Solved Microsoft EFS recovery policy for this system contains invalid recovery certificate
I encountered a problem with a Microsoft encrypted file system and I want to explain how I solved the problem in case someone else has this same issue.
Our EFS implementation relies on an Active Directory Forest and Domain structure with the Forest domain providing the self-signed CA certificate and then issuing other certificates for the domains. One of the domain certificates expired taking the EFS recovery agent certificate with it. Reads and writes began failing to the EFS and we were alerted to the problem.
Renewing the domain and subordinate certificates was not a problem. But even after renewing the certificates and exporting/importing them to various appropriate places, we were still unable to manage the EFS.
We received the following error message:
recovery policy for this system contains invalid recovery certificate
Either renew the existing certificates or generate new certificates for the EFS recovery agents and reapply the recovery agent policy with those certificates.
After a lot of searching on the internet for an answer and reading several Microsoft KB articles, I was finding no solution. It seemed that everywhere I looked at the certificates, they looked correct.
As it turns out, the policies for the recovery agent are stored in Group Policy Objects and so I started searching through the various GPO configurations. I found the GPO that contained the old expired recovery agent certificate and imported the renewed certificate and forced a gpudate on the server with the EFS issue and was finally again able to write and read to the EFS.
I hope this information helps others who are struggling with the same issue.
