Question

I'm looking for a way to programmatically (any language) add a Data Recovery Agent (DRA) certificate for Encrypting File System (EFS) in Windows OS.

Manually, it's easy to do in gpedit.msc: Security Settings -> Public Key Policies -> Encrypting File System -> Add DRA;

but I want to automate it (without using Active Directory Group Policies!).

A command line solution would also be acceptable.

Solution

The solution is to use the (Local) Group Object Policy API to publish the registry keys described in the MSDN documentation "[MS-GPEF]: Group Policy: Encrypting File System Extension" (MS-GPEF). Two main keys must be created: \EFS\!Blog and \EFS!EFBBlob. A similar solution can be used for BitLocker.

Remarks:

- MS-GPEF registry keys must be modified according to GPO publishing rules. Direct insertion will be automatically removed by the OS.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow