Managing the Encrypted File System certs…or "preventing self signed certs."


This is an FYI ..


How do you manage your users related to EFS?

Do they use EFS? Do you know if they use EFS?


I won't go into all the details of why this new DCR is so neat... unless the readers really ask about it.

But - this can save you from a huge  headache if you are planning to deploy EFS...


The not yet public article is 912761 - refer to this when you call PSS and ask for this DCR ( design change  request )





Install hotfix to the XP machine.


Create the following registry key:


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS]




Once you have done this - reboot the client.


Now attempt to encrypt a file.


If you do not have an EFS cert, or you do not have an Enterprise CA to request one from, you will now get an error as seen below:


If you attempt to encrypt from CMD line via cipher.exe you will see:


Encrypting files in C:\Documents and Settings\efsr\Desktop\


New Text Document.txt [ERR]

New Text Document.txt: NO EFS certificate available.


0 file(s) [or directorie(s)] within 1 directorie(s) were encrypted.


Key: self signed certificate EFS DRA DCR

Happy New Year!




Comments (2)

  1. matheesha says:

    What happens if a user has already started encrypting files? Can they continue to do so afterwards. Can they decrypt what they already have encrypted?

  2. SpatDSG says:

    If they already have a cert they are using for encryption then they will continue to use this cert – it will not prevent this

    They can decrypt what was encrypted prior, as long as they possess the private key

Skip to main content