Deploy EFS using GPO
This has been a fun ride figuring out what Windows wanted from me in order to make this happen.
Without Using CA Server
What I really needed was a way to deploy EFS using existing servers knowing that new ones will be brought online within the month, and creating a temporary CA in Windows Server didn't sound like a good idea. I needed to accomplish the following
- Enable EFS
- Push EFS to all users on the domain
- Only encrypt sensitive files
- Have a way to decrypt in an emergency (should never be needed, but I get paranoid with data).
1.
- Create a DRA (Data Recovery Agent) user. This user does not need any special permissions other than being able to log in.
- Log in as the new DRA user, open a command prompt, and run the following command to create the self signed certs.
cipher /r:<certname>
- You will be asked for a password to protect the private key with. Please make sure you remember what it is.
- Move the cert to a secure location and now head back to the domain controller as admin.
2.
- Open up Group Policy Manager
- Either edit the default domain policy or create a new GPO under the OU of your choice.
NOTE : The GPO will be applying policies to the computer and not just the users, so ensure the computers that will be included for encryption are in an OU under the GPO.
- Edit the following fields
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies - Encrypting File System
- Right Click "Encrypting File System" then "Add Recovery Agent"
- Select "Browse Folders" and find the Public .cer file that was previously created.
- You will be informed that there is no way of knowing if the cert was revoked, just click Yes then Finish.
- Under Public Key Policies right click "Trusted Root Certificate" and click import.
- Import the same .cert Public key as before.
https://www.youtube.com/watch?v=vUCf4SPDqCQ
https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx
https://technet.microsoft.com/en-us/magazine/2007.03.securitywatch.aspx
https://mizitechinfo.wordpress.com/2014/07/29/step-by-step-encrypting-user-data-with-efs-in-windows-server-2012-r2/
https://support.microsoft.com/en-us/kb/937536
https://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx
https://www.experts-exchange.com/questions/23958388/EFS-Recovery-Agent-DRA-certificate-imported-in-Group-Policy-but-not-deployed-to-clients.html