Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Offline Encryption GPO - 'Encrypt offline files to secure data' checkbox unavailable
I need some help with an Offline File / Offline encryption GPO. So far I've done the following:
1. For testing purposes I've setup an OU in our domain called Testing.
2. I've put 3 client machines in this OU: XP1, XP2, XP3. (all are Windows XP, SP2)
3. Checked and made sure that a valid certificate exists
3. Created and linked a GPO to the Testing OU called OfflineEncryption.
The GPO has only 2 settings that have been enabled in the following spot:
Computer Configuration\Administrati
The 2 settings that have been enabled are:
1. Allow or Disallow use of the Offline Files feature
2. Encrypt the Offline Files cache
So technically any user that logs into these respective machines should by default receive the following settings: (found in Tools\Folder Options\Offline Files in Windows Explorer)
1. Enable Offline Files should be checked and grayed out
2. Encrypt offline files to secure data should be checked and grayed out
HOWEVER, this is not the case, the GPO works only 1/2 way. 'Enable offline files' is checked and grayed out however 'Encrypt offline files' is grayed out but NOT CHECKED. Which pretty much means to me that any offline files we have are not being encrypted.
I've run gpresult on each machine and the 'OfflineEncryption' GPO is being applied to each. I've tried recreating the GPO, moving the machines in and out of the Testing OU, running gpudate /force 10x and still the same results.
I'm at a stand still with this issue. Anyone have any ideas?
1. For testing purposes I've setup an OU in our domain called Testing.
2. I've put 3 client machines in this OU: XP1, XP2, XP3. (all are Windows XP, SP2)
3. Checked and made sure that a valid certificate exists
3. Created and linked a GPO to the Testing OU called OfflineEncryption.
The GPO has only 2 settings that have been enabled in the following spot:
Computer Configuration\Administrati
The 2 settings that have been enabled are:
1. Allow or Disallow use of the Offline Files feature
2. Encrypt the Offline Files cache
So technically any user that logs into these respective machines should by default receive the following settings: (found in Tools\Folder Options\Offline Files in Windows Explorer)
1. Enable Offline Files should be checked and grayed out
2. Encrypt offline files to secure data should be checked and grayed out
HOWEVER, this is not the case, the GPO works only 1/2 way. 'Enable offline files' is checked and grayed out however 'Encrypt offline files' is grayed out but NOT CHECKED. Which pretty much means to me that any offline files we have are not being encrypted.
I've run gpresult on each machine and the 'OfflineEncryption' GPO is being applied to each. I've tried recreating the GPO, moving the machines in and out of the Testing OU, running gpudate /force 10x and still the same results.
I'm at a stand still with this issue. Anyone have any ideas?
Who is Participating?
check %SystemRoot%\CSC folder and it's subfolders
if files placed here are readable then encryption really not enabled
if files placed here are readable then encryption really not enabled
The CSC folder is not there which to me means that the offline files cache is not encrypted. However the GPO is being applied to the computer, from the results of gpresult. I tried to start over with a freshly installed machine, a new test OU, a new GPO. I turned on 'blocked inheritance' so that only GPO that should effect this machine was the OfflineEncryption GPO however came up with the same results.
Hello Bangia,
Offline file policies are set at both the computer and the user level, and there are identically named policies at each level. If you work with identically named policies at both levels, keep in mind that computer policies override user policies and that these policies may be applied at different times.
The primary policies you'll want to use are summarized in Table 8-2. As the table shows, most offline policies affect access, synchronization, caching, and encryption. You'll find Offline File policies under Computer Configuration\Administrati
Please refer,
http://technet2.microsoft.com/WindowsServer/en/Library/9dba5df2-0359-4fa4-bdcf-dd6ae5ca345e1033.mspx?mfr=true
https://www.microsoft.co.ke/mspress/books/sampchap/5205c.asp
http://technet2.microsoft.com/WindowsServer/en/Library/af74d4f6-258f-477a-9d1c-2ca2b58860011033.mspx?mfr=true
Regards,
Engineer_Dell
Offline file policies are set at both the computer and the user level, and there are identically named policies at each level. If you work with identically named policies at both levels, keep in mind that computer policies override user policies and that these policies may be applied at different times.
