Offline Encryption GPO - 'Encrypt offline files to secure data' checkbox unavailable

check  %SystemRoot%\CSC folder and it's subfolders
if files placed here  are readable then encryption really not enabled

The CSC folder is not there which to me means that the offline files cache is not encrypted.  However the GPO is being applied to the computer, from the results of gpresult.  I tried to start over with a freshly installed machine, a new test OU, a new GPO.  I turned on 'blocked inheritance' so that only GPO that should effect this machine was the OfflineEncryption GPO however came up with the same results.

Hello Bangia,

Offline file policies are set at both the computer and the user level, and there are identically named policies at each level. If you work with identically named policies at both levels, keep in mind that computer policies override user policies and that these policies may be applied at different times.

The primary policies you'll want to use are summarized in Table 8-2. As the table shows, most offline policies affect access, synchronization, caching, and encryption. You'll find Offline File policies under Computer Configuration\Administrative Templates\Network\Offline Files and User Configuration\Administrative Templates\Network\Offline Files.

Please refer,
http://technet2.microsoft.com/WindowsServer/en/Library/9dba5df2-0359-4fa4-bdcf-dd6ae5ca345e1033.mspx?mfr=true
https://www.microsoft.co.ke/mspress/books/sampchap/5205c.asp
http://technet2.microsoft.com/WindowsServer/en/Library/af74d4f6-258f-477a-9d1c-2ca2b58860011033.mspx?mfr=true

Regards,

Engineer_Dell

Please also check out this Hot Fix,
The "Encrypt the Offline Files cache" Group Policy setting does not take effect when a user logs on to a Windows XP-based computer

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B810859

Regards,

Engineer_Dell

I see you point, however there is no offline encryption policy at the user configuration level only at the computer configuration leve.  I checked and I'm definitely setting the policy setting in the right spot:  Computer Configuration\Administrative Templates\Network\Offline Files and User Configuration\Administrative Templates\Network\Offline Files.  

I'm going to call Microsoft and ge tthe hot fix and see if that does the trick.  I'm not too confident however as I've experienced the issue when logging in as a domain admin and an authenticated domain user.  

Well, give it a try

and please do let me know the progress,

Regards,

Engineer_Dell

Nope didn't work...when I talked to MS, they said that this hotfix would not fix the situation as it was included as part of SP2.  The workstations we are dealing w/ already have Windows XP SP2.  

BTW, did you refer this articles to whether you are going right step by step ?

http://technet2.microsoft.com/WindowsServer/en/Library/9dba5df2-0359-4fa4-bdcf-dd6ae5ca345e1033.mspx?mfr=true
https://www.microsoft.co.ke/mspress/books/sampchap/5205c.asp
http://technet2.microsoft.com/WindowsServer/en/Library/af74d4f6-258f-477a-9d1c-2ca2b58860011033.mspx?mfr=true

If not please do that, mean while I would try to emulate same problem in our lab...

Regards,

Engineer_Dell

MACHINE\Administrative Templates\System\Group Policy - EFS recovery policy processing

HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoSlowLink, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoGPOListChanges

--------------------------------------------------------------------------------------

MACHINE      Administrative Templates\Windows Components\Terminal Services\Encryption and Security      Set client connection encryption level

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MinEncryptionLevel

----------------------------------------------------------------------------------

(Sorry that I am posting my reply in parts as EE is giving "Question Not Found" error when I post my complete reply together)

you may also download complete policy set,

http://www.microsoft.com/downloads/details.aspx?FamilyId=92759D4B-7112-4B6C-AD4A-BBF3802A5C9B&displaylang=en
http://www.microsoft.com/downloads/details.aspx?FamilyID=7821c32f-da15-438d-8e48-45915cd2bc14&displaylang=en

Regards,

Engineer_Dell

All 3 of our DC's at this location are Dell 1850's w/ Windows 2003 SP1 with multiple processors and plenty of RAM.  The clients are all XP, SP2 w/ the latest & greatest patches.

