Encrypting File System Policy

Hi,

I noticed that we have a certificate out of date in our default domain policy - this was for a data recovery agent. I created a new certificate from our CA. However, I have now used the policy to not allow file encryption... I have never used it and can't see anyone on our domain doing so - I guess they haven't so far as the certificate was invalid?

Presumably with it not allowed I no longer need the certificate?

If I do need a certificate will it be automatically updated or will I have to create another?

May 30th, 2015 7:27am

Hi.

For the expired EFS recovery agent certificate issue, you can use cipher /r to create a new certificate to solve this issue. For detailed steps and information, please refer to the following article:

Replacing an Expired DRA Certificate

http://blogs.technet.com/askds/archive/2008/01/07/replacing-an-expired-dra-certificate.aspx

Please follow the suggestions to back up the original certificates and the new certificates.

Also, you can check the link below for further reference:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/f514129b-bab7-4cad-a179-f53f9abdc826/efs-recovery-policy-contains-invalid-recovery-certificate?forum=winservergen

Best Regards,

Elaine

June 1st, 2015 2:48am
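
An added example, not part of the original thread or the linked article: a PowerShell check that a recovery agent certificate file, such as the .cer written by cipher /r, is inside its validity period and carries the File Recovery EKU before it goes into the EFS recovery policy. The file name efs-dra.cer and the function name Test-DraCertificate are assumptions made for illustration.

```powershell
# Added example. Assumes the certificate was exported beforehand, e.g. with
#   cipher /r:efs-dra
# which prompts for a password and writes efs-dra.cer (certificate only) and
# efs-dra.pfx (certificate plus private key; back this file up offline).

$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU: File Recovery

function Test-DraCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,   # hypothetical path to the .cer file
        [int]$WarnDays = 90                    # warn when expiry is this close
    )

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # Collect the EKU OIDs, if the certificate has an EKU extension at all.
    $oids = @()
    $eku  = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $now      = Get-Date
    $daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)

    [pscustomobject]@{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        NotBefore          = $cert.NotBefore
        NotAfter           = $cert.NotAfter
        DaysLeft           = $daysLeft
        NotYetValid        = $now -lt $cert.NotBefore
        Expired            = $now -gt $cert.NotAfter
        ExpiresSoon        = ($daysLeft -ge 0) -and ($daysLeft -le $WarnDays)
        HasFileRecoveryEku = $oids -contains $FileRecoveryOid
    }
}

$result = Test-DraCertificate -Path '.\efs-dra.cer'
$result | Format-List

if ($result.Expired -or $result.NotYetValid -or -not $result.HasFileRecoveryEku) {
    Write-Warning 'Certificate is not usable as an EFS data recovery agent certificate.'
}
```

The same function can be run against a .cer export of the certificate currently listed in the policy, to confirm which one has expired before replacing it.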

This topic is archived. No further replies will be accepted.
