Confused about the EFS Recovery Agent Template
Hello, I am hoping someone can help me understand the purpose of the EFS Recovery Agent template. I'm confused about whether or not these certificates are issued to the users. Should each user with an EFS certificate also have an EFS Recovery Agent certificate? If they lose their EFS certificate are they to recover the files themselves using the recovery certificate? Or is it issued to a special account? I see that in the Group Policy Management Editor you can create a Data Recovery Agent. It seems this account would be able to access encrypted files that have had their keys lost. Is this the last resort, with the first resort being the users recovering the files themselves? If I didn't make my confusion clear, please let me know and I'll try to rephrase it. Thanks in advance, ruisu
October 13th, 2009 9:09am
If I'm not mistaken this is how it works. When a user encrypts a file with the user's EFS certificate, Windows will automatically also encrypt (the symmetric key that encrypted) the file with any existing EFS Recovery Agent certificate for the domain. Windows finds the EFS Recovery Agent certificate in Active Directory as it is published in the userCertificate attribute of the Key Recovery Agent's domain account. Then, in case a user loses his cert, the EFS Recovery Agent will be able to decrypt the file. By default the first administrator of the domain is the first EFS Recovery Agent, but best practice is to assign a couple of users (accounts) as the domain EFS Recovery Agents. You do this in a GPO for the domain. Check in gpmc.msc under Public Key Policies. Just add a Data Recovery Agent. However, the new EFS Recovery Agent needs a certificate first and this certificate must be published in the AD (see options in the template - Publish Certificate in Active Directory). But I might be mixing things up so don't take my word for it.
October 13th, 2009 10:46am
Thanks for the answer, SnorLars. Just to make sure:
* I should have the special user/account responsible for recovery request the EFS Recovery Agent certificate.
* I definitely do not want to have regular users autoenroll for both the EFS certificate and the EFS Recovery Agent certificate.
Is that correct?
October 13th, 2009 11:41am
That is correct. Designated Recovery user accounts are the way to go. Also please ensure that in the EFS Recovery Template the alternative to publish certificate to Active Directory is checked. You might have to duplicate the template to be able to check it. Remember that these Recovery Agents have the potential to decrypt everything encrypted after they were added as agent. That's pretty potent, so you need to protect these accounts. I know technicians hate it, but please establish a recovery policy before implementing it. Good luck.
October 13th, 2009 12:28pm
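The two answers above describe the mechanism (the file's encryption key is also wrapped for the Data Recovery Agent certificate that EFS finds in the account's userCertificate attribute) and the things to verify (the template publishes to AD, a small set of designated accounts). The script below is an added example for checking both, not code from this thread or from Microsoft. It assumes the RSAT ActiveDirectory module is installed, that the DRA account names and the sample file path are placeholders you replace, and that cipher.exe produces its English-language output; it looks for the "File Recovery" EKU OID 1.3.6.1.4.1.311.10.3.4.1, which is the EKU the EFS Recovery Agent template issues.

```powershell
# Added example (not from the thread): audit the designated EFS Data Recovery Agent
# accounts in AD and confirm that a given encrypted file carries a recovery entry.
# Placeholders: account names, the sample file path. Requires the RSAT ActiveDirectory module.

Import-Module ActiveDirectory

$recoveryAccounts = @('efs-recovery-1', 'efs-recovery-2')   # placeholder sAMAccountNames of the DRA accounts
$fileRecoveryEku  = '1.3.6.1.4.1.311.10.3.4.1'               # EKU OID "File Recovery"
$ekuExtType       = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

function Test-DraCertificate {
    # Returns $true when the account publishes at least one unexpired certificate whose
    # EKU contains File Recovery; that published certificate is what EFS picks up from AD.
    param([string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
    if (-not $user.userCertificate) {
        Write-Warning "$SamAccountName publishes no certificate in userCertificate (check 'Publish certificate in Active Directory' on the template)."
        return $false
    }

    $ok = $false
    foreach ($raw in $user.userCertificate) {
        $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        $ekuExt = $cert.Extensions | Where-Object { $_ -is $ekuExtType } | Select-Object -First 1
        $oids   = @()
        if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        $hasEku  = $oids -contains $fileRecoveryEku
        $now     = Get-Date
        $current = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        Write-Host ("{0}: {1} FileRecoveryEKU={2} valid={3} expires={4:yyyy-MM-dd}" -f `
            $SamAccountName, $cert.Thumbprint, $hasEku, $current, $cert.NotAfter)
        if ($hasEku -and $current) { $ok = $true }
    }
    return $ok
}

function Test-FileHasRecoveryEntry {
    # cipher.exe /c lists who can decrypt a file and, separately, the recovery certificates
    # whose keys also wrap its file encryption key. The section label below assumes the
    # English-language output of cipher.exe; entries run until the next blank line.
    param([string]$Path)

    $lines = @(& cipher.exe /c $Path 2>&1 | ForEach-Object { "$_" })
    $start = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'Recovery Certificates') { $start = $i + 1; break }
    }
    if ($start -lt 0) {
        Write-Warning "No recovery-certificate section for $Path (file not encrypted, or no DRA was in effect when it was encrypted)."
        return $false
    }
    $entries = @()
    for ($i = $start; ($i -lt $lines.Count) -and ($lines[$i].Trim() -ne ''); $i++) {
        $entries += $lines[$i].Trim()
    }
    $entries | ForEach-Object { Write-Host "  recovery entry: $_" }
    return ($entries.Count -gt 0)
}

# Run both checks and summarise.
$allGood = $true
foreach ($sam in $recoveryAccounts) {
    if (-not (Test-DraCertificate -SamAccountName $sam)) { $allGood = $false }
}
$sampleFile = 'C:\Data\secret.docx'   # placeholder: an EFS-encrypted file on this machine
if (-not (Test-FileHasRecoveryEntry -Path $sampleFile)) { $allGood = $false }

if ($allGood) { Write-Host 'DRA configuration looks consistent.' }
else          { Write-Host 'DRA configuration needs attention.' }
```

Run it from a domain-joined machine as an account that can read userCertificate (readable by domain users by default). A file that reports no recovery entry was typically encrypted before the DRA policy applied; such files only pick up the new recovery entry when they are next rewritten, or after a bulk refresh with cipher /u. The same script re-run after rotating a DRA certificate shows whether the old one is still the only one published, which is the usual reason recovery fails later.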
Thank you very much!
October 13th, 2009 11:10pm