s) were encrypted.
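The three things an admin wants around this change, as an added example that is not part of the original post or of the hotfix: an inventory of which EFS certificates a user already holds and whether they are self-signed, creation of the policy key from the steps above, and a probe that runs cipher.exe on a throwaway file and classifies the result. It assumes PowerShell is available on the XP client and that the hotfix from KB 912761 is installed; the probe file name, the function names and the report columns are my own choices.

```powershell
# Added example, not from the original post. Assumes PowerShell on the XP client and
# that the KB 912761 hotfix is installed; probe file name and report layout are mine.

$efsEku    = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for Encrypting File System
$ekuExtOid = '2.5.29.37'                # id-ce-extKeyUsage extension
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'

# 1. Inventory: which EFS-capable certificates does the current user hold, and who
#    issued them? Subject == Issuer marks a self-signed cert. Existing certs keep
#    working after the hotfix; this tells you which users are already on one.
function Get-EfsCertReport {
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
        if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsEku })) {
            New-Object PSObject -Property @{
                Thumbprint    = $cert.Thumbprint
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                HasPrivateKey = $cert.HasPrivateKey   # needed to decrypt what it protected
                NotAfter      = $cert.NotAfter
            }
        }
    }
}

# 2. Policy: create the key from the post. The post lists only the key, so nothing
#    else is set here. Returns $true when the key exists afterwards.
function Set-EfsPolicyKey {
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    Test-Path $policyKey
}

# 3. Probe: encrypt a throwaway file the way the post does and classify cipher.exe's
#    output. Run this only AFTER the hotfix and the reboot: on an unpatched box a user
#    with no cert would get a self-signed one created by this very probe.
function Test-EfsEncrypt {
    param([string]$Path = (Join-Path $env:TEMP 'efs-probe.txt'))
    Set-Content -Path $Path -Value 'probe'
    $out = (& cipher.exe /E /A $Path 2>&1) | Out-String
    Remove-Item -Path $Path -Force -ErrorAction SilentlyContinue
    if ($out -match 'NO EFS certificate available') {
        return 'BLOCKED: no EFS certificate and self-signed generation is disabled'
    }
    if ($out -match '1 file\(s\)') {
        return 'ENCRYPTED: an existing or CA-issued EFS certificate was used'
    }
    return "UNEXPECTED: $out"
}

# Set-EfsPolicyKey belongs in the pre-reboot deployment step; inventory and probe
# are what you run afterwards to confirm the behaviour the post describes.
Get-EfsCertReport | Format-Table Thumbprint, SelfSigned, HasPrivateKey, Issuer -AutoSize
Test-EfsEncrypt
```

The SelfSigned and HasPrivateKey columns are the ones to act on before rolling this out: a user with a self-signed cert and a private key is unaffected by the change and can still decrypt, as the comment below notes, but you still need a recovery path for that key since no CA ever saw it; a user with no EFS cert at all will hit the BLOCKED case until they can enroll from an Enterprise CA.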


Key: self signed certificate EFS DRA DCR

Happy New Year!




  • What happens if a user has already started encrypting files? Can they continue to do so afterwards? Can they decrypt what they already have encrypted?
  • If they already have a cert they are using for encryption, then they will continue to use this cert; it will not prevent this.

    They can decrypt what was encrypted prior, as long as they possess the private key.