Offline Encryption GPO - 'Encrypt offline files to secure data' checkbox unavailable

I need some help with an Offline Files / offline encryption GPO.  So far I've done the following:

1.  For testing purposes I've set up an OU in our domain called Testing.
2.  I've put 3 client machines in this OU: XP1, XP2, XP3 (all are Windows XP SP2).
3.  Checked and made sure that a valid certificate exists.
4.  Created and linked a GPO to the Testing OU called OfflineEncryption.

The GPO has only 2 settings that have been enabled in the following spot:

Computer Configuration\Administrative Templates\Network\Offline Files

The 2 settings that have been enabled are:  

1.  Allow or Disallow use of the Offline Files feature
2.  Encrypt the Offline Files cache

So technically any user that logs into these respective machines should by default receive the following settings:  (found in Tools\Folder Options\Offline Files in Windows Explorer)

1.  Enable Offline Files should be checked and grayed out
2.  Encrypt offline files to secure data should be checked and grayed out

HOWEVER, this is not the case; the GPO works only halfway.  'Enable offline files' is checked and grayed out; however, 'Encrypt offline files' is grayed out but NOT CHECKED.  Which pretty much means to me that any offline files we have are not being encrypted.

I've run gpresult on each machine and the 'OfflineEncryption' GPO is being applied to each.  I've tried recreating the GPO, moving the machines in and out of the Testing OU, running gpupdate /force 10x and still the same results.

I'm at a standstill with this issue.  Anyone have any ideas?
bangia_v Asked:
engineer_dell Commented:
Yes, you should try that. Remember to copy the old line also so that you may restore it in case this step doesn't work. After you replace the line, don't forget to update the Active Directory Group Policy object to include the Client Side extension in the gPCMachineExtensionNames attribute.

By the way, have you tried using CSCCMD.EXE on the XP client to enable Client Side Caching? If not, then you should try it:

http://support.microsoft.com/default.aspx?scid=kb;en-us;884739

Regards,

Engineer_Dell
0
 
grigory7811 Commented:
Check the %SystemRoot%\CSC folder and its subfolders.
If files placed here are readable, then encryption is really not enabled.
0
 
bangia_v Author Commented:
The CSC folder is not there, which to me means that the offline files cache is not encrypted.  However, the GPO is being applied to the computer, from the results of gpresult.  I tried to start over with a freshly installed machine, a new test OU, a new GPO.  I turned on 'block inheritance' so that the only GPO that should affect this machine was the OfflineEncryption GPO; however, I came up with the same results.
0
 
engineer_dell Commented:
Hello Bangia,

Offline file policies are set at both the computer and the user level, and there are identically named policies at each level. If you work with identically named policies at both levels, keep in mind that computer policies override user policies and that these policies may be applied at different times.

The primary policies you'll want to use are summarized in Table 8-2. As the table shows, most offline policies affect access, synchronization, caching, and encryption. You'll find Offline File policies under Computer Configuration\Administrative Templates\Network\Offline Files and User Configuration\Administrative Templates\Network\Offline Files.

Please refer to:
http://technet2.microsoft.com/WindowsServer/en/Library/9dba5df2-0359-4fa4-bdcf-dd6ae5ca345e1033.mspx?mfr=true
https://www.microsoft.co.ke/mspress/books/sampchap/5205c.asp
http://technet2.microsoft.com/WindowsServer/en/Library/af74d4f6-258f-477a-9d1c-2ca2b58860011033.mspx?mfr=true

Regards,

Engineer_Dell
0
 
engineer_dell Commented:

Please also check out this hotfix:
The "Encrypt the Offline Files cache" Group Policy setting does not take effect when a user logs on to a Windows XP-based computer

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B810859

Regards,

Engineer_Dell
0
 
bangia_v Author Commented:
I see your point; however, there is no offline encryption policy at the user configuration level, only at the computer configuration level.  I checked and I'm definitely setting the policy setting in the right spot:  Computer Configuration\Administrative Templates\Network\Offline Files and User Configuration\Administrative Templates\Network\Offline Files.

I'm going to call Microsoft and get the hotfix and see if that does the trick.  I'm not too confident, however, as I've experienced the issue when logging in as a domain admin and as an authenticated domain user.
0
 
engineer_dell Commented:
Well, give it a try

and please do let me know the progress,

Regards,

Engineer_Dell
0
 
bangia_v Author Commented:
Nope, didn't work... when I talked to MS, they said that this hotfix would not fix the situation as it was included as part of SP2.  The workstations we are dealing w/ already have Windows XP SP2.
0
 
engineer_dell Commented:
BTW, did you refer to these articles to check whether you are going right step by step?

http://technet2.microsoft.com/WindowsServer/en/Library/9dba5df2-0359-4fa4-bdcf-dd6ae5ca345e1033.mspx?mfr=true
https://www.microsoft.co.ke/mspress/books/sampchap/5205c.asp
http://technet2.microsoft.com/WindowsServer/en/Library/af74d4f6-258f-477a-9d1c-2ca2b58860011033.mspx?mfr=true

If not, please do that; meanwhile I will try to emulate the same problem in our lab...

Regards,

Engineer_Dell
0
 
engineer_dell Commented:
Hi Bangia,

Please send me the details of the following policies with their registry settings; also post your server details and Userenv.log.

MACHINE\Administrative Templates\System\ Do not automatically encrypt files moved to encrypted folders

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoEncryptOnMove

--------------------------------------------------------------------------------------------------------------------------------------------------------------
0
 
engineer_dell Commented:
MACHINE\Administrative Templates\System\Group Policy - EFS recovery policy processing

HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoSlowLink, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoGPOListChanges

--------------------------------------------------------------------------------------
0
 
engineer_dell Commented:
MACHINE\Administrative Templates\Windows Components\Terminal Services\Encryption and Security\Set client connection encryption level

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MinEncryptionLevel

----------------------------------------------------------------------------------

(Sorry that I am posting my reply in parts as EE is giving "Question Not Found" error when I post my complete reply together)
0
 
bangia_v Author Commented:
All 3 of our DCs at this location are Dell 1850s w/ Windows 2003 SP1 with multiple processors and plenty of RAM.  The clients are all XP SP2 w/ the latest & greatest patches.

Here are the results from the registry and GPO:

MACHINE\Administrative Templates\System\ Do not automatically encrypt files moved to encrypted folders
**This setting in the GPO is set to 'Not Configured'**

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoEncryptOnMove
**This regkey does NOT exist**

MACHINE\Administrative Templates\System\Group Policy - EFS recovery policy processing
**This setting in the GPO is set to 'Not Configured'**

HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoSlowLink
**This regkey does NOT exist**

HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoBackgroundPolicy
**This regkey does NOT exist**

HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}!NoGPOListChanges
**This regkey does NOT exist**

MACHINE\Administrative Templates\Windows Components\Terminal Services\Encryption and Security\Set client connection encryption level
**This setting in the GPO is set to 'Not Configured'**

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MinEncryptionLevel
**This regkey does NOT exist**

After running 'gpresult /v > gpo.txt', the gpo.txt file shows that the GPO we want to apply to the client WAS applied:

Applied Group Policy Objects:

AllowOfflineFilesEncryption
Default Domain Policy
MachineInventory
Local Group Policy

Gpo.txt also shows that the following regkeys were created on the client:

GPO: AllowOfflineFilesEncrypt
                Setting: Software\Policies\Microsoft\Windows\NetCache
                State:   Enabled

 GPO: AllowOfflineFilesEncrypt
                Setting: Software\Policies\Microsoft\Windows\NetCache
                State:   Enabled

It appears as if the GPO has been applied; however, the results are the same:  In Windows Explorer under Tools\Folder Options on the Offline Files tab, the 'Enable Offline Files' check box is checked and grayed out. The 'Encrypt offline files to secure data' check box is grayed out but not checked.
0
 
engineer_dell Commented:
Hello Bangia,

The only thing I can make out from your post is that "Set client connection encryption level" is not configured; it may create the problem, as it specifies whether to enforce an encryption level for all data sent between the client and the remote computer. Important: If FIPS compliance has already been enabled by the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" Group Policy, you cannot change the encryption level by using this Group Policy or by using Terminal Services Configuration.   If the status is set to Enabled, encryption for all connections to the server is set to the level you specify. By default, encryption is set to High. The following encryption levels are available:
0
 
engineer_dell Commented:
FIPS Compliant: encrypts data sent from client to server and from server to client to meet the Federal Information Processing Standard 140-1 (FIPS 140-1), a security implementation designed for certifying cryptographic software. Use this level when Terminal Services connections require the highest degree of encryption. FIPS 140-1 validated software is required by the U.S. Government and requested by other prominent institutions.  

High: encrypts data sent from client to server and from server to client by using strong 128-bit encryption. Use this level when the remote computer is running in an environment containing 128-bit clients only (such as Remote Desktop Connection clients). Clients that do not support this level of encryption cannot connect.   Client Compatible: encrypts data sent from client to server and from server to client at the maximum key strength supported by the client. Use this level when the remote computer is running in an environment containing mixed or legacy clients.
0
 
engineer_dell Commented:
Low: encrypts data sent from the client to the server using 56-bit encryption. Note that data sent from the server to the client is not encrypted when Low is specified.  

If the status is set to Disabled or Not Configured, the encryption level is not enforced through Group Policy. However, administrators can set the encryption level on the server using the Terminal Services Configuration tool.

Also, check this small article out - You may find it useful -
http://technet2.microsoft.com/WindowsServer/f/?en/Library/8602e646-26e7-4247-9218-8c7e62ab56a01033.mspx

Regards,

Engineer_Dell
0
 
bangia_v Author Commented:
I changed the GPO so the "Set client connection encryption level" setting was enabled; however, the results were the same.  In Windows Explorer under Tools\Folder Options on the Offline Files tab, the 'Enable Offline Files' check box is checked and grayed out. The 'Encrypt offline files to secure data' check box is grayed out but not checked.
0
 
engineer_dell Commented:
Modify the Active Directory Group Policy setting
To modify the Active Directory Group Policy setting to reference the new Group Policy Client Side extension, use the new Client Side extension in an Active Directory Group Policy setting.

Note: Update the System.adm file and the Group Policy object in Active Directory. Update the System.adm file first. To do this, follow these steps:

1. Update the System.adm file to include the CLIENTEXT line, as follows:

    POLICY !!Pol_EncryptOfflineFiles
       #if version >= 4
          SUPPORTED !!SUPPORTED_WindowsXP
       #endif
       VALUENAME "EncryptCache"
       EXPLAIN !!Pol_EncryptOfflineFiles_Help
          VALUEON  NUMERIC 1
          VALUEOFF NUMERIC 0
          CLIENTEXT {C631DF4C-088F-4156-B058-4375F0853CD8}
    END POLICY
0
 
engineer_dell Commented:
To find the System.adm location path for the Group Policy setting, follow these steps:

a.  Use the Active Directory Users and Computers tool to select a container where the Group Policy setting is applied.
b.  Change the container to display the Group Policy setting GUID. An example of this GUID is {9F16DD40-9777-4AD9-870C-9B9F1E73203E}.
c.  Use the Active Directory Service Interfaces (ADSI) Edit tool or the EnumProp tool to display the gPCFileSysPath attribute, as in the following example:

    enumprop "LDAP://mydc/CN={3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8},CN=Policies,CN=System,DC=mycompany,DC=com"

The following example shows the gPCFileSysPath attribute:

    LDAP://machinedc/CN={3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8},CN=Policies,CN=System,DC=mycompany,DC=com: 19 set properties.
     gPCFileSysPath: \\Test.net\SysVol\mycompany.com\Policies\{3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8}

Note: The EnumProp tool is included in the Windows XP Resource Kit.
0
 
engineer_dell Commented:
Update the Active Directory Group Policy object to include the Client Side extension in the gPCMachineExtensionNames attribute. To do this automatically in the Group Policy Editor snap-in, follow these steps:

a.  Use the Group Policy Editor snap-in to modify the Group Policy setting.
b.  Modify the "Encrypt the Offline Files cache" Group Policy setting.

Note: Because the "Encrypt the Offline Files cache" Group Policy setting is now linked to the new CLIENTEXT line in the System.adm file, the Group Policy Editor will automatically update the gPCMachineExtensionNames Active Directory attribute to include the new Client Side extension GUID.

Good Luck,

Engineer_Dell
0
 
bangia_v Author Commented:
I looked up the GUID for the GPO in question and then went to the SYSVOL directory on one of the DCs.  When I opened the system.adm file and looked for the EncryptOfflineFiles policy I found the following:

    POLICY !!Pol_EncryptOfflineFiles
       #if version >= 4
          SUPPORTED !!SUPPORTED_WindowsXP_SP2_W2K_SP5_NETSERVER_SP1
       #endif

       VALUENAME "EncryptCache"
       EXPLAIN !!Pol_EncryptOfflineFiles_Help
          VALUEON  NUMERIC 1
          VALUEOFF NUMERIC 0
          CLIENTEXT {C631DF4C-088F-4156-B058-4375F0853CD8}
    END POLICY

The 'CLIENTEXT' line is already in the system.adm.  Did you want me to replace this guid with the guid of the offline GPO?
0
 
bangia_v Author Commented:
Using ADSI Edit, I looked at the gPCMachineExtensionNames attribute of the GPO in question.  It was already populated correctly with the following:

[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{C631DF4C-088F-4156-B058-4375F0853CD8}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]

I found this article on Microsoft support, but I think it references instances ONLY when GPOs are created using a script.  I did not use Creategpo.wsf to create the GPO; I used GPMC:

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B885009
0
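The two artifacts bangia_v inspected by hand in the posts above (the Pol_EncryptOfflineFiles block in System.adm and the GPO's gPCMachineExtensionNames attribute), plus the enumprop output engineer_dell quoted, can be checked offline with a small script. The following is an added example, not code from the thread or from Microsoft; the sample strings are constructed from the values the posts show, and the function names and the "findings" format are the example's own.

```python
"""Added example: offline consistency checks for an Offline Files encryption GPO.
Inputs are text copied from System.adm, ADSI Edit and enumprop; nothing here
touches a live directory."""
import re

# Offline Files client-side extension GUID, as quoted in the thread's System.adm
OFFLINE_FILES_CSE = "{C631DF4C-088F-4156-B058-4375F0853CD8}"

# Constructed sample: the POLICY block bangia_v found in System.adm
SAMPLE_ADM = """
POLICY !!Pol_EncryptOfflineFiles
    #if version >= 4
    SUPPORTED !!SUPPORTED_WindowsXP_SP2_W2K_SP5_NETSERVER_SP1
    #endif
    VALUENAME "EncryptCache"
    EXPLAIN !!Pol_EncryptOfflineFiles_Help
    VALUEON  NUMERIC 1
    VALUEOFF NUMERIC 0
    CLIENTEXT {C631DF4C-088F-4156-B058-4375F0853CD8}
END POLICY
"""

# Constructed sample: the attribute value bangia_v read with ADSI Edit
SAMPLE_EXT_NAMES = (
    "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]"
    "[{C631DF4C-088F-4156-B058-4375F0853CD8}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]"
)

# Constructed sample: enumprop output in the shape engineer_dell quoted
SAMPLE_ENUMPROP = (
    "LDAP://machinedc/CN={3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8},CN=Policies,"
    "CN=System,DC=mycompany,DC=com: 19 set properties.\n"
    " gPCFileSysPath: \\\\Test.net\\SysVol\\mycompany.com\\Policies\\"
    "{3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8}\n"
)

POLICY_RE = re.compile(r"POLICY\s*!!(\w+)(.*?)END POLICY", re.S)
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
KEYWORDS = ("VALUENAME", "CLIENTEXT", "VALUEON", "VALUEOFF", "SUPPORTED", "EXPLAIN")


def parse_adm_policies(text):
    """Return {policy_name: {keyword: value}} for each POLICY ... END POLICY block."""
    policies = {}
    for name, body in POLICY_RE.findall(text):
        settings = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) == 2 and parts[0] in KEYWORDS:
                settings[parts[0]] = parts[1].strip().strip('"')
        policies[name] = settings
    return policies


def parse_extension_names(value):
    """Parse gPCMachineExtensionNames, '[{CSE}{MMC ext}...]...', into {CSE: [MMC GUIDs]}."""
    registered = {}
    for group in re.findall(r"\[([^\]]*)\]", value):
        guids = [g.upper() for g in GUID_RE.findall(group)]
        if guids:
            registered[guids[0]] = guids[1:]
    return registered


def gpc_file_sys_path(enumprop_output):
    """Pull the SYSVOL path (where System.adm lives) out of enumprop output."""
    match = re.search(r"gPCFileSysPath:\s*(\S+)", enumprop_output)
    return match.group(1) if match else None


def check_offline_encryption_wiring(adm_text, ext_names):
    """Reproduce the thread's two checks: the ADM policy carries the Offline Files
    CLIENTEXT, and that CSE is registered on the GPO. Returns (ok, findings)."""
    findings = []
    policy = parse_adm_policies(adm_text).get("Pol_EncryptOfflineFiles")
    if policy is None:
        return False, ["System.adm has no Pol_EncryptOfflineFiles block"]
    if policy.get("VALUENAME") != "EncryptCache":
        findings.append("unexpected VALUENAME %r" % policy.get("VALUENAME"))
    cse = policy.get("CLIENTEXT", "").upper()
    if cse != OFFLINE_FILES_CSE:
        findings.append("CLIENTEXT missing or not the Offline Files CSE: %r" % cse)
    if cse not in parse_extension_names(ext_names):
        findings.append("CSE %s not listed in gPCMachineExtensionNames" % (cse or "(none)"))
    return not findings, findings


if __name__ == "__main__":
    print("System.adm at:", gpc_file_sys_path(SAMPLE_ENUMPROP))
    ok, notes = check_offline_encryption_wiring(SAMPLE_ADM, SAMPLE_EXT_NAMES)
    print("wiring ok" if ok else "problems: " + "; ".join(notes))
```

When both checks pass, as they did for bangia_v, the GPO side is wired correctly and the remaining suspect is the client, which is where the KB 810859 hotfix ended up being the fix.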
 
bangia_v Author Commented:
Unfortunately this did not work.  
0
 
engineer_dell Commented:
:)

Do you have any WMI filter linked to the "Offline" GPO ?
0
 
bangia_v Author Commented:
No filter.  I actually just got off the phone w/ Microsoft.  There is a hotfix available for this issue on XP post SP2.  I just applied it to a few workstations and it FINALLY worked.  The KB Article number is 810859.  The file name is WindowsXP-KB810859-x86-ENU.exe.

Thanks for the help, you get the points.
0
 
engineer_dell Commented:
Cool !!

I had recommended the same HOTFIX on 23rd, but I think that day MS guy said something else...Anyways, wonderful that it worked ultimately...

At the end, I would suggest you read this also; it has very useful details on EFS:

https://www.netscum.dk/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

Keep Smiling,

Engineer_Dell

(It's been a pleasant experience working with you)
0