The primary policies you'll want to use are summarized in Table 8-2. As the table shows, most offline policies affect access, synchronization, caching, and encryption. You'll find Offline File policies under Computer Configuration\Administrati
Please refer,
http://technet2.microsoft.com/WindowsServer/en/Library/9dba5df2-0359-4fa4-bdcf-dd6ae5ca345e1033.mspx?mfr=true
https://www.microsoft.co.ke/mspress/books/sampchap/5205c.asp
http://technet2.microsoft.com/WindowsServer/en/Library/af74d4f6-258f-477a-9d1c-2ca2b58860011033.mspx?mfr=true
Regards,
Engineer_Dell
Please also check out this Hot Fix,
The "Encrypt the Offline Files cache" Group Policy setting does not take effect when a user logs on to a Windows XP-based computer
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B810859
Regards,
Engineer_Dell
I see you point, however there is no offline encryption policy at the user configuration level only at the computer configuration leve. I checked and I'm definitely setting the policy setting in the right spot: Computer Configuration\Administrati
I'm going to call Microsoft and ge tthe hot fix and see if that does the trick. I'm not too confident however as I've experienced the issue when logging in as a domain admin and an authenticated domain user.
I'm going to call Microsoft and ge tthe hot fix and see if that does the trick. I'm not too confident however as I've experienced the issue when logging in as a domain admin and an authenticated domain user.
Nope didn't work...when I talked to MS, they said that this hotfix would not fix the situation as it was included as part of SP2. The workstations we are dealing w/ already have Windows XP SP2.
BTW, did you refer this articles to whether you are going right step by step ?
http://technet2.microsoft.com/WindowsServer/en/Library/9dba5df2-0359-4fa4-bdcf-dd6ae5ca345e1033.mspx?mfr=true
https://www.microsoft.co.ke/mspress/books/sampchap/5205c.asp
http://technet2.microsoft.com/WindowsServer/en/Library/af74d4f6-258f-477a-9d1c-2ca2b58860011033.mspx?mfr=true
If not please do that, mean while I would try to emulate same problem in our lab...
Regards,
Engineer_Dell
http://technet2.microsoft.com/WindowsServer/en/Library/9dba5df2-0359-4fa4-bdcf-dd6ae5ca345e1033.mspx?mfr=true
https://www.microsoft.co.ke/mspress/books/sampchap/5205c.asp
http://technet2.microsoft.com/WindowsServer/en/Library/af74d4f6-258f-477a-9d1c-2ca2b58860011033.mspx?mfr=true
If not please do that, mean while I would try to emulate same problem in our lab...
