(aka "reliable recovery for EFS'd files")

Project Description
One of the most critical outstanding issues with the use of EFS in the enterprise is that the EFS component 'driver' does not automatically start using "better" EFS certificates when they are enrolled. This command-line application wlil help an organization migrate EFS-encrypted content to be encrypted with centrally-enrolled (and ideally key-archival backed) digital certificates suitable for EFS.

Quick Guide

  • If you'd like to download the latest version of this application, please click here
  • If you'd like to report a bug or issue to the developers, please click here
  • If you'd like to ask questions or see previous discussions regarding this application, please click here


  • 2008-11-29: version 1.2 has been released! This version brings a command-line parameter (/migrate1) which enables you to migrate from v1 EFS certificates as well as self-signed certificates. There is additional logging, and many small bug fixes.
  • Version 1.1 was released in fall of 2007 - here.


Future Enhancements to EFSCONFIGUPDATE

There are a number of opportunities to extend the functionality for this tool, many of which I've heard from one or another customer as something they'd like to see. Time (and demand) permitting, I'll see about adding a few of these in future versions of this tool. (Your input - through the Issue Tracker - can significantly influence what I invest my time in.)
  • log significant errors in the Application Event Log
  • Archive any non-matching EFS certificates
  • provide multiple ways to identify the specific CA from which desired certificates should have been enrolled
  • don't just select the first matching certificate but the "best" matching certificate
  • optional capability to enroll for a matching certificate if no matching certificate is found
  • possible integration of this tool with the EFS Assistant (which you can find here: http://www.codeplex.com/EFSAssistant/)
  • localization by extracting all non-localized strings into appropriate resource files
  • additional error & exception handling

Other Free Tools to Help with an EFS Deployment

  • EFS Assistant: eases the burden of enforcing encryption on sensitive data files, no matter where they're stored on disk
  • EFSDump: provides access to some metadata about EFS-encrypted files, and may be the only remaining useable tool for Windows Vista since EFSInfo is not supported on Vista

Last edited Nov 30, 2008 at 3:17 AM by MikeSL, version 25