Solved

Offline Encryption GPO - 'Encrypt offline files to secure data' checkbox unavailable

Posted on 2006-06-21
891 Views
Last Modified: 2012-05-05
I need some help with an Offline Files / Offline encryption GPO.  So far I've done the following:

1.  For testing purposes I've set up an OU in our domain called Testing.
2.  I've put 3 client machines in this OU:  XP1, XP2, XP3 (all are Windows XP, SP2).
3.  Checked and made sure that a valid certificate exists.
4.  Created and linked a GPO to the Testing OU called OfflineEncryption.

The GPO has only 2 settings that have been enabled in the following spot:

Computer Configuration\Administrative Templates\Network\Offline Files

The 2 settings that have been enabled are:  

1.  Allow or Disallow use of the Offline Files feature
2.  Encrypt the Offline Files cache

So technically any user that logs into these respective machines should by default receive the following settings (found in Tools\Folder Options\Offline Files in Windows Explorer):

1.  Enable Offline Files should be checked and grayed out
2.  Encrypt offline files to secure data should be checked and grayed out

HOWEVER, this is not the case; the GPO works only halfway.  'Enable offline files' is checked and grayed out; however, 'Encrypt offline files' is grayed out but NOT CHECKED, which pretty much means to me that any offline files we have are not being encrypted.

I've run gpresult on each machine and the 'OfflineEncryption' GPO is being applied to each.  I've tried recreating the GPO, moving the machines in and out of the Testing OU, running gpupdate /force 10x, and still the same results.

I'm at a standstill with this issue.  Anyone have any ideas?
Question by bangia_v

28 Comments

Expert Comment by grigory7811 (LVL 1):
Check the %SystemRoot%\CSC folder and its subfolders.
If files placed here are readable, then encryption really is not enabled.
Author Comment by bangia_v:
The CSC folder is not there, which to me means that the offline files cache is not encrypted.  However, the GPO is being applied to the computer, according to the results of gpresult.  I tried to start over with a freshly installed machine, a new test OU, and a new GPO.  I turned on 'block inheritance' so that the only GPO that should affect this machine was the OfflineEncryption GPO; however, I came up with the same results.
Expert Comment by engineer_dell (LVL 6):
Hello Bangia,

Offline file policies are set at both the computer and the user level, and there are identically named policies at each level. If you work with identically named policies at both levels, keep in mind that computer policies override user policies and that these policies may be applied at different times.

The primary policies you'll want to use are summarized in Table 8-2. As the table shows, most offline policies affect access, synchronization, caching, and encryption. You'll find Offline File policies under Computer Configuration\Administrative Templates\Network\Offline Files and User Configuration\Administrative Templates\Network\Offline Files.

Please refer,
http://technet2.microsoft.com/WindowsServer/en/Library/9dba5df2-0359-4fa4-bdcf-dd6ae5ca345e1033.mspx?mfr=true
https://www.microsoft.co.ke/mspress/books/sampchap/5205c.asp
http://technet2.microsoft.com/WindowsServer/en/Library/af74d4f6-258f-477a-9d1c-2ca2b58860011033.mspx?mfr=true

Regards,

Engineer_Dell
Expert Comment by engineer_dell (LVL 6):

Please also check out this Hot Fix,
The "Encrypt the Offline Files cache" Group Policy setting does not take effect when a user logs on to a Windows XP-based computer

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B810859

Regards,

Engineer_Dell
Author Comment by bangia_v:
I see your point; however, there is no offline encryption policy at the user configuration level, only at the computer configuration level.  I checked and I'm definitely setting the policy setting in the right spot:  Computer Configuration\Administrative Templates\Network\Offline Files and User Configuration\Administrative Templates\Network\Offline Files.

I'm going to call Microsoft and get the hotfix and see if that does the trick.  I'm not too confident, however, as I've experienced the issue when logging in as a domain admin and as an authenticated domain user.
Expert Comment by engineer_dell (LVL 6):
Well, give it a try, and please do let me know the progress.

Regards,

Engineer_Dell
Author Comment by bangia_v:
Nope, didn't work... when I talked to MS, they said that this hotfix would not fix the situation as it was included as part of SP2.  The workstations we are dealing with already have Windows XP SP2.
Expert Comment by engineer_dell (LVL 6):
BTW, did you refer to these articles to check whether you are going through the right steps?

http://technet2.microsoft.com/WindowsServer/en/Library/9dba5df2-0359-4fa4-bdcf-dd6ae5ca345e1033.mspx?mfr=true
https://www.microsoft.co.ke/mspress/books/sampchap/5205c.asp
http://technet2.microsoft.com/WindowsServer/en/Library/af74d4f6-258f-477a-9d1c-2ca2b58860011033.mspx?mfr=true

If not, please do that; meanwhile I will try to emulate the same problem in our lab...

Regards,

Engineer_Dell
Assisted Solution by engineer_dell (LVL 6, earned 500 total points):
Hi Bangia

Please send me the details of the following policies along with their registry settings; also post your server details and Userenv.log:

MACHINE\Administrative Templates\System\ Do not automatically encrypt files moved to encrypted folders

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoEncryptOnMove

Expert Comment by engineer_dell (LVL 6):
MACHINE\Administrative Templates\System\Group Policy - EFS recovery policy processing

HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoSlowLink
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoBackgroundPolicy
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoGPOListChanges

Expert Comment by engineer_dell (LVL 6):
MACHINE\Administrative Templates\Windows Components\Terminal Services\Encryption and Security\Set client connection encryption level

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MinEncryptionLevel

(Sorry that I am posting my reply in parts as EE is giving "Question Not Found" error when I post my complete reply together)
Author Comment by bangia_v:
All 3 of our DCs at this location are Dell 1850s with Windows 2003 SP1, multiple processors, and plenty of RAM.  The clients are all XP SP2 with the latest & greatest patches.

Here are the results from the registry and GPO:

MACHINE\Administrative Templates\System\ Do not automatically encrypt files moved to encrypted folders
**This setting in the GPO is set to 'Not Configured'**

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoEncryptOnMove
**This regkey does NOT exist**

MACHINE\Administrative Templates\System\Group Policy - EFS recovery policy processing
**This setting in the GPO is set to 'Not Configured'**

HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoSlowLink
**This regkey does NOT exist**

HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoBackgroundPolicy
**This regkey does NOT exist**

HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoGPOListChanges
**This regkey does NOT exist**

MACHINE\Administrative Templates\Windows Components\Terminal Services\Encryption and Security\Set client connection encryption level
**This setting in the GPO is set to 'Not Configured**

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MinEncryptionLevel
**This regkey does NOT exist**

After running 'gpresult /v > gpo.txt', the gpo.txt file shows that the GPO we want to apply to the client WAS applied:

Applied Group Policy Objects:

AllowOfflineFilesEncryption
Default Domain Policy
MachineInventory
Local Group Policy

Gpo.txt also shows that the following regkeys were created on the client:

GPO: AllowOfflineFilesEncrypt
                Setting: Software\Policies\Microsoft\Windows\NetCache
                State:   Enabled

 GPO: AllowOfflineFilesEncrypt
                Setting: Software\Policies\Microsoft\Windows\NetCache
                State:   Enabled

It appears as if the GPO has been applied; however, the results are the same:  in Windows Explorer under Tools\Folder Options on the Offline Files tab, the 'Enable Offline Files' check box is checked and grayed out. The 'Encrypt offline files to secure data' check box is grayed out but not checked.

Expert Comment by engineer_dell (LVL 6):
Hello Bangia,

The only thing I can make out from your post is that "Set client connection encryption level" is not configured; it may create the problem, as it specifies whether to enforce an encryption level for all data sent between the client and the remote computer.   Important: If FIPS compliance has already been enabled by the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" Group Policy, you cannot change the encryption level by using this Group Policy or by using Terminal Services Configuration.   If the status is set to Enabled, encryption for all connections to the server is set to the level you specify. By default, encryption is set to High. The following encryption levels are available:
Expert Comment by engineer_dell (LVL 6):
FIPS Compliant: encrypts data sent from client to server and from server to client to meet the Federal Information Processing Standard 140-1 (FIPS 140-1), a security implementation designed for certifying cryptographic software. Use this level when Terminal Services connections require the highest degree of encryption. FIPS 140-1 validated software is required by the U.S. Government and requested by other prominent institutions.  

High: encrypts data sent from client to server and from server to client by using strong 128-bit encryption. Use this level when the remote computer is running in an environment containing 128-bit clients only (such as Remote Desktop Connection clients). Clients that do not support this level of encryption cannot connect.

Client Compatible: encrypts data sent from client to server and from server to client at the maximum key strength supported by the client. Use this level when the remote computer is running in an environment containing mixed or legacy clients.
Expert Comment by engineer_dell (LVL 6):
Low: encrypts data sent from the client to the server using 56-bit encryption. Note that data sent from the server to the client is not encrypted when Low is specified.  

If the status is set to Disabled or Not Configured, the encryption level is not enforced through Group Policy. However, administrators can set the encryption level on the server using the Terminal Services Configuration tool.

Also, check this small article out - You may find it useful -
http://technet2.microsoft.com/WindowsServer/f/?en/Library/8602e646-26e7-4247-9218-8c7e62ab56a01033.mspx

Regards,

Engineer_Dell
Author Comment by bangia_v:
I changed the GPO so the "Set client connection encryption level" setting was enabled; however, the results were the same.  In Windows Explorer under Tools\Folder Options on the Offline Files tab, the 'Enable Offline Files' check box is checked and grayed out. The 'Encrypt offline files to secure data' check box is grayed out but not checked.
Expert Comment by engineer_dell (LVL 6):
Modify the Active Directory Group Policy setting
To modify the Active Directory Group Policy setting to reference the new Group Policy Client Side extension, use the new Client Side extension in an Active Directory Group Policy setting.

Note Update the System.adm file and the Group Policy object in Active Directory. Update the System.adm file first. To do this, follow these steps:
1. Update the System.adm file to include the CLIENTEXT line, as follows:

POLICY !!Pol_EncryptOfflineFiles
   #if version >= 4
      SUPPORTED !!SUPPORTED_WindowsXP
   #endif
   VALUENAME "EncryptCache"
   EXPLAIN !!Pol_EncryptOfflineFiles_Help
      VALUEON  NUMERIC 1
      VALUEOFF NUMERIC 0
      CLIENTEXT {C631DF4C-088F-4156-B058-4375F0853CD8}
END POLICY
Expert Comment by engineer_dell (LVL 6):
To find the System.adm location path for the Group Policy setting, follow these steps:
a.  Use the Active Directory Users and Computers tool to select a container where the Group Policy setting is applied.
b.  Change the container to display the Group Policy setting GUID. An example of this GUID is {9F16DD40-9777-4AD9-870C-9B9F1E73203E}.
c.  Use the Active Directory Service Interfaces (ADSI) Edit tool or the EnumProp tool to display the gPCFileSysPath attribute, as in the following example:
enumprop "LDAP://mydc/CN={3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8},CN=Policies,CN=System,DC=mycompany,DC=com"
The following example shows the gPCFileSysPath attribute:
LDAP://machinedc/CN={3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8},CN=Policies,CN=System,DC= mycompany,DC=com: 19 set properties.
 gPCFileSysPath: \\Test.net\SysVol\mycompany.com\Policies\{3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8}
Note The EnumProp tool is included in the Windows XP Resource Kit.
Expert Comment by engineer_dell (LVL 6):
Update the Active Directory Group Policy object to include the Client Side extension in the gPCMachineExtensionNames attribute. To do this automatically in the Group Policy Editor snap-in, follow these steps:
a.  Use the Group Policy Editor snap-in to modify the Group Policy setting.
b.  Modify the "Encrypt the Offline Files cache" Group Policy setting.

Note Because the "Encrypt the Offline Files cache" Group Policy setting is now linked to the new CLIENTEXT line in the System.adm file, the Group Policy Editor will automatically update the gPCMachineExtensionNames Active Directory attribute to include the new Client Side extension GUID.

Good Luck,

Engineer_Dell
Author Comment by bangia_v:
I looked up the GUID for the GPO in question and then went to the SYSVOL directory on one of the DCs.  When I opened the system.adm file and looked for the EncryptOfflineFiles policy I found the following:

POLICY !!Pol_EncryptOfflineFiles
   #if version >= 4
   SUPPORTED !!SUPPORTED_WindowsXP_SP2_W2K_SP5_NETSERVER_SP1
   #endif

   VALUENAME "EncryptCache"
   EXPLAIN !!Pol_EncryptOfflineFiles_Help
   VALUEON  NUMERIC 1
   VALUEOFF NUMERIC 0
   CLIENTEXT {C631DF4C-088F-4156-B058-4375F0853CD8}
END POLICY

The 'CLIENTEXT' line is already in the system.adm.  Did you want me to replace this GUID with the GUID of the offline GPO?
Author Comment by bangia_v:
Using ADSI edit, I looked at the attributes of the gPCMachineExtensionNames of the GPO in question.  It was already populated correctly with the following:  

[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{C631DF4C-088F-4156-B058-4375F0853CD8}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]

I found this article on Microsoft support, but I think it references instances ONLY when GPOs are created using a script.  I did not use Creategpo.wsf to create the GPO; I used GPMC:

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B885009

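A cross-check of the two artifacts posted above (the POLICY block from System.adm and the gPCMachineExtensionNames value read with ADSI Edit), as an added example that is not part of the thread: it pulls the CLIENTEXT GUID out of the ADM text and confirms the GPO attribute lists that GUID as a client-side extension, which is the condition the KB steps are trying to establish. The sample strings are the ones quoted in the posts; the parsers are a minimal reading of the ADM and [{CSE}{snap-in}] attribute formats written for this example, not a Microsoft tool.

```python
"""Cross-check the Offline Files CLIENTEXT GUID in System.adm against a GPO's
gPCMachineExtensionNames attribute. Added example; parsers are simplified."""
import re

# A GUID in braces, the form used both by CLIENTEXT and by the AD attribute.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample: the POLICY block exactly as quoted from System.adm in the thread.
SYSTEM_ADM_SNIPPET = """
POLICY !!Pol_EncryptOfflineFiles
   #if version >= 4
   SUPPORTED !!SUPPORTED_WindowsXP_SP2_W2K_SP5_NETSERVER_SP1
   #endif
   VALUENAME "EncryptCache"
   EXPLAIN !!Pol_EncryptOfflineFiles_Help
   VALUEON  NUMERIC 1
   VALUEOFF NUMERIC 0
   CLIENTEXT {C631DF4C-088F-4156-B058-4375F0853CD8}
END POLICY
"""

# Constructed sample: the attribute value as read with ADSI Edit in the thread.
GPC_MACHINE_EXT_NAMES = (
    "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]"
    "[{C631DF4C-088F-4156-B058-4375F0853CD8}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]"
)


def adm_policies(adm_text):
    """Map each POLICY name to its VALUENAME and CLIENTEXT (None when absent)."""
    policies, current = {}, None
    for raw in adm_text.splitlines():
        line = raw.strip()
        if line.upper().startswith("POLICY "):
            current = line.split(None, 1)[1]
            policies[current] = {"VALUENAME": None, "CLIENTEXT": None}
        elif line.upper() == "END POLICY":
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].upper() in ("VALUENAME", "CLIENTEXT"):
                key, val = parts[0].upper(), parts[1].strip().strip('"')
                policies[current][key] = val.upper() if key == "CLIENTEXT" else val
    return policies


def parse_extension_names(value):
    """Parse [{CSE}{snap-in}...]... into {CSE GUID: [snap-in GUIDs]}, upper-cased."""
    result = {}
    for group in re.findall(r"\[(.*?)\]", value):
        guids = [g.upper() for g in GUID_RE.findall(group)]
        if guids:  # first GUID of each bracket group is the client-side extension
            result[guids[0]] = guids[1:]
    return result


def cse_registered(adm_text, ext_names, policy="!!Pol_EncryptOfflineFiles"):
    """True when the policy's CLIENTEXT GUID appears as a CSE in the GPO attribute."""
    cse = adm_policies(adm_text).get(policy, {}).get("CLIENTEXT")
    return cse is not None and cse in parse_extension_names(ext_names)
```

A False result on a real GPO means the attribute still needs the gPCMachineExtensionNames update described in the steps above; True, as with the values in this thread, rules that cause out.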

0
 
LVL 6

Accepted Solution

by:
engineer_dell earned 500 total points
Comment Utility
Yes, you should try that... Remember to copy the old line also so that you may restore it in case this step doesn't work. After you replace the line, don't forget to update the Active Directory Group Policy object to include the Client Side extension in the gPCMachineExtensionNames attribute.

By the way, have you tried using CSCCMD.EXE on the XP client to enable Client Side Caching? If not, then you should try it:

http://support.microsoft.com/default.aspx?scid=kb;en-us;884739

Regards,

Engineer_Dell
Author Comment by bangia_v:
Unfortunately this did not work.  
Expert Comment by engineer_dell (LVL 6):
:)

Do you have any WMI filter linked to the "Offline" GPO ?
Author Comment by bangia_v:
No filter.  I actually just got off the phone w/ Microsoft.  There is a hotfix available for this issue on XP post SP2.  I just applied it to a few workstations and it FINALLY worked.  The KB Article number is 810859.  The file name is WindowsXP-KB810859-x86-ENU.exe.

Thanks for the help, you get the points.
Expert Comment by engineer_dell (LVL 6):
Cool !!

I had recommended the same hotfix on the 23rd, but I think that day the MS guy said something else... Anyway, wonderful that it worked ultimately...

At the end, I would suggest you read this also; it has very useful details on EFS:

https://www.netscum.dk/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

Keep Smiling,

Engineer_Dell

(It's been a pleasant experience working with you)