
EFS data recovery agents disappearing from details of file

Auto-enrollment of EFS certificates is working, but when you check the details of a file after encrypting it, the data recovery agents are not displayed. Any idea what can cause this? The data recovery agents are well defined in the GPO linked to the domain.

May 14th, 2012 3:11pm
Probably the EFS recovery agent certificate is expired or invalid.

My weblog:
http://en-us.sysadmins.lv

PowerShell PKI Module:
http://pspki.codeplex.com

Windows PKI reference:
on TechNet wiki

May 14th, 2012 10:19pm
No, the recovery agent certs are valid until next year.

May 15th, 2012 3:12am
Any other possibilities?

May 15th, 2012 8:12am
Hello,

Thank you for your post.

This is a quick note to let you know that we are performing research on this issue.

Best Regards
Elytis Cheng
TechNet Community Support

May 16th, 2012 3:38am
Thanks for the update, Elytis. To clarify: the agent certs are configured in DDP and valid, and the correct EFS certs are being used to encrypt data, but the recovery agents are not appearing in the details of the encrypted file.

May 16th, 2012 3:43am
Did you verify the recovery agent certificate for validity?
certutil -verify cert.cer

My weblog:
http://en-us.sysadmins.lv

PowerShell PKI Module:
http://pspki.codeplex.com

Windows PKI reference:
on TechNet wiki

May 16th, 2012 4:56am
Hi,
Please help to confirm the following points.
1. Does this issue happen to all encrypted files or only certain files?
2. If you encrypt a new file, does this issue happen to the new file?

Best regards, Jason Mei
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

May 17th, 2012 12:40am
Vadims, yes, when certutil -verify is run against the cert it comes back good with no errors (revocation OK, not expired, etc.).

Jason, 1) I have only tested from one domain computer so far, so I will test from another and let you know. 2) Yes, it happens to newly encrypted data on the computer I am testing it on.

May 17th, 2012 2:21am
I think we have found the issue: inheritance was blocked on the OU the computer was under, so it was not getting the DRA certs from domain policy.
Do you know what impact that will have on computers already issued with certs and which have encrypted data? I assume once inheritance blocking is removed the DRA certs will flow through and populate the encrypted data?

May 17th, 2012 3:02am
Hi,
As you mentioned, the GPO defining the data recovery agent policy is linked at the domain level, so if inheritance was blocked on the OU, the group policy will not be applied to the computer in that OU. This will affect the newly encrypted files.

Add a recovery agent for a domain:

http://technet.microsoft.com/en-us/library/cc778448(WS.10).aspx

Using Encrypting File System:

http://technet.microsoft.com/en-us/library/bb457116.aspx
Best regards, Jason Mei
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

May 17th, 2012 11:59pm
To clarify: for files already encrypted on computers where inheritance is blocked, what is the solution? By removing the block, will the recovery agents be able to decrypt them again? I just want to understand the impact this has had.

May 18th, 2012 1:00am
> by removing the block will the recovery agents be able to decrypt them again ?
Or by enforcing the required link.

My weblog:
http://en-us.sysadmins.lv

PowerShell PKI Module:
http://pspki.codeplex.com

Windows PKI reference:
on TechNet wiki

May 18th, 2012 5:20am
No, we may need to decrypt them by unchecking "encrypt contents to secure data" and then checking "encrypt contents to secure data" again to encrypt them again.

Best regards, Jason Mei
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

May 21st, 2012 2:59am
That's two different responses. Jason, are you saying that if inheritance of the domain policy (containing the DRA agents) was blocked at the site OU when the data was encrypted, it would require someone to decrypt and re-encrypt in order for the DRA agents to be used on the data?

May 21st, 2012 3:02am
First you need to enable the GPO link (or enforce it) and then re-encrypt the files.

My weblog:
http://en-us.sysadmins.lv

PowerShell PKI Module:
http://pspki.codeplex.com

Windows PKI reference:
on TechNet wiki

May 21st, 2012 3:08am
Don't suppose there is an easy way to identify all users who have encrypted data on their computers which don't have a DRA capable of recovering the data?

May 21st, 2012 3:10am
I think you can look at the cipher.exe utility to automate this.

My weblog:
http://en-us.sysadmins.lv

PowerShell PKI Module:
http://pspki.codeplex.com

Windows PKI reference:
on TechNet wiki

May 21st, 2012 6:26am
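One way to do the audit asked about above with cipher.exe, as an added example that is not from the thread or from any of its posters: it lists every encrypted file the current user can open and flags those whose recovery certificates do not include the expected DRA. The DRA thumbprint is a placeholder, and the script must run as the user whose files are being checked.

```powershell
# Added example (not from the thread): find encrypted files on this computer
# that are not recoverable with the expected DRA. Run as the user who owns the
# files, because cipher /u /n only lists files that user can open.
$ExpectedDraThumbprint = '0000000000000000000000000000000000000000'  # placeholder

# cipher prints thumbprints with spaces; normalise before comparing.
function Format-Thumbprint([string]$t) { ($t -replace '\s', '').ToUpperInvariant() }
$expected = Format-Thumbprint $ExpectedDraThumbprint

# cipher /u /n walks all local drives and lists encrypted files without
# touching them; keep only the lines that are existing file paths.
$encrypted = cipher.exe /u /n 2>$null |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^[A-Za-z]:\\' -and (Test-Path -LiteralPath $_) }

$missing = foreach ($file in $encrypted) {
    # cipher /c shows the users and recovery certificates that can decrypt
    # the file, each followed by a "Certificate thumbprint:" line.
    $info   = (cipher.exe /c $file 2>$null) -join "`n"
    $thumbs = [regex]::Matches($info, 'thumbprint:\s*([0-9A-Fa-f ]+)') |
        ForEach-Object { Format-Thumbprint $_.Groups[1].Value }
    if ($thumbs -notcontains $expected) {
        # No certificate on this file matches the DRA: the recovery agent
        # cannot open it until it is re-encrypted under the current policy.
        [pscustomobject]@{ File = $file; Thumbprints = ($thumbs -join ',') }
    }
}

if ($missing) {
    Write-Warning "$(@($missing).Count) encrypted file(s) lack the expected DRA:"
    $missing | Format-Table -AutoSize
} else {
    Write-Host 'All encrypted files carry the expected DRA.'
}
```

Running it from a logon script and writing the result to a central share gives the per-user inventory the question asks for.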
Hi,
The reason the DRA is not listed under the encrypted files is that the GPO defining the DRA was not applied to the computer. So if we want all encrypted files to list the DRA, we should make the computer apply the policy and then re-encrypt them.
Best regards, Jason Mei
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

May 22nd, 2012 12:18am
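The remediation the thread converges on (make the DRA policy reach the computer, then re-stamp existing files), as an added example that is not from the thread or its posters. It assumes the RSAT GroupPolicy module on the admin host; the OU, GPO and domain names are placeholders.

```powershell
# Added example (not from the thread): detect the inheritance block that kept
# the domain-level DRA policy from the computer's OU, fix it, and refresh the
# recovery keys on files encrypted while the policy was missing.
Import-Module GroupPolicy

$OU      = 'OU=Workstations,DC=example,DC=local'   # placeholder: OU that had the block
$GpoName = 'Default Domain Policy'                 # placeholder: GPO carrying the DRA
$Domain  = 'DC=example,DC=local'                   # placeholder: where that GPO is linked

# --- Admin host: detect and fix the block ----------------------------------
$inh = Get-GPInheritance -Target $OU
if ($inh.GpoInheritanceBlocked) {
    Write-Warning "Inheritance is blocked on $OU; the domain-level DRA policy does not reach it."
    # Option A: remove the block so the domain GPO applies again.
    Set-GPInheritance -Target $OU -IsBlocked No
    # Option B (if the block must stay): enforce the link, which overrides blocking.
    # Set-GPLink -Name $GpoName -Target $Domain -Enforced Yes
}
# Confirm the DRA GPO is now among the links the OU inherits.
(Get-GPInheritance -Target $OU).InheritedGpoLinks |
    Select-Object DisplayName, Enabled, Enforced

# --- Affected computer, run as each user who owns encrypted files ----------
# cipher /u touches every encrypted file on local drives and updates its
# recovery keys to the agents in the current policy, so files encrypted while
# the DRA was missing do not need a manual decrypt / re-encrypt. It has to run
# as the file owner, because re-wrapping the file key needs that user's EFS key.
$clientStep = {
    gpupdate /target:computer /force | Out-Null   # pull the DRA policy first
    cipher.exe /u                                 # then re-stamp existing files
}
# Deploy $clientStep as a logon script, or run it interactively with: & $clientStep
```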
