EFS using internal PKI Certificates / Recovery Agent Certificates
Situation: We have an EFS deployment in which files and folders are encrypted according to the domain GPO policy. Unfortunately, the Recovery Agent certificates expired, which caused the services that depend on the encrypted data to begin failing. Here is what we did to fix the issue. Keep in mind that we use an internal PKI infrastructure to issue certificates.
Securing the Default Recovery Key for the Domain
As with the stand-alone computer, a default recovery policy is configured for the domain when the first domain controller is set up. The default recovery policy uses a self-signed certificate to make the domain Administrator account the recovery
Note: To change the default, log on as Administrator on the first domain controller of the domain, and follow the steps above to secure the recovery key for the domain.
THIS WAS NOT AN OPTION FOR ME, AS MY FIRST DC HAS LONG BEEN RETIRED, BUT I WANTED PEOPLE TO BE AWARE OF THIS.
Requesting a File Recovery Certificate
If you decide to use the default recovery policies, you never need to request a file recovery certificate. However, in circumstances where multiple recovery agents are needed for the domain, or where the recovery agent needs to be different from the domain administrator due to legal or corporate policy, you may need to identify certain users as recovery agents, and these users must be issued file recovery certificates. To accomplish this, the following procedures must be completed:
• An Enterprise certification authority (CA) must be set up, if one isn’t available.
• The policy on the Enterprise CA must allow the designated users/agents to request and obtain a file recovery certificate (Enroll rights must be granted on the EFSRecovery template).
• Each user must request a file recovery certificate.
I am assuming you already have a CA installed and have already created the user account(s) that will act as the recovery agents. If you have not, plain user accounts in the domain will do.
In my example I am using EFSUSER1 and EFSUSER2.
Add the Domain Recovery Agents group to the EFS Recovery Template.
This procedure allows users in that group to request recovery certificates.
1. Click Start, point to Programs, point to Administrative Tools, and click Active Directory Sites and Services.
2. On the View menu, click Show Services.
3. Click the + next to Services in the left pane. Use this method to expand the Public Key Services folder.
4. Click Certificate Templates (in the left pane).
5. Double-click EFSRecovery in the right pane.
6. Click the Security tab.
7. Click Add. Scroll and find the EFSUSER1 and EFSUSER2 accounts and click Add.
8. With the two accounts selected in the top pane, select the Enroll check box in the bottom pane.
9. Click OK, and close the Active Directory Sites and Services snap-in.
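The same Enroll grant can be made from PowerShell instead of the Active Directory Sites and Services GUI. The script below is an added example, not part of the original post; it assumes the ActiveDirectory module is installed (it provides the AD: drive), that you are running it as an account allowed to edit the template's security descriptor, and that the recovery-agent accounts are the EFSUSER1 and EFSUSER2 used above. The Certificate-Enrollment extended right is identified by its well-known GUID.

```powershell
# Added example (not from the original post): grant Read + Enroll on the EFSRecovery
# certificate template to the recovery-agent accounts, then verify the ACL.
Import-Module ActiveDirectory

$agents = @('EFSUSER1', 'EFSUSER2')           # the accounts used in the post

# Templates live in the Configuration naming context, shared by the whole forest
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=EFSRecovery,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Well-known GUID of the Certificate-Enrollment extended right (the "Enroll" checkbox)
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

$acl = Get-Acl -Path "AD:\$templateDN"
foreach ($name in $agents) {
    $sid = (Get-ADUser -Identity $name).SID

    # Read is required alongside Enroll so the client can see and evaluate the template
    $readRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $enrollRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $enrollRight)

    $acl.AddAccessRule($readRule)
    $acl.AddAccessRule($enrollRule)
}
Set-Acl -Path "AD:\$templateDN" -AclObject $acl

# Verification: list every principal that currently holds Enroll on the template.
# Anyone listed here can obtain a certificate able to decrypt every EFS file in the
# domain once it is a DRA, so the list should contain only the intended agents.
(Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object { $_.ObjectType -eq $enrollRight } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
```

The verification query at the end is worth running on its own periodically: the EFSRecovery template is one of the most sensitive in the forest, and an Enroll ACE granted for a one-off enrollment is easy to forget.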
Assign a Certificate to the EFS Accounts.
- Add the EFSUSER1 and EFSUSER2 accounts to the local administrators group on a workstation in the UM-USERS domain.
- Log in to the workstation as one of the accounts. Note: if you cannot remember the password, reset it.
- Once logged in, open the certificate store for “My User Account” (NOT the computer account), either through an MMC with the Certificates snap-in or from the Administrative Tools. Expand Personal certificates and request a “New Certificate”. Select EFS Recovery Agent and give it a friendly name matching the user account.
- Once complete, export the certificate with both the private key and one without the private key to a directory on the local workstation or server.
- Repeat these steps for both accounts.
- Once the certificates are exported, log in to a workstation\server with Domain Admin rights. Make sure the account has access to the directory and exported certs you just created. Launch AD Users and Computers, right click on the Domain and select Properties. Edit the Default Domain Policy.
- Expand the Group Policy –> Windows Settings –> Security Settings –> Public Key Policies –> Encrypting File System.
- Right click in the EFS Panel and select Add Data Recovery Agent.
- Browse to the certificate without the private key (the *.CER file you just created in the exported cert directory). Hit Next and Finish. Refresh the EFS Panel.
- You should now see the proper certificates.
- Now burn the contents of the exported EFS directory to a CD or Media, place in the vault and delete the cert files\directories from your workstation\server. Also remove the accounts from the local administrators group on the workstation.
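For those who prefer to script the enrollment and export steps, and to check the exported certificate before it goes into the GPO, the following is an added example, not part of the original post. It assumes the PKIClient module (Get-Certificate, Export-PfxCertificate, Export-Certificate, available from Windows 8 / Server 2012 onward), that it is run interactively as EFSUSER1 and then EFSUSER2 on the enrollment workstation, and that the template's name is EFSRecovery as above; the export directory is a constructed path. The last step covers a caveat the procedure above does not mention: files encrypted before the new DRA was published still carry the old, expired recovery agent until cipher /u rewrites them.

```powershell
# Added example (not from the original post): enroll for the File Recovery certificate,
# export it with and without the private key, check the public copy, and update
# existing encrypted files once the new DRA is in policy.

$ExportDir       = 'C:\EFSRecovery-Export'        # constructed path; any directory you control
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'     # EKU OID "File Recovery"
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# 1. Request the certificate from the enterprise CA into the USER (not computer) store.
$result = Get-Certificate -Template 'EFSRecovery' -CertStoreLocation 'Cert:\CurrentUser\My'
if ($result.Status -ne 'Issued') { throw "Enrollment not completed: $($result.Status)" }
$cert = $result.Certificate
$cert.FriendlyName = $env:USERNAME                  # the post names it after the account

# 2. Export twice: with the private key (vault copy) and without (the .cer for the GPO).
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password for the vault copy'
Export-PfxCertificate -Cert $cert -FilePath "$ExportDir\$env:USERNAME.pfx" -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath "$ExportDir\$env:USERNAME.cer" | Out-Null

# 3. Inspect the public copy before adding it as a Data Recovery Agent.
function Test-DraCertificate {
    param([Parameter(Mandatory)][string]$CerPath)
    $c   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $eku = $c.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $isRecovery = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryEku })
    [pscustomobject]@{
        Subject         = $c.Subject
        Thumbprint      = $c.Thumbprint
        NotAfter        = $c.NotAfter
        DaysUntilExpiry = [int]($c.NotAfter - (Get-Date)).TotalDays   # this is what expired in the post
        IsFileRecovery  = $isRecovery      # must be True, or the DRA wizard will not accept it
        HasPrivateKey   = $c.HasPrivateKey # must be False for the copy that goes into the GPO
    }
}
Test-DraCertificate -CerPath "$ExportDir\$env:USERNAME.cer"

# 4. After the DRA is in the Default Domain Policy and clients have refreshed (gpupdate /force),
#    files encrypted earlier still reference the OLD recovery agent. cipher /c lists the
#    agents on a file; cipher /u /n reports which files would change; cipher /u rewrites the
#    recovery field of every encrypted file on local drives to the current DRA.
#    Run these as the user who owns the files:
#      cipher.exe /c C:\Data\example.docx
#      cipher.exe /u /n
#      cipher.exe /u
```

The DaysUntilExpiry field is the check to put on a calendar: the whole incident in this post came from nobody noticing the recovery certificates' NotAfter date. Schedule the same cipher /u pass on file servers after the policy change, otherwise the old DRA remains the only recovery path for everything encrypted before it.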