2.2.1 EFS Recovery Policy
This option MUST be supported by all implementations of the Group Policy: Encrypting File System Extensions.
When writing the EFS recovery policy, the administrative plug-in MUST configure the machine-specific Registry Policy file to create a registry key named Software\Policies\Microsoft\SystemCertificates\EFS. This key MUST contain three subkeys, named Certificates, CRLs, and CTLs, respectively. The Certificates subkey MUST in turn contain zero or more subkeys, each of which represents the X.509 certificate (as specified in [RFC5280]) of an EFS recovery agent. The format of these entries is specified in section 2.2.1.1. The CRLs and CTLs subkeys MUST be empty.
In addition to the previous information, the administrative plug-in MUST create an additional entry in the machine-specific Registry Policy file, which contains all the applicable EFS recovery agent certificates marshaled into a single value, as specified in section 2.2.1.2.