Regards,
Engineer_Dell
Hi Bangia
Please send me the following policies details with registry settings; Also post your server details and Userenv.log ,
MACHINE\Administrative Templates\System\ Do not automatically encrypt files moved to encrypted folders
HKLM\Software\Microsoft\Wi
--------------------------
Please send me the following policies details with registry settings; Also post your server details and Userenv.log ,
MACHINE\Administrative Templates\System\ Do not automatically encrypt files moved to encrypted folders
HKLM\Software\Microsoft\Wi
--------------------------
MACHINE\Administrative Templates\System\Group Policy - EFS recovery policy processing
HKLM\Software\Policies\Mic
--------------------------
HKLM\Software\Policies\Mic
--------------------------
MACHINE Administrative Templates\Windows Components\Terminal Services\Encryption and Security Set client connection encryption level
HKLM\SOFTWARE\Policies\Mic
--------------------------
(Sorry that I am posting my reply in parts as EE is giving "Question Not Found" error when I post my complete reply together)
HKLM\SOFTWARE\Policies\Mic
--------------------------
(Sorry that I am posting my reply in parts as EE is giving "Question Not Found" error when I post my complete reply together)
you may also download complete policy set,
http://www.microsoft.com/downloads/details.aspx?FamilyId=92759D4B-7112-4B6C-AD4A-BBF3802A5C9B&displaylang=en
http://www.microsoft.com/downloads/details.aspx?FamilyID=7821c32f-da15-438d-8e48-45915cd2bc14&displaylang=en
Regards,
Engineer_Dell
http://www.microsoft.com/downloads/details.aspx?FamilyId=92759D4B-7112-4B6C-AD4A-BBF3802A5C9B&displaylang=en
http://www.microsoft.com/downloads/details.aspx?FamilyID=7821c32f-da15-438d-8e48-45915cd2bc14&displaylang=en
Regards,
Engineer_Dell
All 3 of our DC's at this location are Dell 1850's w/ Windows 2003 SP1 with multiple processors and plenty of RAM. The clients are all XP, SP2 w/ the latest & greatest patches.
Here are the results from the registry and GPO:
MACHINE\Administrative Templates\System\ Do not automatically encrypt files moved to encrypted folders
**This setting in the GPO is set to 'Not Configured'**
HKLM\Software\Microsoft\Wi
**This regkey does NOT exist**
MACHINE\Administrative Templates\System\Group Policy - EFS recovery policy processing
**This setting in the GPO is set to 'Not Configured'**
HKLM\Software\Policies\Mic
**This regkey does NOT exist**
HKLM\Software\Policies\Mic
**This regkey does NOT exist**
HKLM\Software\Policies\Mic
**This regkey does NOT exist**
MACHINE\Administrative Templates\Windows Components\Terminal Services\Encryption and Security\Set client connection encryption level
**This setting in the GPO is set to 'Not Configured**
HKLM\SOFTWARE\Policies\Mic
**This regkey does NOT exist**
After running 'gpresult /v > gpo.txt' the gpo.txt file shows the we want to apply to the client WAS applied:
Applied Group Policy Objects:
AllowOfflineFilesEncryptio
Default Domain Policy
MachineInventory
Local Group Policy
Gpo.txt also shows that the following regkeys were created on the client:
GPO: AllowOfflineFilesEncrypt
Setting: Software\Policies\Microsof
State: Enabled
GPO: AllowOfflineFilesEncrypt
Setting: Software\Policies\Microsof
State: Enabled
It appears as if the GPO has been applied however the results are the same: In Windows explorer under Tools\Folder Options on the Offline Files tab, the 'Enable Offline Files check box is checked and grayed out. The 'Encrypt offline files to secure data' check box is grayed out but not checked.
Here are the results from the registry and GPO:
MACHINE\Administrative Templates\System\ Do not automatically encrypt files moved to encrypted folders
**This setting in the GPO is set to 'Not Configured'**
HKLM\Software\Microsoft\Wi
**This regkey does NOT exist**
MACHINE\Administrative Templates\System\Group Policy - EFS recovery policy processing
**This setting in the GPO is set to 'Not Configured'**
HKLM\Software\Policies\Mic
**This regkey does NOT exist**
HKLM\Software\Policies\Mic
**This regkey does NOT exist**
HKLM\Software\Policies\Mic
**This regkey does NOT exist**
MACHINE\Administrative Templates\Windows Components\Terminal Services\Encryption and Security\Set client connection encryption level
**This setting in the GPO is set to 'Not Configured**
HKLM\SOFTWARE\Policies\Mic
**This regkey does NOT exist**
After running 'gpresult /v > gpo.txt' the gpo.txt file shows the we want to apply to the client WAS applied:
Applied Group Policy Objects:
AllowOfflineFilesEncryptio
Default Domain Policy
MachineInventory
Local Group Policy
Gpo.txt also shows that the following regkeys were created on the client:
GPO: AllowOfflineFilesEncrypt
Setting: Software\Policies\Microsof
State: Enabled
GPO: AllowOfflineFilesEncrypt
Setting: Software\Policies\Microsof
State: Enabled
It appears as if the GPO has been applied however the results are the same: In Windows explorer under Tools\Folder Options on the Offline Files tab, the 'Enable Offline Files check box is checked and grayed out. The 'Encrypt offline files to secure data' check box is grayed out but not checked.
