I'm looking for a way to programmatically (any language) add a Data Recovery Agent (DRA) certificate for Encrypting File System (EFS) in Windows OS.

Manually it's easy to perform via gpedit.msc: Security Settings -> Public Key Policies -> Encrypting File System -> Add DRA;

but I want to automate it (without using Active Directory Group Policies!).

A command line solution would also be acceptable.


Solution

The solution is to use the (Local) Group Policy Object API to publish the registry keys described in the MSDN documentation "[MS-GPEF]: Group Policy: Encrypting File System Extension" (MS-GPEF). Two main keys must be created: \EFS\!Blog and \EFS!EFBBlob. A similar solution can be used for BitLocker.

Remarks:

- MS-GPEF registry keys must be modified according to GPO publishing rules. Direct insertion will be automatically removed by the OS.
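As an added illustration of the approach the answer describes (this is not code from the answer or from Microsoft), the script below publishes the EfsBlob value through the local GPO with the IGroupPolicyObject COM interface instead of writing HKLM directly. It assumes the MS-GPEF EfsBlob for the DRA certificate has already been produced and saved as C:\efs\EfsBlob.bin, that the key path Software\Policies\Microsoft\SystemCertificates\EFS and value name EfsBlob follow MS-GPEF, and that the two GUIDs passed to Save() are the EFS recovery CSE and its snap-in as seen in a gpt.ini written by gpedit.msc.

```powershell
# Added example, not from the original answer. Assumptions: a pre-built MS-GPEF EfsBlob in
# C:\efs\EfsBlob.bin; key path / value name per MS-GPEF; CSE and snap-in GUIDs taken from a
# gpt.ini produced by gpedit.msc after adding a DRA there.
$src = @"
using System;
using System.Runtime.InteropServices;
[ComImport, Guid("EA502722-A23D-11d1-A7D3-0000F87571E3")]
public class GPClass {}
[ComImport, Guid("EA502723-A23D-11d1-A7D3-0000F87571E3"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
public interface IGroupPolicyObject {   // method order must match the gpedit.h vtable
  void New([MarshalAs(UnmanagedType.LPWStr)] string d, [MarshalAs(UnmanagedType.LPWStr)] string n, uint f);
  void OpenDSGPO([MarshalAs(UnmanagedType.LPWStr)] string p, uint f);
  void OpenLocalMachineGPO(uint flags);
  void OpenRemoteMachineGPO([MarshalAs(UnmanagedType.LPWStr)] string c, uint f);
  void Save([MarshalAs(UnmanagedType.Bool)] bool machine, [MarshalAs(UnmanagedType.Bool)] bool add,
            [In] ref Guid extension, [In] ref Guid snapin);
  void Delete();
  void GetName(IntPtr n, int cch);
  void GetDisplayName(IntPtr n, int cch);
  void SetDisplayName([MarshalAs(UnmanagedType.LPWStr)] string n);
  void GetPath(IntPtr p, int cch);
  void GetDSPath(uint s, IntPtr p, int cch);
  void GetFileSysPath(uint s, IntPtr p, int cch);
  void GetRegistryKey(uint section, out IntPtr hKey);
  void GetOptions(out uint o);
  void SetOptions(uint o, uint m);
  void GetType(out uint t);
  void GetMachineName(IntPtr n, int cch);
  void GetPropertySheetPages(out IntPtr pages, out uint count);
}
"@
Add-Type -TypeDefinition $src

$blob = [IO.File]::ReadAllBytes('C:\efs\EfsBlob.bin')      # assumption: pre-built EfsBlob
$gpo  = [IGroupPolicyObject](New-Object GPClass)
$gpo.OpenLocalMachineGPO(1)                                 # GPO_OPEN_LOAD_REGISTRY
$h = [IntPtr]::Zero
$gpo.GetRegistryKey(2, [ref]$h)                             # GPO_SECTION_MACHINE
$safe = New-Object Microsoft.Win32.SafeHandles.SafeRegistryHandle($h, $true)
$root = [Microsoft.Win32.RegistryKey]::FromHandle($safe)
$efs  = $root.CreateSubKey('Software\Policies\Microsoft\SystemCertificates\EFS')
$efs.SetValue('EfsBlob', $blob, [Microsoft.Win32.RegistryValueKind]::Binary)
$efs.Close(); $root.Close()
# Save() rewrites registry.pol, bumps the GPT version and registers the CSE; a raw HKLM write
# skips all of that, which is why the OS discards it at the next policy refresh.
$cse    = [Guid]'B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A'    # assumption: EFS recovery CSE
$snapin = [Guid]'53D6AB1D-2488-11D1-A28C-00C04FB94F17'    # assumption: matching snap-in
$gpo.Save($true, $true, [ref]$cse, [ref]$snapin)
```

Run from an elevated PowerShell; after `gpupdate /force`, `cipher /r` or the gpedit.msc EFS node should show the published DRA.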

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow