How to Use the EFS Certificate Configuration Updater

The EFS Certificate Configuration Updater is an administrative tool that updates user and Data Recovery Agent (DRA) certificates for the Windows Encrypting File System (EFS). When EFS certificates expire or roll over to a new public key infrastructure (PKI) template, users can lose access to locally encrypted files. Running this built-in updater migrates all existing encrypted files to the newest valid certificate thumbprint without requiring manual decryption and re-encryption.

Prerequisites Before Updating
Valid New Certificate: Ensure the new EFS or DRA certificate is actively issued and visible in the local store via certmgr.msc.
Administrative Privileges: You must run deployment commands from an elevated command prompt or PowerShell instance.
Forced Group Policy: If deploying on a domain, execute gpupdate /force first to pull the updated Group Policy Object (GPO) parameters.

Step-by-Step: Updating via the Graphical Wizard
Windows provides a wizard built directly into the Control Panel to update and re-encrypt files.

1. Open the Control Panel and navigate to User Accounts.
2. Click Manage your file encryption certificates in the left-hand navigation pane.
3. Click Next on the welcome screen to view all currently active and legacy certificates.
4. Select the newest valid certificate you wish to use going forward, then click Next.
5. Check the box to Update previously encrypted files so the wizard can retroactively apply the new key.
6. Choose the specific drives or folders to scan, then click Next to complete the update.

Step-by-Step: Updating via the Command-Line Utility
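The following PowerShell is an added example, not part of the original page, showing the same checks and the same update from an elevated prompt. It verifies the prerequisite above (a valid certificate with the EFS Enhanced Key Usage and a private key in the current user's Personal store), prints the thumbprint EFS currently uses, and then runs the built-in cipher.exe with its /u switch, which is the command-line counterpart of the wizard's "update previously encrypted files" option. The function names are this example's own; cipher.exe, its /y, /u and /n switches, and the EFS EKU OID are real Windows values.

```powershell
# Added example: inspect EFS certificates and update previously encrypted files
# with the built-in cipher.exe. Run from an elevated PowerShell session after the
# new EFS certificate has been issued into the current user's Personal store.

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for Encrypting File System

function Get-EfsCandidateCertificate {
    # Lists certificates in CurrentUser\My that carry the EFS EKU, have a private
    # key and are valid right now, newest expiry first. An empty result means the
    # prerequisite is not met and the update should not be attempted.
    $now = Get-Date
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EfsEku })
        } |
        Sort-Object NotAfter -Descending |
        Select-Object Thumbprint, Subject, NotBefore, NotAfter, Issuer
}

function Show-CurrentEfsThumbprint {
    # cipher /y prints the thumbprint of the certificate EFS will use for files
    # encrypted from now on; compare it with the candidate list above.
    cipher.exe /y
}

function Update-EfsEncryptedFiles {
    param([switch]$InventoryOnly)
    # cipher /u walks every encrypted file on the local drives that the current
    # user can open and rewrites its key material to the current user and
    # recovery-agent certificates. /n together with /u only lists those files
    # without changing them, which is a safe dry run before the real update.
    if ($InventoryOnly) {
        cipher.exe /u /n
    } else {
        cipher.exe /u
    }
}

# Usage (as an administrator):
#   Get-EfsCandidateCertificate | Format-Table -AutoSize
#   Show-CurrentEfsThumbprint
#   Update-EfsEncryptedFiles -InventoryOnly   # dry run: list affected files
#   Update-EfsEncryptedFiles                  # rewrite keys on all local encrypted files
```

Two practical differences from the wizard are worth keeping in mind: cipher /u always covers all local drives and cannot be scoped to a chosen folder, and it only touches files the running user is able to decrypt, so files encrypted by other accounts on a shared machine must be updated by those users (or recovered through the DRA).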