How to add an EFS recovery agent in Windows XP Professional (887414)
The information in this article applies to:

  • Microsoft Windows XP Professional

INTRODUCTION

This article describes how to create a recovery agent key and certificate for selected users in Microsoft Windows XP Professional Encrypting File System (EFS). Recovery agents can use certificates and public keys to decrypt files. An administrator can add the contents of a certificate to the EFS recovery policy to create the recovery agent for users and to import the .PFX file to recover individual files. In Group Policy Object Editor, you can specify the domain or the organizational unit of a recovery agent.

MORE INFORMATION

In Microsoft Windows 2000 EFS, the built-in Administrator account is used as the default recovery agent. In Windows XP Professional, the EFS recovery agent's recovery certificate is not set as the default. This configuration change prevents a malicious attempt at decrypting by using the Administrator account. In systems that are upgraded from Windows 2000, the Administrator account that is set as the default recovery agent is migrated and is used as the default EFS recovery agent.

To create an EFS recovery agent key and certificate for selected users, follow these steps.

Step 1: Export recovery certificates and the private key

  1. Log on to the computer as the user for whom you want to create the recovery agent key and certificate.
  2. Click Start, click Run, type CMD, and then click OK.
  3. At the command prompt, type the following, and then press ENTER:

    cipher /r:filename

  4. When you receive the following message, type the password that you want to use:

    Please type in the password to protect your .PFX file:

    The system creates a .PFX file that contains the certificate and the private key, and a .CER file that contains only the certificate. You receive the following verification messages:

    Your .CER file was created successfully.
    Your .PFX file was created successfully.

Step 2: Import recovery certificates and the private key

  1. Log on to the computer as the administrator.
  2. Click Start, click Run, type gpedit.msc, and then click OK.
  3. In the Group Policy Object Editor, expand the following nodes:

    Local Computer Policy
    Computer Configuration
    Windows Settings
    Security Settings
    Public Key Policies

  4. Right-click Encrypting File System, and then click Add Data Recovery Agent.
  5. Click Next, and then click Browse Folders.
  6. Select the *.CER file that you created earlier, and then click Open.

    Note By default, the certificate is created in the %userprofile% folder.
  7. Click Next, and then click Finish.
Note We recommend that you back up the recovery certificate (*.CER) and the private key files (*.PFX) to a safe location.
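The following PowerShell script is an added example, not part of the KB article, that automates Step 1 and the backup recommendation above: it runs cipher /r as the recovery agent user, checks that the generated .CER really carries the File Recovery enhanced key usage before an administrator imports it in Step 2, and copies both files to a backup location. The file name efs-dra and the backup path D:\efs-dra-backup are constructed placeholders.

```powershell
# Added example (not from KB 887414): create and verify an EFS recovery agent certificate.
# Assumes it is run in the session of the user who should become the recovery agent.
$name = 'efs-dra'                       # constructed: produces efs-dra.cer and efs-dra.pfx
Push-Location $env:USERPROFILE          # the KB note says the files land in %userprofile%
try {
    & cipher.exe "/r:$name"             # prompts for the password that protects the .PFX
    if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }

    $cer = Get-Item "$name.cer"         # public certificate only: safe to hand to the admin
    $pfx = Get-Item "$name.pfx"         # certificate plus private key: must be protected

    # Load the .CER and confirm it is a File Recovery certificate, not some other key pair
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer.FullName
    $fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage OID
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasFileRecovery = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $fileRecoveryOid })
    if (-not $hasFileRecovery) {
        throw "$($cer.Name) does not carry the File Recovery EKU; do not add it as a recovery agent"
    }

    # Details the administrator can compare against what gpedit.msc shows after the import
    "Subject:    $($cert.Subject)"
    "Thumbprint: $($cert.Thumbprint)"
    "Valid to:   $($cert.NotAfter)"

    # Back up both files to protected storage, as the KB recommends
    $backup = 'D:\efs-dra-backup'       # constructed: use removable or otherwise protected media
    New-Item -ItemType Directory -Path $backup -Force | Out-Null
    Copy-Item $cer.FullName, $pfx.FullName -Destination $backup
    if (-not (Test-Path (Join-Path $backup $pfx.Name))) { throw 'backup of the .PFX failed' }

    # The private key should not remain on the workstation once the backup copy exists
    Remove-Item $pfx.FullName
    "Recovery agent key pair created; .PFX moved to $backup, .CER left at $($cer.FullName)"
}
finally {
    Pop-Location
}
```

Removing the local .PFX after backup is the script's own hardening step, not something the KB instructs; the .CER that remains is what Step 2 imports.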

Modification Type: Major
Last Reviewed: 10/15/2004
Keywords:kbinfo kbhowto KB887414 kbAudEndUser