Here are the results from the registry and GPO:

MACHINE\Administrative Templates\System\ Do not automatically encrypt files moved to encrypted folders
**This setting in the GPO is set to 'Not Configured'**

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoEncryptOnMove
**This regkey does NOT exist**

MACHINE\Administrative Templates\System\Group Policy - EFS recovery policy processing
**This setting in the GPO is set to 'Not Configured'**

HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoSlowLink
**This regkey does NOT exist**

HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoBackgroundPolicy
**This regkey does NOT exist**

HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoGPOListChanges
**This regkey does NOT exist**

MACHINE\Administrative Templates\Windows Components\Terminal Services\Encryption and Security\Set client connection encryption level
**This setting in the GPO is set to 'Not Configured**

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MinEncryptionLevel
**This regkey does NOT exist**

After running 'gpresult /v > gpo.txt' the gpo.txt file shows the we want to apply to the client WAS applied:

Applied Group Policy Objects:

AllowOfflineFilesEncryption
Default Domain Policy
MachineInventory
Local Group Policy

Gpo.txt also shows that the following regkeys were created on the client:

GPO: AllowOfflineFilesEncrypt
                Setting: Software\Policies\Microsoft\Windows\NetCache
                State:   Enabled

 GPO: AllowOfflineFilesEncrypt
                Setting: Software\Policies\Microsoft\Windows\NetCache
                State:   Enabled

It appears as if the GPO has been applied however the results are the same:  In Windows explorer under Tools\Folder Options on the Offline Files tab, the 'Enable Offline Files check box is checked and grayed out. The 'Encrypt offline files to secure data' check box is grayed out but not checked.  

Hello Bangia,

The only thing I can make out by your post is "SetClient Connection Encryption Level" is not configured, it may create the problem. As it Specifies whether to enforce an encryption level for all data sent between the client and the remote computer. Important: If FIPS compliance has already been enabled by the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy, you cannot change the encryption level by using this Group Policy or by using Terminal Services Configuration.   If the status is set to Enabled, encryption for all connections to the server is set to the level you specify. By default, encryption is set to High. The following encryption levels are available:  

FIPS Compliant: encrypts data sent from client to server and from server to client to meet the Federal Information Processing Standard 140-1 (FIPS 140-1), a security implementation designed for certifying cryptographic software. Use this level when Terminal Services connections require the highest degree of encryption. FIPS 140-1 validated software is required by the U.S. Government and requested by other prominent institutions.  

High: encrypts data sent from client to server and from server to client by using strong 128-bit encryption. Use this level when the remote computer is running in an environment containing 128-bit clients only (such as Remote Desktop Connection clients). Clients that do not support this level of encryption cannot connect.   Client Compatible: encrypts data sent from client to server and from server to client at the maximum key strength supported by the client. Use this level when the remote computer is running in an environment containing mixed or legacy clients.

Low: encrypts data sent from the client to the server using 56-bit encryption. Note that data sent from the server to the client is not encrypted when Low is specified.  

If the status is set to Disabled or Not Configured, the encryption level is not enforced through Group Policy. However, administrators can set the encryption level on the server using the Terminal Services Configuration tool.

Also, check this small article out - You may find it useful -
http://technet2.microsoft.com/WindowsServer/f/?en/Library/8602e646-26e7-4247-9218-8c7e62ab56a01033.mspx

Regards,

Engineer_Dell

I changed the GPO so the SetClient Connection Encryption Level setting was enabled, however the results were the same.  In Windows explorer under Tools\Folder Options on the Offline Files tab, the 'Enable Offline Files check box is checked and grayed out. The 'Encrypt offline files to secure data' check box is grayed out but not checked.  

Modify the Active Directory Group Policy setting
To modify the Active Directory Group Policy setting to reference the new Group Policy Client Side extension, use the new Client Side extension in an Active Directory Group Policy setting.