Hello Bangia,
The only thing I can make out by your post is "SetClient Connection Encryption Level" is not configured, it may create the problem. As it Specifies whether to enforce an encryption level for all data sent between the client and the remote computer. Important: If FIPS compliance has already been enabled by the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy, you cannot change the encryption level by using this Group Policy or by using Terminal Services Configuration. If the status is set to Enabled, encryption for all connections to the server is set to the level you specify. By default, encryption is set to High. The following encryption levels are available:
The only thing I can make out by your post is "SetClient Connection Encryption Level" is not configured, it may create the problem. As it Specifies whether to enforce an encryption level for all data sent between the client and the remote computer. Important: If FIPS compliance has already been enabled by the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy, you cannot change the encryption level by using this Group Policy or by using Terminal Services Configuration. If the status is set to Enabled, encryption for all connections to the server is set to the level you specify. By default, encryption is set to High. The following encryption levels are available:
FIPS Compliant: encrypts data sent from client to server and from server to client to meet the Federal Information Processing Standard 140-1 (FIPS 140-1), a security implementation designed for certifying cryptographic software. Use this level when Terminal Services connections require the highest degree of encryption. FIPS 140-1 validated software is required by the U.S. Government and requested by other prominent institutions.
High: encrypts data sent from client to server and from server to client by using strong 128-bit encryption. Use this level when the remote computer is running in an environment containing 128-bit clients only (such as Remote Desktop Connection clients). Clients that do not support this level of encryption cannot connect. Client Compatible: encrypts data sent from client to server and from server to client at the maximum key strength supported by the client. Use this level when the remote computer is running in an environment containing mixed or legacy clients.
High: encrypts data sent from client to server and from server to client by using strong 128-bit encryption. Use this level when the remote computer is running in an environment containing 128-bit clients only (such as Remote Desktop Connection clients). Clients that do not support this level of encryption cannot connect. Client Compatible: encrypts data sent from client to server and from server to client at the maximum key strength supported by the client. Use this level when the remote computer is running in an environment containing mixed or legacy clients.
Low: encrypts data sent from the client to the server using 56-bit encryption. Note that data sent from the server to the client is not encrypted when Low is specified.
If the status is set to Disabled or Not Configured, the encryption level is not enforced through Group Policy. However, administrators can set the encryption level on the server using the Terminal Services Configuration tool.
Also, check this small article out - You may find it useful -
http://technet2.microsoft.com/WindowsServer/f/?en/Library/8602e646-26e7-4247-9218-8c7e62ab56a01033.mspx
Regards,
Engineer_Dell
If the status is set to Disabled or Not Configured, the encryption level is not enforced through Group Policy. However, administrators can set the encryption level on the server using the Terminal Services Configuration tool.
Also, check this small article out - You may find it useful -
http://technet2.microsoft.com/WindowsServer/f/?en/Library/8602e646-26e7-4247-9218-8c7e62ab56a01033.mspx
Regards,
Engineer_Dell
I changed the GPO so the SetClient Connection Encryption Level setting was enabled, however the results were the same. In Windows explorer under Tools\Folder Options on the Offline Files tab, the 'Enable Offline Files check box is checked and grayed out. The 'Encrypt offline files to secure data' check box is grayed out but not checked.
Modify the Active Directory Group Policy setting
To modify the Active Directory Group Policy setting to reference the new Group Policy Client Side extension, use the new Client Side extension in an Active Directory Group Policy setting.
