EFS and Certificate Authority
Hi. Each time you encrypt a file on a system for the first time, an EFS certificate with a public key and associated private key is issued to you. You end up with one set of EFS keys (private and public) for each system you log in to to perform encryption... How do I ensure that the same set of EFS keys is used for encryption and decryption on any system I log in to within a domain? Is a CA the solution? If yes, how? Thanks
July 5th, 2011 9:24am

There are 2 options:
1) implement smart cards for EFS if your systems are Windows Vista and newer.
2) implement Credential Roaming service if your systems are lower than Vista and/or you don't have smart cards.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
July 5th, 2011 9:35am

Thanks for your quick response. If I have a CA in the domain to issue the certificates, does it help? I mean, each time a user logs in to a system and performs encryption, does it request the same public key and private key from the CA when decrypting?
For option 1 - how does the system know to pick up the public/private keys from the smart card to encrypt/decrypt?
For option 2 - Roaming profile, I guess. This would mean that the public and private keys are stored in the AD domain controller, right?
Thanks
Anthony
July 5th, 2011 10:02am

1) For Windows Vista and Windows 7, you can choose which key to use, which allows you to designate the certs on the smart card.
2) This is not Roaming Profiles, but Credential Roaming Services (huge difference). You are only roaming credential information, not the entire user profile. See this link: http://technet.microsoft.com/en-us/library/cc700815.aspx
Brian
July 5th, 2011 10:50am
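
A way to check, on each machine a user logs in to, whether EFS is using the same certificate everywhere. This is an added example, not code from the thread; it assumes PowerShell 3.0 or later (for the `EnhancedKeyUsageList` property) and is run as the user in question.

```powershell
# EFS enhanced key usage OID (Encrypting File System).
$EfsOid = '1.3.6.1.4.1.311.10.3.4'

# Thumbprint of the certificate EFS currently uses for this user on this machine.
# The value is stored as a byte array, so convert it to an uppercase hex string.
$keyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$hash = (Get-ItemProperty -Path $keyPath -Name CertificateHash `
            -ErrorAction SilentlyContinue).CertificateHash
$currentThumbprint = if ($hash) {
    -join ($hash | ForEach-Object { $_.ToString('X2') })
} else {
    $null   # the user has never encrypted a file on this machine
}

# List every certificate in the user's personal store that carries the EFS EKU.
# Certificates with no EKU extension at all are not matched by this filter.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsOid } |
    Select-Object @{ n = 'Computer';      e = { $env:COMPUTERNAME } },
                  Thumbprint,
                  @{ n = 'SelfSigned';    e = { $_.Subject -eq $_.Issuer } },
                  Issuer,
                  NotAfter,
                  HasPrivateKey,
                  @{ n = 'CurrentEfsKey'; e = { $_.Thumbprint -eq $currentThumbprint } }
```

If the row marked `CurrentEfsKey` shows a different thumbprint on each machine, or `SelfSigned` is true, the user is still getting a locally generated key per system rather than one roamed or smart-card-held certificate.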

This topic is archived. No further replies will be accepted.