EFS Encrypted sub folders not coming back when using hardlinking to Win7
Hi,
I'm using hardlinking with USMT 4 via SCCM OSD. We have discovered an issue where users are reporting that not all folders are coming back. Specifically, it appears encrypted subfolders do not make it back with loadstate.
Here is my OSDMigrateAdditionalCaptureOptions Variable:
/nocompress /hardlink /uel:60
I tried to look at things like /efs:hardlink, but that tells me /efs:copyraw is already used as a default with USMT 4.0.
I have a few options it appears:
1) Try and find scanstate variables that will help me.
2) Try and find loadstate variables that will help me.
3) Try and decrypt encrypted folders as part of my task sequence.
If anyone has any suggestions for 1 or 2, please let me know.
In regards to 3, I'm not very versed with much usage on EFS, but I learned a ton today. I have the recovery cert in my possession, but it really does no good to me to manually pop it into my user store. Nor does it do any good to try and use certutil if I don't know where I should be putting it with a batch file.
Essentially, I am looking to have a batch file that:
certutil to place the recovery cert into a system account store to run
cipher /d /i /s:"c"
certutil remove cert
My issues seem that everything I read about EFS has to do with manually popping something into a user store to do recovery. From an enterprise perspective, if I'm re-imaging a whole bunch of machines every night, I should be able to have an ability to decrypt folders with the key under system context in a batch file. You would think that is possible?
Anyone who has experienced the vanishing encrypted subfolders with hardlinking, please comment!
June 11th, 2012 9:50am
Can you post your task sequence please?
June 11th, 2012 9:52am
I'll give you the scanstate and the loadstate, and we can go from there.
Machines have EFS encryption on their Vista user profiles.
Scanstate defaults with SCCM, with OSDMigrateAdditionalCaptureOptions set at:
/nocompress /hardlink /uel:60
Looks like all data in c:\usmt (data store) is there after scanstate
Loadstate is:
\\servername\loadstate.exe c:\usmt /i:\\servername\smspkgd$\pkgname\amd64\migapp.xml /i:\\servername\smspkgd$\pkgname\amd64\migdocs.xml /lac /c /nocompress /hardlink /ui:domainname\* /ue:%computername%\* /l:c:\%computername%.log
Also tried these variables thus far with the same issues, where encrypted folders do not bring back subfolders.
\\servername\loadstate.exe c:\usmt /i:\\servername\smspkgd$\pkgname\amd64\migapp.xml /i:\\servername\smspkgd$\pkgname\amd64\migdocs.xml /lac /lae /c /nocompress /hardlink /ui:domainname\* /ue:%computername%\* /l:c:\%computername%.log
\\servername\loadstate.exe c:\usmt /i:\\servername\smspkgd$\pkgname\amd64\migapp.xml /i:\\servername\smspkgd$\pkgname\amd64\migdocs.xml /c /nocompress /hardlink /ui:domainname\* /ue:%computername%\* /l:c:\%computername%.log
\\servername\loadstate.exe c:\usmt /i:\\servername\smspkgd$\pkgname\amd64\migapp.xml /i:\\servername\smspkgd$\pkgname\amd64\migdocs.xml /c /hardlink /nocompress /ui:domainname\* /ue:%computername%\* /l:c:\%computername%.log
I have removed servers and domains from the post for obvious reasons.
June 12th, 2012 4:32pm