Note Update the System.adm file and the Group Policy object in Active Directory. Update the System.adm file first. To do this, follow these steps:1. Update the System.adm file to include the CLIENTEXT line, as follows:POLICY!!Pol_Encryp
#if version >= 4
SUPPORTED !!SUPPORTED_WindowsXP
#endif
VALUENAME "EncryptCache"
EXPLAIN !!Pol_EncryptOfflineFiles_
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
CLIENTEXT {C631DF4C-088F-4156-B058-4
END POLICY
To modify the Active Directory Group Policy setting to reference the new Group Policy Client Side extension, use the new Client Side extension in an Active Directory Group Policy setting.
Note Update the System.adm file and the Group Policy object in Active Directory. Update the System.adm file first. To do this, follow these steps:1. Update the System.adm file to include the CLIENTEXT line, as follows:POLICY!!Pol_Encryp
#if version >= 4
SUPPORTED !!SUPPORTED_WindowsXP
#endif
VALUENAME "EncryptCache"
EXPLAIN !!Pol_EncryptOfflineFiles_
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
CLIENTEXT {C631DF4C-088F-4156-B058-4
END POLICY
To find the System.adm location path for the Group Policy setting, follow these steps:a. Use the Active Directory Users and Computers tool to select a container where the Group Policy setting is applied.
b. Change the container to display the Group Policy setting GUID. An example of this GUID is {9F16DD40-9777-4AD9-870C-9
c. Use the Active Directory Service Interfaces (ADSI) Edit tool or the EnumProp tool to display the gPCFileSysPath attribute, as in the following exampe:
enumprop "LDAP://mydc/CN={3D6FF2C0-
licies,CN=System,DC=mycomp
The following example shows the gPCFileSysPath attribute:
LDAP://machinedc/CN={3D6FF
em,DC= mycompany,DC=com: 19 set properties.
gPCFileSysPath: \\Test.net\SysVol\mycompan
-D4502BDA81E8}
Note The EnumProp tool is included in the Windows XP Resource Kit.
b. Change the container to display the Group Policy setting GUID. An example of this GUID is {9F16DD40-9777-4AD9-870C-9
c. Use the Active Directory Service Interfaces (ADSI) Edit tool or the EnumProp tool to display the gPCFileSysPath attribute, as in the following exampe:
enumprop "LDAP://mydc/CN={3D6FF2C0-
licies,CN=System,DC=mycomp
The following example shows the gPCFileSysPath attribute:
LDAP://machinedc/CN={3D6FF
em,DC= mycompany,DC=com: 19 set properties.
gPCFileSysPath: \\Test.net\SysVol\mycompan
-D4502BDA81E8}
Note The EnumProp tool is included in the Windows XP Resource Kit.
Update the Active Directory Group Policy object to include the Client Side extension in the gPCMachineExtensionNames attribute. To do this automatically in the Group Policy Editor snap-in, follow these steps:a. Use the Group Policy Editor snap-in to modify the Group Policy setting.
b. Modify the "Encrypt the Offline Files cache" Group Policy setting.
Note Because the "Encrypt the Offline Files cache" Group Policy setting is now linked to the new CLIENTEXT line in the System.adm file, the Group Policy Editor will automatically update the gPCMachineExtensionNames Active Directory attribute to include the new Client Side extension GUID.
Good Luck,
Engineer_Dell
b. Modify the "Encrypt the Offline Files cache" Group Policy setting.
Note Because the "Encrypt the Offline Files cache" Group Policy setting is now linked to the new CLIENTEXT line in the System.adm file, the Group Policy Editor will automatically update the gPCMachineExtensionNames Active Directory attribute to include the new Client Side extension GUID.
Good Luck,
Engineer_Dell
Hey!!
