Solved

Offline Encryption GPO - 'Encrypt offline files to secure data' checkbox unavailable

Posted on 2006-06-21
Last Modified: 2012-05-05
I need some help with an Offline File / Offline encryption GPO.  So far I've done the following:

1.  For testing purposes I've set up an OU in our domain called Testing.  
2.  I've put 3 client machines in this OU:  XP1, XP2, XP3. (all are Windows XP, SP2)
3.  Checked and made sure that a valid certificate exists
4.  Created and linked a GPO to the Testing OU called OfflineEncryption.

The GPO has only 2 settings that have been enabled in the following spot:

Computer Configuration\Administrative Templates\Network\Offline Files

The 2 settings that have been enabled are:  

1.  Allow or Disallow use of the Offline Files feature
2.  Encrypt the Offline Files cache

So technically any user that logs into these respective machines should by default receive the following settings:  (found in Tools\Folder Options\Offline Files in Windows Explorer)

1.  Enable Offline Files should be checked and grayed out
2.  Encrypt offline files to secure data should be checked and grayed out

HOWEVER, this is not the case: the GPO works only halfway.  'Enable offline files' is checked and grayed out; however, 'Encrypt offline files' is grayed out but NOT CHECKED.  Which pretty much means to me that any offline files we have are not being encrypted.

I've run gpresult on each machine and the 'OfflineEncryption' GPO is being applied to each.  I've tried recreating the GPO, moving the machines in and out of the Testing OU, running gpupdate /force 10x, and still the same results.  

I'm at a standstill with this issue.  Anyone have any ideas?
Question by:bangia_v
LVL 1

Expert Comment

by:grigory7811
ID: 16960065
Check the %SystemRoot%\CSC folder and its subfolders.
If the files placed there are readable, then encryption is really not enabled.
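One way to do the check grigory7811 describes, and at the same time see what the Offline Files policy values actually look like on the client, from a PowerShell prompt on the XP machine. This is an added example, not code from the thread or from Microsoft. It assumes the policy values are written under HKLM\Software\Policies\Microsoft\Windows\NetCache with the names EncryptCache (the VALUENAME shown in the system.adm fragment later in this thread) and Enabled (an assumption for the "Allow or Disallow use of the Offline Files feature" setting), and that it is run with enough rights to enumerate %SystemRoot%\CSC.

```powershell
# Added example, not from the original thread. Run as an administrator on the XP client
# after gpupdate /force. Value names under the NetCache policy key: EncryptCache comes
# from system.adm (VALUENAME "EncryptCache"); Enabled is assumed.

function Get-OfflineFilesPolicyState {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache'
    $state = @{ PolicyKeyPresent = $false; Enabled = $null; EncryptCache = $null }
    if (Test-Path $key) {
        $state.PolicyKeyPresent = $true
        $props = Get-ItemProperty -Path $key
        $state.Enabled      = $props.Enabled        # assumed value name
        $state.EncryptCache = $props.EncryptCache   # VALUENAME from system.adm
    }
    return $state
}

function Get-CscEncryptionSummary {
    param([string]$CscRoot = (Join-Path $env:SystemRoot 'CSC'))
    $summary = @{ CscPresent = $false; Files = 0; Encrypted = 0; Unencrypted = @() }
    if (-not (Test-Path $CscRoot)) { return $summary }
    $summary.CscPresent = $true
    # -Force is needed because the cache files are hidden/system. Access errors are
    # skipped: the CSC directory is ACL-protected and may need SYSTEM rights to enumerate.
    Get-ChildItem -Path $CscRoot -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $summary.Files++
            # The EFS state of a file is its Encrypted attribute, the same thing cipher.exe reports.
            if (($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0) {
                $summary.Encrypted++
            } else {
                $summary.Unencrypted += $_.FullName
            }
        }
    return $summary
}

$policy = Get-OfflineFilesPolicyState
$cache  = Get-CscEncryptionSummary

"Policy key present : $($policy.PolicyKeyPresent)"
"Enabled            : $($policy.Enabled)"
"EncryptCache       : $($policy.EncryptCache)"
"CSC present        : $($cache.CscPresent)   files: $($cache.Files)   encrypted: $($cache.Encrypted)"

# The situation this thread is chasing: the policy value has been delivered (EncryptCache = 1)
# but the cache itself is not encrypted. That points at the client side, not at the GPO.
if ($policy.EncryptCache -eq 1 -and $cache.CscPresent -and $cache.Unencrypted.Count -gt 0) {
    "EncryptCache is set but $($cache.Unencrypted.Count) cached file(s) are not EFS-encrypted:"
    $cache.Unencrypted | Select-Object -First 10
}
```

If the NetCache key holds EncryptCache = 1 and the files under CSC still lack the Encrypted attribute, the GPO has been delivered and the problem is on the client, which is exactly the distinction gpresult alone cannot make for you.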

Author Comment

by:bangia_v
ID: 16968475
The CSC folder is not there, which to me means that the offline files cache is not encrypted.  However, the GPO is being applied to the computer, from the results of gpresult.  I tried to start over with a freshly installed machine, a new test OU, and a new GPO.  I turned on 'block inheritance' so that the only GPO that should affect this machine was the OfflineEncryption GPO; however, I came up with the same results.

Expert Comment

by:engineer_dell
ID: 16968604
Hello Bangia,

Offline file policies are set at both the computer and the user level, and there are identically named policies at each level. If you work with identically named policies at both levels, keep in mind that computer policies override user policies and that these policies may be applied at different times.

The primary policies you'll want to use are summarized in Table 8-2. As the table shows, most offline policies affect access, synchronization, caching, and encryption. You'll find Offline File policies under Computer Configuration\Administrative Templates\Network\Offline Files and User Configuration\Administrative Templates\Network\Offline Files.

Please refer,
http://technet2.microsoft.com/WindowsServer/en/Library/9dba5df2-0359-4fa4-bdcf-dd6ae5ca345e1033.mspx?mfr=true
https://www.microsoft.co.ke/mspress/books/sampchap/5205c.asp
http://technet2.microsoft.com/WindowsServer/en/Library/af74d4f6-258f-477a-9d1c-2ca2b58860011033.mspx?mfr=true

Regards,

Engineer_Dell

Expert Comment

by:engineer_dell
ID: 16968637

Please also check out this Hot Fix,
The "Encrypt the Offline Files cache" Group Policy setting does not take effect when a user logs on to a Windows XP-based computer

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B810859

Regards,

Engineer_Dell

Author Comment

by:bangia_v
ID: 16970113
I see your point; however, there is no offline encryption policy at the user configuration level, only at the computer configuration level.  I checked and I'm definitely setting the policy in the right spot:  Computer Configuration\Administrative Templates\Network\Offline Files and User Configuration\Administrative Templates\Network\Offline Files.  

I'm going to call Microsoft and get the hotfix and see if that does the trick.  I'm not too confident, however, as I've experienced the issue when logging in as a domain admin and as an authenticated domain user.  

Expert Comment

by:engineer_dell
ID: 16971770
Well, give it a try

and please do let me know the progress,

Regards,

Engineer_Dell

Author Comment

by:bangia_v
ID: 16971787
Nope didn't work...when I talked to MS, they said that this hotfix would not fix the situation as it was included as part of SP2.  The workstations we are dealing w/ already have Windows XP SP2.  

Expert Comment

by:engineer_dell
ID: 16974300
BTW, did you refer to these articles to check whether you are going right step by step?

http://technet2.microsoft.com/WindowsServer/en/Library/9dba5df2-0359-4fa4-bdcf-dd6ae5ca345e1033.mspx?mfr=true
https://www.microsoft.co.ke/mspress/books/sampchap/5205c.asp
http://technet2.microsoft.com/WindowsServer/en/Library/af74d4f6-258f-477a-9d1c-2ca2b58860011033.mspx?mfr=true

If not, please do that; meanwhile I will try to emulate the same problem in our lab...

Regards,

Engineer_Dell

Assisted Solution

by:engineer_dell
engineer_dell earned 1500 total points
ID: 16974866
Hi Bangia

Please send me the following policy details with registry settings; also post your server details and Userenv.log:

MACHINE\Administrative Templates\System\ Do not automatically encrypt files moved to encrypted folders

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoEncryptOnMove

--------------------------------------------------------------------------------------------------------------------------------------------------------------

Expert Comment

by:engineer_dell
ID: 16974870
MACHINE\Administrative Templates\System\Group Policy - EFS recovery policy processing

HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoSlowLink, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoGPOListChanges

--------------------------------------------------------------------------------------

Expert Comment

by:engineer_dell
ID: 16974875
MACHINE      Administrative Templates\Windows Components\Terminal Services\Encryption and Security      Set client connection encryption level

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MinEncryptionLevel

----------------------------------------------------------------------------------

(Sorry that I am posting my reply in parts as EE is giving "Question Not Found" error when I post my complete reply together)

Author Comment

by:bangia_v
ID: 16984111
All 3 of our DC's at this location are Dell 1850's w/ Windows 2003 SP1 with multiple processors and plenty of RAM.  The clients are all XP, SP2 w/ the latest & greatest patches.

Here are the results from the registry and GPO:

MACHINE\Administrative Templates\System\ Do not automatically encrypt files moved to encrypted folders
**This setting in the GPO is set to 'Not Configured'**

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoEncryptOnMove
**This regkey does NOT exist**

MACHINE\Administrative Templates\System\Group Policy - EFS recovery policy processing
**This setting in the GPO is set to 'Not Configured'**

HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoSlowLink
**This regkey does NOT exist**

HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoBackgroundPolicy
**This regkey does NOT exist**

HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoGPOListChanges
**This regkey does NOT exist**

MACHINE\Administrative Templates\Windows Components\Terminal Services\Encryption and Security\Set client connection encryption level
**This setting in the GPO is set to 'Not Configured'**

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MinEncryptionLevel
**This regkey does NOT exist**

After running 'gpresult /v > gpo.txt', the gpo.txt file shows that the GPO we want to apply to the client WAS applied:

Applied Group Policy Objects:

AllowOfflineFilesEncryption
Default Domain Policy
MachineInventory
Local Group Policy

Gpo.txt also shows that the following regkeys were created on the client:

GPO: AllowOfflineFilesEncrypt
                Setting: Software\Policies\Microsoft\Windows\NetCache
                State:   Enabled

 GPO: AllowOfflineFilesEncrypt
                Setting: Software\Policies\Microsoft\Windows\NetCache
                State:   Enabled

It appears as if the GPO has been applied; however, the results are the same:  In Windows Explorer under Tools\Folder Options on the Offline Files tab, the 'Enable Offline Files' check box is checked and grayed out. The 'Encrypt offline files to secure data' check box is grayed out but not checked.  

Expert Comment

by:engineer_dell
ID: 16987372
Hello Bangia,

The only thing I can make out by your post is "SetClient Connection Encryption Level" is not configured, it may create the problem. As it Specifies whether to enforce an encryption level for all data sent between the client and the remote computer. Important: If FIPS compliance has already been enabled by the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy, you cannot change the encryption level by using this Group Policy or by using Terminal Services Configuration.   If the status is set to Enabled, encryption for all connections to the server is set to the level you specify. By default, encryption is set to High. The following encryption levels are available:  

Expert Comment

by:engineer_dell
ID: 16987384
FIPS Compliant: encrypts data sent from client to server and from server to client to meet the Federal Information Processing Standard 140-1 (FIPS 140-1), a security implementation designed for certifying cryptographic software. Use this level when Terminal Services connections require the highest degree of encryption. FIPS 140-1 validated software is required by the U.S. Government and requested by other prominent institutions.  

High: encrypts data sent from client to server and from server to client by using strong 128-bit encryption. Use this level when the remote computer is running in an environment containing 128-bit clients only (such as Remote Desktop Connection clients). Clients that do not support this level of encryption cannot connect.   Client Compatible: encrypts data sent from client to server and from server to client at the maximum key strength supported by the client. Use this level when the remote computer is running in an environment containing mixed or legacy clients.

Expert Comment

by:engineer_dell
ID: 16987394
Low: encrypts data sent from the client to the server using 56-bit encryption. Note that data sent from the server to the client is not encrypted when Low is specified.  

If the status is set to Disabled or Not Configured, the encryption level is not enforced through Group Policy. However, administrators can set the encryption level on the server using the Terminal Services Configuration tool.

Also, check this small article out - You may find it useful -
http://technet2.microsoft.com/WindowsServer/f/?en/Library/8602e646-26e7-4247-9218-8c7e62ab56a01033.mspx

Regards,

Engineer_Dell

Author Comment

by:bangia_v
ID: 16987890
I changed the GPO so the "Set client connection encryption level" setting was enabled; however, the results were the same.  In Windows Explorer under Tools\Folder Options on the Offline Files tab, the 'Enable Offline Files' check box is checked and grayed out. The 'Encrypt offline files to secure data' check box is grayed out but not checked.  

Expert Comment

by:engineer_dell
ID: 16988145
Modify the Active Directory Group Policy setting
To modify the Active Directory Group Policy setting to reference the new Group Policy Client Side extension, use the new Client Side extension in an Active Directory Group Policy setting.

Note Update the System.adm file and the Group Policy object in Active Directory. Update the System.adm file first. To do this, follow these steps:

1. Update the System.adm file to include the CLIENTEXT line, as follows:

   POLICY !!Pol_EncryptOfflineFiles
      #if version >= 4
         SUPPORTED !!SUPPORTED_WindowsXP
      #endif
      VALUENAME "EncryptCache"
      EXPLAIN !!Pol_EncryptOfflineFiles_Help
      VALUEON  NUMERIC 1
      VALUEOFF NUMERIC 0
      CLIENTEXT {C631DF4C-088F-4156-B058-4375F0853CD8}
   END POLICY

Expert Comment

by:engineer_dell
ID: 16988147
To find the System.adm location path for the Group Policy setting, follow these steps:

a.  Use the Active Directory Users and Computers tool to select a container where the Group Policy setting is applied.
b.  Change the container to display the Group Policy setting GUID. An example of this GUID is {9F16DD40-9777-4AD9-870C-9B9F1E73203E}.
c.  Use the Active Directory Service Interfaces (ADSI) Edit tool or the EnumProp tool to display the gPCFileSysPath attribute, as in the following example:

   enumprop "LDAP://mydc/CN={3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8},CN=Policies,CN=System,DC=mycompany,DC=com"

The following example shows the gPCFileSysPath attribute:

   LDAP://machinedc/CN={3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8},CN=Policies,CN=System,DC=mycompany,DC=com: 19 set properties.
   gPCFileSysPath: \\Test.net\SysVol\mycompany.com\Policies\{3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8}

Note The EnumProp tool is included in the Windows XP Resource Kit.

Expert Comment

by:engineer_dell
ID: 16988165
Update the Active Directory Group Policy object to include the Client Side extension in the gPCMachineExtensionNames attribute. To do this automatically in the Group Policy Editor snap-in, follow these steps:

a.  Use the Group Policy Editor snap-in to modify the Group Policy setting.
b.  Modify the "Encrypt the Offline Files cache" Group Policy setting.

Note Because the "Encrypt the Offline Files cache" Group Policy setting is now linked to the new CLIENTEXT line in the System.adm file, the Group Policy Editor will automatically update the gPCMachineExtensionNames Active Directory attribute to include the new Client Side extension GUID.

Good Luck,

Engineer_Dell

Author Comment

by:bangia_v
ID: 16992638
I looked up the GUID for the GPO in question and then went to the sysvol directory on one of the DCs.  When I opened the system.adm file and looked for the EncryptOfflineFiles policy I found the following:

      POLICY !!Pol_EncryptOfflineFiles
                  #if version >= 4
                  SUPPORTED !!SUPPORTED_WindowsXP_SP2_W2K_SP5_NETSERVER_SP1
                  #endif

                  VALUENAME "EncryptCache"
                  EXPLAIN !!Pol_EncryptOfflineFiles_Help
                  VALUEON  NUMERIC 1
                  VALUEOFF NUMERIC 0
                  CLIENTEXT {C631DF4C-088F-4156-B058-4375F0853CD8}
            END POLICY

The 'CLIENTEXT' line is already in the system.adm.  Did you want me to replace this guid with the guid of the offline GPO?

Author Comment

by:bangia_v
ID: 16994072
Using ADSI edit, I looked at the attributes of the gPCMachineExtensionNames of the GPO in question.  It was already populated correctly with the following:  

[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{C631DF4C-088F-4156-B058-4375F0853CD8}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]

I found this article on Microsoft support but I think it references instances ONLY when GPO's are created using a script.  I did not use Creategpo.wsf to create the GPO, I used GPMC:  

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B885009


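The two things checked by hand above, the CLIENTEXT line in the GPO's system.adm (engineer_dell's KB-style steps) and the gPCMachineExtensionNames attribute in ADSI Edit (bangia_v's last post), can be verified in one pass from PowerShell on any domain-joined machine. This is an added example, not code from the thread or from the KB article. The GPO GUID and domain DN are placeholders, the .adm file is assumed to sit at <gPCFileSysPath>\Adm\system.adm, the Offline Files CSE GUID is the CLIENTEXT value quoted in the thread, and the identification of {35378EAC-...} as the Registry (Administrative Templates) CSE comes from general Group Policy knowledge rather than from the thread.

```powershell
# Added example, not from the original thread or from Microsoft. Reads the GPO container
# and its SYSVOL copy of system.adm through the [ADSI] accelerator (no AD module needed,
# so it works against a 2003-era domain). Replace the placeholders before running.

$gpoGuid  = '{00000000-0000-0000-0000-000000000000}'   # placeholder: the OfflineEncryption GPO's GUID from GPMC
$domainDn = 'DC=mycompany,DC=com'                      # placeholder, as in the thread's enumprop example

# GUIDs that appear in the thread
$RegistryCse     = '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'   # Registry (Administrative Templates) CSE, assumed identification
$OfflineFilesCse = '{C631DF4C-088F-4156-B058-4375F0853CD8}'   # CLIENTEXT value from Pol_EncryptOfflineFiles

function ConvertFrom-GpcExtensionNames {
    # Parses "[{CSE}{tool}{tool}...][{CSE}{tool}...]" into a hashtable: CSE GUID -> tool GUIDs.
    param([string]$Value)
    $map = @{}
    foreach ($group in [regex]::Matches($Value, '\[(.*?)\]')) {
        $guids = @([regex]::Matches($group.Groups[1].Value, '\{[0-9A-Fa-f-]{36}\}') |
                   ForEach-Object { $_.Value.ToUpper() })
        if ($guids.Count -gt 0) { $map[$guids[0]] = @($guids | Select-Object -Skip 1) }
    }
    return $map
}

function Test-AdmClientExt {
    # $true when the named POLICY block in an .adm file carries a CLIENTEXT line for $CseGuid,
    # $false when the block lacks it, $null when the file is not there at all.
    param([string]$AdmPath, [string]$PolicyName, [string]$CseGuid)
    if (-not (Test-Path $AdmPath)) { return $null }
    $inPolicy = $false
    $start    = '^\s*POLICY\s*!!' + [regex]::Escape($PolicyName) + '\b'
    $wanted   = '^\s*CLIENTEXT\s+' + [regex]::Escape($CseGuid)
    foreach ($line in (Get-Content $AdmPath)) {
        if ($line -match $start) { $inPolicy = $true; continue }
        if ($inPolicy -and $line -match '^\s*END\s+POLICY') { return $false }
        if ($inPolicy -and $line -match $wanted) { return $true }
    }
    return $false
}

$gpo      = [ADSI]"LDAP://CN=$gpoGuid,CN=Policies,CN=System,$domainDn"
$extNames = [string]$gpo.gPCMachineExtensionNames
$sysvol   = [string]$gpo.gPCFileSysPath

$cses = ConvertFrom-GpcExtensionNames $extNames
"gPCFileSysPath           : $sysvol"
"gPCMachineExtensionNames : $extNames"
"Registry CSE listed      : $($cses.ContainsKey($RegistryCse))"
"Offline Files CSE listed : $($cses.ContainsKey($OfflineFilesCse))"

$admResult = Test-AdmClientExt -AdmPath (Join-Path $sysvol 'Adm\system.adm') `
                               -PolicyName 'Pol_EncryptOfflineFiles' -CseGuid $OfflineFilesCse
if ($null -eq $admResult) {
    'system.adm not found under the GPO''s Adm folder'
} elseif ($admResult) {
    'CLIENTEXT for the Offline Files CSE is present in Pol_EncryptOfflineFiles'
} else {
    'CLIENTEXT line missing from Pol_EncryptOfflineFiles: apply the change above and re-save the setting in the Group Policy Editor'
}
```

When both lines report True and the CLIENTEXT line is present, the GPO side matches what the attribute dump in the post above shows, and KB 885009 does not apply; anything still wrong is on the client.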

Accepted Solution

by:engineer_dell
engineer_dell earned 1500 total points
ID: 16994486
Yes, you should try that. Remember to copy the old line also so that you may restore it in case this step doesn't work. After you replace the line, don't forget to update the Active Directory Group Policy object to include the Client Side extension in the gPCMachineExtensionNames attribute.

By the way, have you tried using CSCCMD.EXE on XP Client to enable Client Side Caching, if not then you should try it,

http://support.microsoft.com/default.aspx?scid=kb;en-us;884739

Regards,

Engineer_Dell

Author Comment

by:bangia_v
ID: 16995207
Unfortunately this did not work.  

Expert Comment

by:engineer_dell
ID: 16995643
:)

Do you have any WMI filter linked to the "Offline" GPO ?

Author Comment

by:bangia_v
ID: 16995692
No filter.  I actually just got off the phone w/ Microsoft.  There is a hotfix available for this issue on XP post SP2.  I just applied it to a few workstations and it FINALLY worked.  The KB Article number is 810859.  The file name is WindowsXP-KB810859-x86-ENU.exe.

Thanks for the help, you get the points.

Expert Comment

by:engineer_dell
ID: 16995967
Cool !!

I had recommended the same HOTFIX on 23rd, but I think that day MS guy said something else...Anyways, wonderful that it worked ultimately...

At the end, I would suggest you read this also; it has very useful details for EFS

https://www.netscum.dk/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

Keep Smiling,

Engineer_Dell

(It's been a pleasant experience working with you)