Basic EFS certificate Expiry
My company has an AD2003 domain with a root CA installed (not an enterprise CA). Some users are using EFS in our environment. The EFS Recovery Agent certificate will expire in Jun 2015. However, some users' "Basic EFS" certificates will expire very soon, in June 2011. Since the Recovery Agent cert is still valid until 2015, I just want to know what is going to happen after the Basic EFS cert expiry in Jun 2011. Can the Basic EFS certificate be renewed automatically after the expiry? Or would the system regenerate a new Basic EFS cert for the user after the expiry of the existing EFS cert? Or can the users not perform encryption anymore after expiry? Many thanks for your help!
May 25th, 2011 6:44am

The default Basic EFS template is a version 1 template and doesn't support autoenrollment. This means that a certificate will not be renewed automatically. The users have to go through the regular certificate enrollment process. Depending on your group policy settings, the system may generate a self-signed (not issued by your CA) EFS certificate.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
May 25th, 2011 8:14am

My company has an AD2003 domain with a root CA installed (not an enterprise CA). Some users are using EFS in our environment. The EFS Recovery Agent certificate will expire in Jun 2015. However, some users' "Basic EFS" certificates will expire very soon, in June. I just want to know whether the Basic EFS certificate can be renewed automatically upon expiry. Or would the system regenerate a new Basic EFS cert for the user after the expiry of the existing EFS cert? Or can the users not perform encryption anymore after expiry? Many thanks for your help!
May 25th, 2011 12:49pm

Hello, please see:
http://msmvps.com/blogs/alunj/archive/2007/03/24/efs-in-a-domain-expires-after-three-years.aspx
http://support.microsoft.com/kb/929103
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
May 25th, 2011 12:57pm

Hello, please see:
http://msmvps.com/blogs/alunj/archive/2007/03/24/efs-in-a-domain-expires-after-three-years.aspx
http://support.microsoft.com/kb/929103
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

Thanks for your prompt reply. However, in our case, the Recovery Agent cert is still valid until 2015. But the users' Basic EFS certificates will expire next month (Jun 2011). I just want to know what is going to happen after the Basic EFS cert expiry. For the expiry of the DRA in Jun 2015, we will handle it separately next year.
May 25th, 2011 1:09pm

It will be better to ask in Security forums:
http://social.technet.microsoft.com/Forums/en-US/ocssecurity/threads
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
Your question is not related to Directory Services so it will be better to ask there.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
May 25th, 2011 1:27pm

My understanding is that the system would issue a replacement self-signed Basic certificate... hth Marcin
May 25th, 2011 4:17pm
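
To see where a given user stands ahead of the expiry discussed in this thread, the following added example (not code from any of the posters) inventories the EFS certificates in the current user's store and flags ones that are expiring, self-signed, or currently selected by EFS. It assumes PowerShell 3.0 or later run in the affected user's session; the 30-day threshold and the helper name `Test-EfsCertificate` are choices made for this example.

```powershell
# Added example: inventory EFS certificates for the logged-on user.
$efsOid   = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$warnDays = 30                          # assumed warning threshold

# Hypothetical helper: true if the certificate carries the EFS EKU.
function Test-EfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $efsOid) { return $true }
            }
        }
    }
    return $false
}

# Thumbprint of the certificate EFS currently uses for new encryption, if set.
$inUse = $null
$regPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$key = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
if ($key -and $key.CertificateHash) {
    $inUse = ($key.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join ''
}

$now = Get-Date
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { Test-EfsCertificate $_ } |
    ForEach-Object {
        $days = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
        $status = if ($days -lt 0) { 'Expired' }
                  elseif ($days -le $warnDays) { 'ExpiringSoon' }
                  else { 'Valid' }
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Issuer        = $_.Issuer
            NotAfter      = $_.NotAfter
            DaysLeft      = $days
            Status        = $status
            SelfSigned    = ($_.Subject -eq $_.Issuer)  # not issued by the CA
            InUse         = ($_.Thumbprint -eq $inUse)
            HasPrivateKey = $_.HasPrivateKey            # still needed to decrypt old files
        }
    } |
    Sort-Object NotAfter |
    Format-Table -AutoSize
```

A row with both `SelfSigned` and `InUse` set to True corresponds to the self-signed replacement certificate the replies describe.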

This topic is archived. No further replies will be accepted.