You are not alone:)
As I have found the same issue with another guy in Microsoft Forum, (I guess it's not you), he seems to be more frustrated ;)
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?query=encrypt+offline+file+gpo+not+apply+on+xp+client&dg=&cat=en_US_d02fc761-3f6b-402c-82f6-ba1a8875c1a7&lang=en&cr=&pt=&catlist=&dglist=&ptlist=&exp=&sloc=en-us&mid=aa09f786-8f99-4751-aed4-93d5cab7108d
Regards,
Engineer_Dell
You are not alone:)
As I have found the same issue with another guy in Microsoft Forum, (I guess it's not you), he seems to be more frustrated ;)
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?query=encrypt+offline+file+gpo+not+apply+on+xp+client&dg=&cat=en_US_d02fc761-3f6b-402c-82f6-ba1a8875c1a7&lang=en&cr=&pt=&catlist=&dglist=&ptlist=&exp=&sloc=en-us&mid=aa09f786-8f99-4751-aed4-93d5cab7108d
Regards,
Engineer_Dell
I looked up the guid for the GPO in question and then went to the sysvol directory on one of the DC's. When I opened the system.adm file and looked for the EncrytOfflineFiles policy I found the following:
POLICY !!Pol_EncryptOfflineFiles
#if version >= 4
SUPPORTED !!SUPPORTED_WindowsXP_SP2_
#endif
VALUENAME "EncryptCache"
EXPLAIN !!Pol_EncryptOfflineFiles_
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
CLIENTEXT {C631DF4C-088F-4156-B058-4
END POLICY
The 'CLIENTEXT' line is already in the system.adm. Did you want me to replace this guid with the guid of the offline GPO?
POLICY !!Pol_EncryptOfflineFiles
#if version >= 4
SUPPORTED !!SUPPORTED_WindowsXP_SP2_
#endif
VALUENAME "EncryptCache"
EXPLAIN !!Pol_EncryptOfflineFiles_
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
CLIENTEXT {C631DF4C-088F-4156-B058-4
END POLICY
The 'CLIENTEXT' line is already in the system.adm. Did you want me to replace this guid with the guid of the offline GPO?
Using ADSI edit, I looked at the attributes of the gPCMachineExtensionNames of the GPO in question. It was already populated correctly with the following:
[{35378EAC-683F-11D2-A89A-
I found this article on Microsoft support but I think it references instances ONLY when GPO's are created using a script. I did not use Creategpo.wsf to create the GPO, I used GPMC:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B885009
[{35378EAC-683F-11D2-A89A-
I found this article on Microsoft support but I think it references instances ONLY when GPO's are created using a script. I did not use Creategpo.wsf to create the GPO, I used GPMC:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B885009
No filter. I actually just got off the phone w/ Microsoft. There is a hotfix available for this issue on XP post SP2. I just applied it to a few workstations and it FINALLY worked. The KB Article number is 810859. The file name is WindowsXP-KB810859-x86-ENU
Thanks for the help, you get the points.
Thanks for the help, you get the points.
Cool !!
I had recommended the same HOTFIX on 23rd, but I think that day MS guy said something else...Anyways, wonderful that it worked ultimately...
At the end, I would suggest you to read this also, it has very useful details for EFS
https://www.netscum.dk/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
Keep Smiling,
Engineer_Dell
(It's been a pleasant experience working with you)
I had recommended the same HOTFIX on 23rd, but I think that day MS guy said something else...Anyways, wonderful that it worked ultimately...
At the end, I would suggest you to read this also, it has very useful details for EFS
https://www.netscum.dk/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
Keep Smiling,
Engineer_Dell
(It's been a pleasant experience working with you)
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
-
Course of the Month11 days, 6 hours left to enrollMonitoring and Operating a Private Cloud with System Center 2012 R2 273 lessons
By the way, have you tried using CSCCMD.EXE on XP Client to enable Client Side Caching, if not then you should try it,
http://support.microsoft.com/default.aspx?scid=kb;en-us;884739
Regards,
Engineer_Dell