Managing the Encrypted File System certs...or "preventing self signed certs."
This is an FYI.
How do you manage your users related to EFS?
Do they use EFS? Do you know if they use EFS?
I won't go into all the details of why this new DCR is so neat... unless the readers really ask about it.
But - this can save you from a huge headache if you are planning to deploy EFS...
The not-yet-public article is 912761; refer to it when you call PSS and ask for this DCR (design change request).
Usage:
Install hotfix to the XP machine.
Create the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS]
"EfsOptions"=dword:0
Once you have done this, reboot the client.
Now attempt to encrypt a file.
If you do not have an EFS cert, or you do not have an Enterprise CA to request one from, you will now get an error, as seen below.
If you attempt to encrypt from the command line via cipher.exe you will see:
Encrypting files in C:\Documents and Settings\efsr\Desktop\
New Text Document.txt [ERR]
New Text Document.txt: NO EFS certificate available.
0 file(s) [or directorie(s)] within 1 directorie(s) were encrypted.
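To turn the steps above into something repeatable, here is an added PowerShell example (not from the original post) that sets the EfsOptions policy value from the post, lists the current user's EFS certificates and flags any that are self-signed, and probes the result with cipher.exe after the reboot. It assumes the 912761 hotfix is already installed, the shell is elevated, and PowerShell is available on the client; the function names and the scratch file are my own.

```powershell
# Added example, not part of the original post. Assumes the KB 912761 hotfix
# is installed and this runs elevated. Policy key and value are from the post.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'

function Set-EfsNoSelfSignedPolicy {
    # Create the policy key if needed and set EfsOptions = 0; a reboot is still required.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'EfsOptions' -Value 0 -Type DWord
    (Get-ItemProperty -Path $PolicyKey -Name 'EfsOptions').EfsOptions   # 0 on success
}

function Get-UserEfsCertificates {
    # EFS certificates carry the Encrypting File System EKU, OID 1.3.6.1.4.1.311.10.3.4.
    $efsOid = '1.3.6.1.4.1.311.10.3.4'
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid })
    } | Select-Object Subject, Issuer, NotAfter,
        @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } }  # self-signed: issuer equals subject
}

function Test-EfsEncryption {
    # Try to encrypt a constructed scratch file; cipher.exe reports [OK] or the
    # "NO EFS certificate available" error quoted in the post.
    $dir = Join-Path $env:TEMP ('efs-probe-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    $file = Join-Path $dir 'probe.txt'
    Set-Content -Path $file -Value 'constructed test content'
    $output = & cipher.exe /E /A $file 2>&1 | Out-String
    Remove-Item -Path $dir -Recurse -Force
    if ($output -match 'NO EFS certificate available') {
        'Blocked: no usable EFS certificate, and self-signed generation is disabled'
    } elseif ($output -match '\[OK\]') {
        'Encrypted: an existing EFS certificate (CA-issued or earlier self-signed) was used'
    } else {
        "Unexpected cipher.exe output:`n$output"
    }
}

Set-EfsNoSelfSignedPolicy
Get-UserEfsCertificates | Format-Table -AutoSize
# Run after the reboot the post calls for:
Test-EfsEncryption
```

A user who already holds a self-signed EFS certificate will still get [OK], which matches the behaviour described in the comments: the value only stops new self-signed certificates from being generated.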
Key: self signed certificate EFS DRA DCR
Happy New Year!
Spat
Comments
- Anonymous
May 19, 2006
What happens if a user has already started encrypting files? Can they continue to do so afterwards? Can they decrypt what they already have encrypted?
- Anonymous
May 20, 2006
If they already have a cert they are using for encryption then they will continue to use this cert - it will not prevent this.
They can decrypt what was encrypted prior, as long as they possess the private key.