EFS Data Recovery Agent not applied on domain computers
I've been banging my head against this issue for a week now. In summary, the data recovery agent certificate is not being applied to EFS when users start to encrypt files. Scenario is this: New domain, 2 DCs both 2008 R2 Enterprise CA. EFS Recovery Certificate Template duplicated to allow export of private key, certificate published to AD. GPO exists and is being applied (checked with gpresult) that sets a Data Recovery Agent (user account created for this purpose) under Computer / Security / Public Key / EFS. When a user turns on EFS in Windows 7 the user gets an EFS certificate which is stored in AD as expected, but nothing appears in the Recovery Certificate box (also tried with a new user and a new machine created just to test this). I had a number of issues getting an EFS recovery certificate generated from the duplicated template so have a hunch there may be an issue with the certificate or publishing of it in some way, but given the GPO thinks it's being applied I'm at a loss how to debug this. Thanks in advance for any help.
September 6th, 2012 12:17pm

Any pointers would be much appreciated
September 11th, 2012 8:02am

Hi Melakh, Which GPO contains your EFS Data Recovery Agent policy? If it's not in the Default Domain Policy then check the policy precedence of your GPO in the GPMC. The EFS Data Recovery Agent needs to be defined in either the Default Domain Policy or in another GPO that is set to a higher precedence in the GPMC than the Default Domain Policy. I had the EFS DRA defined in a 'Certificate Settings' GPO that was lower precedence than the Default Domain Policy. The Default Domain Policy didn't have any EFS policy defined within it, so by normal Group Policy rules my 'Certificate Settings' GPO should have applied - and indeed, RSoP showed it as applying correctly. However it didn't actually work until I bumped up the precedence of my 'Certificate Settings' higher than the DDP. I understand there are a number of settings in Windows Settings->Security Settings that work in this unexpected way, where the DDP can override settings in other GPOs despite not having anything relevant set in the DDP. This seems like a bug in Windows 7 Group Policy - or an 'undocumented feature' that needs a lot more documentation. Thanks, Llama-made
October 22nd, 2012 7:01am
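A quick way to check both halves of the answer above (GPO link precedence, and whether a recovery certificate actually lands on encrypted files) from an admin workstation. This is an added example, not code from any poster in the thread; it assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, that the machine is domain joined, and that the client has already run gpupdate.

```powershell
# Added example (not from the thread). Assumes RSAT GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# 1. List GPO links at the domain root in precedence order.
#    Lower Order = higher precedence. The GPO carrying the EFS DRA must sit
#    above (lower Order than) the Default Domain Policy, or be the DDP itself.
$domainDn = (Get-ADDomain).DistinguishedName
Write-Host "GPO link order at $domainDn (Order 1 wins):"
Get-GPInheritance -Target $domainDn |
    Select-Object -ExpandProperty GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 2. Verify on the client: encrypt a scratch file and ask cipher which
#    recovery certificates were attached to it. If the "Recovery Certificates"
#    section is empty, the DRA policy is not reaching this machine.
$scratch = Join-Path $env:TEMP 'efs-dra-check.txt'
'constructed test content' | Set-Content -Path $scratch
cipher.exe /e $scratch | Out-Null
cipher.exe /c $scratch          # shows Users and Recovery Certificates for the file

# Clean up the scratch file (decrypt first so no EFS metadata is left behind).
cipher.exe /d $scratch | Out-Null
Remove-Item $scratch -Force
```

Run step 1 on any machine with RSAT and step 2 on the Windows 7 client where users encrypt files; comparing the two tells you whether a precedence problem (as described in the answer) or a client-side certificate problem is the cause.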

Thanks Llama, I applied two changes that seem to have made it work - I bumped the EFS recovery agent policy into a higher level GPO (not at the DDP level but one level down), and also switched the certificate template back to 2003 compatibility - I haven't gone back and isolated which change resolved it, but one of them did. I also saw the same RSOP issue, it looked like everything was being applied but wasn't working.
October 31st, 2012 10:42am
