[EFS] Key Recovery Agent - Issue
Hi, I am at the beginning of my MCITP studies, and I'm having trouble practicing EFS.

My environment:

1. Server 2k8 ENT SP2. Roles: AD DS, AD CS, IIS, File Server
2. Windows 7 ENT, as client.

I want to practice using a Key Recovery Agent to try decrypting users' encrypted files.

First I duplicated the Basic EFS template and added it to the CA. (I checked that the "archive private key" check box is selected.) Then I added the KRA template to the CA. Then I logged in as the KRA user I designated for this and went through enrollment. Then I had to approve the certificate for the KRA in the CA. Then I added the KRA cert to the CA's Recovery Agents tab. --- Then the CA service needed to be restarted. ---

Then I logged in to the Win7 machine and created a TXT file. Then, in the properties, I checked the encrypt option under Advanced. Then I checked the Local Certificate Store for the "current user" and noticed that the duplicated Basic EFS template is the one the certificate used. (Good.)

Now I deleted the certificate from the local current user store, and logged off and on again. As expected, the file won't open. (Good.)

Now I logged in as the KRA user on the Win2k8 machine and used the syntax (CMD in Admin mode):

certutil -getkey user1@contoso.com c:\cert\blob (command successful)

certutil -recoverkey c:\cert\blob c:\cert\user1.pfx (password: **** / password again: ****)

At this point, I took the PFX that I just created and put it on the Win7 machine. Now, with my already logged in user (User1), I imported the PFX into the local store. After the import I logged off and on again. But somehow the TXT file I encrypted a couple of minutes ago cannot be accessed. I checked and rechecked the CER file and PFX file, and did the procedure again and again. Does anyone know why I cannot access my encrypted files with the KRA method?

Best Regards, Nir Halfon.
March 17th, 2011 10:16am

It might be possible that your computer generated a self-signed certificate for EFS purposes. You might want to set a GPO that would disable this behaviour (Encrypting File System Properties, untick "Allow EFS to generate self-signed certificates"). Also make sure that you have superseded the Basic EFS template with the new template. Kind regards, Martin
March 17th, 2011 11:31am
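The self-signed-certificate hypothesis above can be checked directly on the Windows 7 client. EFS records, in each encrypted file's metadata, the thumbprint of every certificate able to decrypt it, and `cipher /c` displays that list. The following PowerShell script is an added diagnostic example, not code from the thread or from Microsoft: it extracts the thumbprints that `cipher /c` reports for a file and compares them with the EFS-capable certificates in the user's personal store, flagging whether each store certificate is self-signed and whether it has a private key. The file path and the exact "Certificate thumbprint:" wording parsed from `cipher.exe` output are assumptions and may differ between Windows versions.

```powershell
# Added diagnostic example (not from the thread): compare the certificate
# thumbprints recorded in an encrypted file's EFS metadata with the EFS
# certificates present in the current user's store.
# Assumptions: the file path below, and that "cipher /c" prints one
# "Certificate thumbprint: XXXX XXXX ..." line per decryptor.

param(
    [string]$Path = 'C:\Users\user1\Documents\secret.txt'  # assumed path
)

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" EKU OID

function Get-EfsThumbprintsFromFile {
    param([string]$FilePath)
    # cipher /c lists the users and recovery agents able to decrypt the file,
    # each with the thumbprint of the certificate used.
    $lines = & cipher.exe /c $FilePath 2>&1
    $thumbs = foreach ($line in $lines) {
        if ($line -match 'thumbprint:\s*([0-9A-Fa-f ]+)$') {
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
    return @($thumbs | Sort-Object -Unique)
}

function Get-UserEfsCertificates {
    # Certificates in CurrentUser\My whose EKU list includes EFS.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku
    }
}

$fileThumbs = Get-EfsThumbprintsFromFile -FilePath $Path
$userCerts  = @(Get-UserEfsCertificates)

"Certificate thumbprints recorded in the file's EFS metadata:"
$fileThumbs | ForEach-Object { "  $_" }

"EFS certificates in CurrentUser\My:"
foreach ($c in $userCerts) {
    $selfSigned = ($c.Subject -eq $c.Issuer)   # self-signed => issuer is itself
    $match      = $fileThumbs -contains $c.Thumbprint.ToUpperInvariant()
    "  {0}  issuer='{1}'  selfSigned={2}  privateKey={3}  matchesFile={4}" -f `
        $c.Thumbprint, $c.Issuer, $selfSigned, $c.HasPrivateKey, $match
}

# A usable certificate must both match the file and carry its private key.
$usable = $userCerts | Where-Object {
    $_.HasPrivateKey -and ($fileThumbs -contains $_.Thumbprint.ToUpperInvariant())
}
if (-not $usable) {
    Write-Warning ("No certificate with a private key in CurrentUser\My matches " +
        "this file. If the file lists only a thumbprint whose certificate was " +
        "self-signed, the file was encrypted with a locally generated EFS " +
        "certificate, not the CA-issued (archived) one, so a key recovered " +
        "with certutil -recoverkey will not open it.")
}
```

Run it as the user who encrypted the file. If the thumbprint in the file does not appear among the CA-issued certificates, the recovered PFX is for the wrong key, which is the outcome the GPO setting above is meant to prevent; after the policy change, only files encrypted afterwards will use the CA-issued certificate, so the test file needs to be re-encrypted before the recovery exercise is repeated.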

I did edit the GPO to allow EFS, but to use only the custom EFS template that I created. Anything?
March 23rd, 2011 2:47am

Hello, NirHalfon. I have the same issue with Windows 7. The same procedure you mentioned is fully functional with Windows XP, but with Windows 7 the imported certificate (*.pfx) recovered using "certutil -recoverkey" cannot decrypt files. If you have solved your issue, any suggestions will be appreciated.
June 14th, 2011 3:50am

Hello, NirHalfon. I have the same issue with Windows 7. The same procedure you mentioned is fully functional with Windows XP, but with Windows 7 the imported certificate (*.pfx) cannot decrypt files. If you have solved your issue, any suggestions will be appreciated.
June 14th, 2011 3:52am
