
How can I select a different EFS recovery agent?

Hi, Roberta. There have been many requests in my organization to let laptop users (standalone machines) use EFS to encrypt files. I've been reading your articles and replies to questions on this topic.

My understanding is that the backup and recovery of keys is very important. I do not have a certificate authority available to create the certificates of recovery agents. What are the steps or processes I need to take to ensure that I can recover the encrypted files if I do not want to use the default administrator account in each laptop as the recovery agents?

Are you saying you don't want a recovery agent or you just don't want to have the local administrator be the recovery agent? I'm assuming the latter.

First, I would strongly recommend that users use machines that are joined in a domain. This way the domain admin will be the default recovery agent, not the local admin. (With Windows XP there is no default recovery agent; however, XP in a domain will use the recovery agent if one exists.)

You can remove the private key (not the certificate, but the private key) from the domain controller (DC), and keep it safe. The public key will be used to encrypt the FEK (File Encryption Key) of the encrypted files. If you follow best practices and do not allow anyone to log on using the domain administrator account, you can reserve that account to be used for recovery if necessary. You can log on using the account to recovery stations (a computer set up for this purpose) and import the certificate and private key, then recover the files. The private key needs to be removed from the recovery station.

Second, I would advise that all users who do encrypt files be taught how to make their own backup of their keys and how to keep this copy safe and away from their laptop.

As a third recommendation, traveling users can remove their private key from the laptop and carry it on a floppy in a safe container separate from the laptop. They can import it to decrypt files while on the road, and export it when traveling or when locking the computer in their hotel room (locked to something solid with a computer lock or in a safe). If the laptop is stolen, since no private key is on board, no attacker can decrypt the files.

Finally, make sure all laptops are purged of old administrator account default certificates and keys!

And make sure you test these scenarios before sending folks on the road!
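The key backup, private-key removal, re-import and purge steps the answer describes, as an added PowerShell example that is not part of the original Q&A. It assumes a Windows 8 or later client with the PKI cmdlets (Export-PfxCertificate / Import-PfxCertificate); the PFX path and password are placeholders.

```powershell
# Added example, not code from the original Q&A. Assumes Windows 8+/Server 2012+
# with the PKI module. Paths and the password below are placeholders.
$EfsEku      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System
$RecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (recovery agent)

# Find certificates in a store that carry a given EKU and still have a private key on this machine.
function Get-EfsCert {
    param([string]$Eku = $EfsEku, [string]$Store = 'Cert:\CurrentUser\My')
    Get-ChildItem $Store | Where-Object {
        $ekus = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }
        $_.HasPrivateKey -and ($ekus -contains $Eku)
    }
}

# Step 1 (advice to users): back up certificate + private key to a PFX kept away from the laptop.
function Backup-EfsKey {
    param([Parameter(Mandatory)][string]$PfxPath, [Parameter(Mandatory)][securestring]$Password)
    $cert = Get-EfsCert | Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No EFS certificate with a private key found in CurrentUser\My' }
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    $cert.Thumbprint   # returned so the caller can remove exactly this key afterwards
}

# Step 2 (travelling users; same idea as removing the recovery agent's key from the DC):
# delete the private key from this machine. Without it nothing on disk can unwrap the FEK.
function Remove-EfsPrivateKey {
    param([Parameter(Mandatory)][string]$Thumbprint)
    Remove-Item -Path "Cert:\CurrentUser\My\$Thumbprint" -DeleteKey
}

# Step 3 (on the road, or on the recovery station): re-import to decrypt, then remove again.
# Caveat: re-import BEFORE encrypting anything new, or EFS silently generates a fresh key
# that is not in your backup.
function Restore-EfsKey {
    param([Parameter(Mandatory)][string]$PfxPath, [Parameter(Mandatory)][securestring]$Password)
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $Password
}

# Step 4 (purge): list leftover recovery-agent keys, e.g. an old default Administrator certificate.
function Get-LeftoverRecoveryKey { Get-EfsCert -Eku $RecoveryEku }

# Usage (placeholder path; prompt for the password rather than hard-coding it):
# $pw = Read-Host -AsSecureString 'PFX password'
# $tp = Backup-EfsKey -PfxPath 'E:\efs-backup.pfx' -Password $pw   # E: = removable media
# Remove-EfsPrivateKey -Thumbprint $tp
# Restore-EfsKey -PfxPath 'E:\efs-backup.pfx' -Password $pw
```

The built-in `cipher /x` command performs the same backup for the current user's EFS keys if you prefer not to script it; test the full remove-and-restore round trip on a throwaway encrypted file before relying on it.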
