Remove EFS recovery agent from domain member

1

I cannot ask our Domain Admins to update the recovery agent, since they are in another country and they serve millions of people worldwide (actually, I've asked, with no success).

  1. The GPO disables EFS altogether, but I've overridden that by setting HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration = 0

  2. I still cannot encrypt because of another error: the Recovery Agent has expired (not surprisingly)

I know that this is incorrect behavior for a network member; I know that this is a hacky and tricky workaround... but I'm ready for that kind of solution. Could anybody suggest how to override the EFS recovery agent settings?

Dmitry Gusarov

Posted 2012-10-08T10:11:20.237

Reputation: 381

Answers

1

You cannot override domain group policy. It will be reapplied in a few minutes. Never use EFS for personal data such as keeping your browser profile and passwords safe. A domain admin can simply secretly add a recovery agent and access all your encrypted files.

Monstieur

Posted 2012-10-08T10:11:20.237

Reputation: 426

I don't think you're right. It is impossible to add a certificate for those who aren't enlisted in the current state of an encrypted file. The AES key is encrypted by the certificate; neither SYSTEM nor Administrators are able to fetch my personal private key from the Crypto API to get the AES key and encrypt it back with another certificate (this is what happens when you add another certificate to a file). The recovery agent policy applies only when a file is created or completely rewritten. – Dmitry Gusarov – 2018-05-02T20:18:16.770

@DmitryGusarov Adding a recovery agent requires you to touch the files once again before the agent can decrypt them. However, on a domain the DPAPI master key is encrypted with the domain controller's public key and is backed up to the domain controller. So the domain admin can directly decrypt your private key without knowing your account password and decrypt the files even without a recovery agent. This is the reason a domain account can have its password reset forcefully without losing the encrypted data. – Monstieur – 2018-05-03T07:44:00.400
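An added PowerShell audit, not code from the thread, for checking the state discussed above from the defender's side: what the policy key named in the question currently says, which EFS user and recovery-agent certificates sit in the local stores and whether they have expired, and which certificates can decrypt a given file. It assumes a domain-joined Windows host with cipher.exe, English `cipher /c` output labels ("Users who can decrypt", "Recovery Certificates", "Certificate thumbprint:"), and a placeholder file path you replace.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell on a
# domain-joined host with cipher.exe and English cipher /c output.

function Get-EfsPolicyState {
    # Policy key named in the question: 1 = EFS disabled by policy, 0/absent = allowed
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'
    $val = (Get-ItemProperty -Path $key -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
    [pscustomobject]@{
        PolicyKeyPresent    = Test-Path $key
        EfsConfiguration    = $val
        EfsDisabledByPolicy = ($val -eq 1)
    }
}

function Get-EfsCertificates {
    # EKU OIDs: 1.3.6.1.4.1.311.10.3.4 = EFS user cert, 1.3.6.1.4.1.311.10.3.4.1 = File Recovery (recovery agent)
    $ekus = @{ '1.3.6.1.4.1.311.10.3.4' = 'EFS user'; '1.3.6.1.4.1.311.10.3.4.1' = 'Recovery agent' }
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        foreach ($cert in Get-ChildItem $store -ErrorAction SilentlyContinue) {
            foreach ($oid in $cert.EnhancedKeyUsageList.ObjectId) {
                if ($ekus.ContainsKey($oid)) {
                    [pscustomobject]@{
                        Store = $store; Role = $ekus[$oid]; Subject = $cert.Subject
                        Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter
                        Expired = ($cert.NotAfter -lt (Get-Date))   # the question's symptom
                    }
                }
            }
        }
    }
}

function Get-EfsFileAccess {
    param([Parameter(Mandatory)][string]$Path)
    # cipher /c lists the user and recovery certificates that can decrypt the file;
    # the section/thumbprint labels below are an assumption about its English output
    $out = & cipher.exe /c $Path 2>&1
    $users = @(); $recovery = @(); $section = $null
    foreach ($line in $out) {
        if     ($line -match '^\s*Users who can decrypt')   { $section = 'users' }
        elseif ($line -match '^\s*Recovery Certificates')   { $section = 'recovery' }
        elseif ($line -match '^\s*(Key Information|No recovery certificate)') { $section = $null }
        elseif ($line -match '^\s*Certificate thumbprint:\s*(.+)$') {
            if     ($section -eq 'users')    { $users    += $Matches[1].Trim() }
            elseif ($section -eq 'recovery') { $recovery += $Matches[1].Trim() }
        }
    }
    [pscustomobject]@{ Path = $Path; UserThumbprints = $users; RecoveryThumbprints = $recovery; Raw = $out }
}

Get-EfsPolicyState
Get-EfsCertificates | Format-Table Store, Role, Subject, NotAfter, Expired
Get-EfsFileAccess -Path 'C:\path\to\encrypted-file.txt'   # placeholder path
```

If `EfsDisabledByPolicy` flips back to true a few minutes after a local change, that is the group policy refresh the answer describes; the `Raw` field is kept so the parsed sections can be checked against the actual cipher output on your build.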