Note Update the System.adm file and the Group Policy object in Active Directory. Update the System.adm file first. To do this, follow these steps:1. Update the System.adm file to include the CLIENTEXT line, as follows:POLICY!!Pol_EncryptOfflineFiles
   #if version >= 4
      SUPPORTED !!SUPPORTED_WindowsXP
   #endif
   VALUENAME "EncryptCache"
   EXPLAIN !!Pol_EncryptOfflineFiles_Help
      VALUEON  NUMERIC 1
      VALUEOFF NUMERIC 0
      CLIENTEXT {C631DF4C-088F-4156-B058-4375F0853CD8}
END POLICY

To find the System.adm location path for the Group Policy setting, follow these steps:a.  Use the Active Directory Users and Computers tool to select a container where the Group Policy setting is applied.
b.  Change the container to display the Group Policy setting GUID. An example of this GUID is {9F16DD40-9777-4AD9-870C-9B9F1E73203E}.
c.  Use the Active Directory Service Interfaces (ADSI) Edit tool or the EnumProp tool to display the gPCFileSysPath attribute, as in the following exampe:
enumprop "LDAP://mydc/CN={3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8},CN=Po
licies,CN=System,DC=mycompany,DC=com"
The following example shows the gPCFileSysPath attribute:
LDAP://machinedc/CN={3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8},CN=Policies,CN=Syst
em,DC= mycompany,DC=com: 19 set properties.
 gPCFileSysPath: \\Test.net\SysVol\mycompany.com\Policies\{3D6FF2C0-1DFC-41A9-AE72
-D4502BDA81E8}
Note The EnumProp tool is included in the Windows XP Resource Kit.

Update the Active Directory Group Policy object to include the Client Side extension in the gPCMachineExtensionNames attribute. To do this automatically in the Group Policy Editor snap-in, follow these steps:a.  Use the Group Policy Editor snap-in to modify the Group Policy setting.
b.  Modify the "Encrypt the Offline Files cache" Group Policy setting.

Note Because the "Encrypt the Offline Files cache" Group Policy setting is now linked to the new CLIENTEXT line in the System.adm file, the Group Policy Editor will automatically update the gPCMachineExtensionNames Active Directory attribute to include the new Client Side extension GUID.

Good Luck,

Engineer_Dell

Hey!!

You are not alone:)
As I have found the same issue with another guy in Microsoft Forum, (I guess it's not you), he seems to be more frustrated ;)

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?query=encrypt+offline+file+gpo+not+apply+on+xp+client&dg=&cat=en_US_d02fc761-3f6b-402c-82f6-ba1a8875c1a7&lang=en&cr=&pt=&catlist=&dglist=&ptlist=&exp=&sloc=en-us&mid=aa09f786-8f99-4751-aed4-93d5cab7108d

Regards,

Engineer_Dell

I looked up the guid for the GPO in question and then went to the sysvol directory on one of the DC's.  When I opened the system.adm file and looked for the EncrytOfflineFiles policy I found the following:

      POLICY !!Pol_EncryptOfflineFiles
                  #if version >= 4
                  SUPPORTED !!SUPPORTED_WindowsXP_SP2_W2K_SP5_NETSERVER_SP1
                  #endif

                  VALUENAME "EncryptCache"
                  EXPLAIN !!Pol_EncryptOfflineFiles_Help
                  VALUEON  NUMERIC 1
                  VALUEOFF NUMERIC 0
                  CLIENTEXT {C631DF4C-088F-4156-B058-4375F0853CD8}
            END POLICY

The 'CLIENTEXT' line is already in the system.adm.  Did you want me to replace this guid with the guid of the offline GPO?

Using ADSI edit, I looked at the attributes of the gPCMachineExtensionNames of the GPO in question.  It was already populated correctly with the following:  

[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{C631DF4C-088F-4156-B058-4375F0853CD8}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]

I found this article on Microsoft support but I think it references instances ONLY when GPO's are created using a script.  I did not use Creategpo.wsf to create the GPO, I used GPMC:  

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B885009

Unfortunately this did not work.  

:)

Do you have any WMI filter linked to the "Offline" GPO ?

No filter.  I actually just got off the phone w/ Microsoft.  There is a hotfix available for this issue on XP post SP2.  I just applied it to a few workstations and it FINALLY worked.  The KB Article number is 810859.  The file name is WindowsXP-KB810859-x86-ENU.exe.

Thanks for the help, you get the points.

Cool !!

I had recommended the same HOTFIX on 23rd, but I think that day MS guy said something else...Anyways, wonderful that it worked ultimately...

At the end, I would suggest you to read this also, it has very useful details for EFS

https://www.netscum.dk/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

Keep Smiling,

Engineer_Dell

(It's been a pleasant experience working with you)