EFS in a domain expires after three years – Tales from the Crypto


I enjoyed the research for writing my article on EFS, for the Technet Security Newsletter, but there’s always something experience will teach you.

Here’s an issue I experienced just last week, with EFS. It shouldn’t have been a surprise, given what I already know, and if I put the two facts together, you’ll probably spot it straight away:

  • EFS certificates are automatically issued, and expire after three years if you use the default EFS template.
  • When you create a domain, the administrator account on the first domain controller is automatically given an EFS certificate, so he can become the domain’s default DRA.

You’ve spotted it already (and the title helped you, right?) – after three years, the administrator’s EFS certificate expires.

His certificate may get renewed, so he can encrypt more documents, and of course his old private key still allows him to read files that were encrypted while the certificate was still valid.

That assumes, though, that the administrator’s account is an actively used one.

Whether it’s used or not, though, the fact remains that the DRA certificate does not get updated in the default Group Policy Object – and as a result, even if the administrator renews his EFS certificate, EFS will be effectively disabled throughout the domain.

Here’s the dialog you get:


For those of you using search engines, that dialog says “Error Applying Attributes”, “An error occurred applying attributes to the file:”, and “Recovery policy configured for this system contains invalid recovery certificate.”

Pretty much your only good choice here is “Cancel”, until you can generate a new certificate and add it to the default domain policy, being sure to remove the old expired cert.


[That old private key can be used to recover anything that was encrypted using EFS before the key expired. Always keep hold of the PFX files for keys that can be used to decrypt information – always, always, always.]

There’s no easy way to put the new certificate into the default domain policy, so you have to do it by hand. You might as well also generate the certificate by hand, and make sure that it’s not associated with a particular user account (why should it be? it’s just a key with a purpose, and that purpose is not associated with a user.)

How do you do this best?

A simple command line is easiest, in my opinion:

C:\>cipher /R:EFS_DRA_20070324
Please type in the password to protect your .PFX file:
Please type in the password to protect your .PFX file:

Your .CER file was created successfully.
Your .PFX file was created successfully.

That generates two files – EFS_DRA_20070324.PFX, and EFS_DRA_20070324.CER. As hinted at in the output, the PFX file is protected by a password (as they all should be) – move this immediately to a floppy disk and lock it in a cabinet, along with documentation of the password you used (or segregate the two, whatever your certificate handling policies dictate). Or maybe you expect to have frequent requests to recover EFS-encrypted files, so you want the Service Desk to own the PFX file.

Then, go through whatever change management nightmares you have to do in order to edit the default domain policy, delete the old expired certificate, and import the one you just created.

Now, encrypt away, knowing that your encrypted files can be recovered using the PFX file you just created.
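The procedure above ends with a new DRA certificate that you have to trust is correct and current, and the whole problem started with a certificate nobody noticed expiring. As an added example (not code from the original post), the following PowerShell script audits the .CER file that `cipher /R:` wrote, confirming it carries the File Recovery usage and reporting when it expires, and it goes a step further than the post by also listing the EFS and recovery certificates in the current user's store so that an administrator's own expiring EFS certificate shows up before it bites. The path in `$DraCerPath` and the 90-day threshold in `$WarnDays` are placeholders; the two OIDs are Microsoft's enhanced key usage values for Encrypting File System and File Recovery.

```powershell
# Added example, not from the original post: audit the EFS recovery-agent (DRA)
# certificate produced by "cipher /R:<name>" and the EFS certificates in the
# current user's store, flagging anything expired or close to expiry.
# Assumptions: $DraCerPath is a placeholder path; $WarnDays is an arbitrary threshold.
param(
    [string]$DraCerPath = 'C:\EFS_DRA_20070324.CER',   # placeholder; point at your .CER
    [int]$WarnDays = 90                                # warn this many days before NotAfter
)

# Microsoft enhanced key usage OIDs:
#   1.3.6.1.4.1.311.10.3.4    Encrypting File System (ordinary EFS user certificate)
#   1.3.6.1.4.1.311.10.3.4.1  File Recovery (what a DRA certificate must carry)
$EfsOid      = '1.3.6.1.4.1.311.10.3.4'
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EfsCertStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Read EKU OIDs straight from the extension rather than the Cert: provider's
    # EnhancedKeyUsageList, so the same function works on a loose .CER file.
    $ekuOids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }

    $now      = Get-Date
    $daysLeft = [int][math]::Floor(($Cert.NotAfter - $now).TotalDays)
    if ($now -gt $Cert.NotAfter)     { $state = 'EXPIRED' }
    elseif ($daysLeft -le $WarnDays) { $state = 'EXPIRING' }
    else                             { $state = 'OK' }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotBefore  = $Cert.NotBefore
        NotAfter   = $Cert.NotAfter
        DaysLeft   = $daysLeft
        IsRecovery = ($ekuOids -contains $RecoveryOid)
        IsEfsUser  = ($ekuOids -contains $EfsOid)
        State      = $state
    }
}

# 1. The DRA certificate file written by cipher /R. Only the public .CER is read;
#    the password-protected .PFX stays wherever your key-handling policy keeps it.
$draStatus = $null
if (Test-Path $DraCerPath) {
    $dra = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $DraCerPath
    $draStatus = Get-EfsCertStatus -Cert $dra
    if (-not $draStatus.IsRecovery) {
        Write-Warning "$DraCerPath lacks the File Recovery EKU; the recovery policy will not accept it as a DRA."
    }
    if ($draStatus.State -ne 'OK') {
        Write-Warning "DRA certificate $($draStatus.Thumbprint) is $($draStatus.State) (NotAfter $($draStatus.NotAfter))."
    }
    $draStatus | Format-List
} else {
    Write-Warning "DRA certificate file not found: $DraCerPath"
}

# 2. EFS and recovery certificates in the current user's personal store. An expired
#    entry here is still worth keeping: its private key reads files encrypted while
#    it was valid, as the post notes; it just cannot protect new ones.
$report = Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Get-EfsCertStatus -Cert $_ } |
    Where-Object { $_.IsEfsUser -or $_.IsRecovery } |
    Sort-Object NotAfter

$report | Format-Table Subject, State, DaysLeft, NotAfter, IsRecovery -AutoSize

# Non-zero exit if anything is expired, so the script can run from a scheduled task
# and raise an alert long before clients start refusing to encrypt.
if (($report.State -contains 'EXPIRED') -or ($draStatus -and $draStatus.State -eq 'EXPIRED')) { exit 1 }
```

Run it on the domain controller right after `cipher /R:` (pointing `$DraCerPath` at the .CER you just created) to confirm the file is a usable recovery certificate and to record its NotAfter date in your change ticket; scheduled with the threshold set to a comfortable lead time, the same script gives you the warning that the default three-year template never does.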

11 Responses to EFS in a domain expires after three years

  • It also happens while trying to access previously encrypted files with an expired DRA domain certificate, but the initial response from the system is much more cryptic. For example, opening a file in Excel or trying to create a plain folder inside of an already encrypted folder results in a simple “Access Denied” message. My first responses were to log out/in, reboot, run chkdsk, etc.

  • There is also a KB article for this issue: http://support.microsoft.com/kb/929103.

  • yeah, my company was burned on this. Go Microsoft. Way to let admins know a critical element of security exists upon the creation of a domain.

    Our recovery process (the private key was totally way lost) was to implement 2 new DRAs, which I spent forever trying to figure out how to do. Then days after the cert expired and I had admins complaining about access loss to their files, I managed to get the solution in place, but no one wants to go anywhere near EFS now… but it’s coming anyway. 🙂

  • Re the previous comment, “Go Microsoft. Way to let admins know a critical element of security exists upon the creation of a domain”…

    How about “Go, stupid employee. Way to take on a job that you don’t have enough experience with”?

    If you can’t handle the heat, get out of the kitchen.

    If you don’t understand the basics of certificate expiration and the impact this has on a business, then go work in human resources or something.

    One of the first things I do when I enter a new company is to audit everything I can, including certificate expiration dates. It’s common sense. It doesn’t take long. And it’s really the most obvious thing you could do if you are running an IT network.

  • Re: the previous comment, “Go, stupid employee,..”

    Obviously written by a Microsoft employee…

  • mr mat sounds like one of those guys who doesn’t know anything and is hiding it.
    The EFS Certificate stuff is a challenge to understand for the rest of us “non-geniuses”.
    Thanks for the article.

  • Yeah, and what do you do when you are out of the domain when the expiration arrives, and that you cannot connect back to it for a few months?
    You stop encrypting files…

    I have rights to add new recovery agents, but the presence of the existing expired certificate prevents me from encrypting anyway. There is no way to remove it (that I manage).

    • You can remove that expired certificate from the default domain policy, with the understanding that the private key may be lost and you can’t read any files that were encrypted from that certificate. Just click the remove button, and add the new DRA account that you created and you will be able to encrypt after Group Policy refreshes.

  • Alun Jones,

    Thank you very much for the informative analysis on EFS and how the default account expires. I came across your blog while researching the “Recovery policy configured for this system contains invalid recovery certificate” error message; and apparently what’s happened to our Windows 2008 server is exactly what you described.

    Quick question though regarding: “Then, go through whatever change management nightmares you have to do in order to edit the default domain policy, delete the old expired certificate, and import the one you just created.”

    Do you know of any websites with a good walkthrough on how to carry these steps out? I’m afraid I’m in a bit over my head on this one.

    Thanks in advance,

    L.F. Lee

  • There are plenty of nightmares associated with this. How about when you use Windows 7 and your remote users are configured to encrypt the offline cache when your cert expires? The syncs are newly encrypted files so guess what? It stops working. Winning. . . .

  • One of the first things Mat does when he joins a new company is to audit everything he can, which doesn’t take long. Sounds like a pretty thorough audit that, or a conveniently small company.
