To create a recovery agent account, create a user account, then explicitly grant the account Enroll permission on Certificate Services' EFSRecovery certificate template. (The default ACL on the EFSRecovery template lets only members of the Domain Admins and Enterprise Admins groups request a recovery agent certificate.) To grant Enroll permission to a user, follow these steps:

  1. Open the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in, then navigate to the Certificate Templates folder, which Figure A shows. (If you don't see the Services node in this snap-in, select View on the MMC taskbar, then select Show Service Node.)
  2. Right-click EFSRecovery in the right pane, then select Properties.
  3. In the Properties dialog box, click the Security tab, then click Add to add the user to the template. Your CA administrator must grant each user Enroll permission.

Let's say you're the assigned recovery agent. To obtain an EFS Recovery Agent certificate, point your browser to the CertSrv virtual directory on the issuing CA (e.g., http://issuingca/certsrv). On the resulting page, select the Request a certificate option, then click Next. On the next page, select the Advanced request option, then click Next. The next page asks how you want to make the certificate request. Select the Use a form option, then click Next. On the Advanced Certificate Request page, which Figure B shows, select EFS Recovery Agent from the Certificate Template drop-down list. From the CSP drop-down list, select either the Microsoft Base Cryptographic Provider option or the Microsoft Enhanced Cryptographic Provider option, unless you have special requirements (e.g., if you store all your certificates on smart cards or USB tokens or have a hardware cryptographic accelerator). For the key size, enter at least 1024 bits.

The key size you enter here affects the size of the recovery agent key used to protect the FEK rather than the size of the FEK used to encrypt files in EFS. The smaller the key size, the more vulnerable the encrypted FEK is to attack. A larger key size, however, can significantly slow encryption and the EFS for all users on systems on which recovery agent certificates are used. I also recommend that you select the Mark keys as exportable check box so that the EFS certificate and associated private key can be exported.

You can leave all other options on the form at the defaults unless you have specific needs. Click Submit to start the certificate request process. If the process is successful, a page appears with a link that lets you install the EFS Recovery Agent certificate to your profile. After you install the certificate, I recommend that you export it to a floppy disk and store the disk in a secure location. (The CA administrator should also remove the Enroll permission granted to the recovery agent accounts on the EFS Recovery Agent certificate template.)

To create a recovery agent account, create a user account, then explicitly grant the account Enroll permission on Certificate Services' EFSRecovery certificate template. (The default ACL on the EFSRecovery template lets only members of the Domain Admins and Enterprise Admins groups request a recovery agent certificate.) To grant Enroll permission to a user, follow these steps:

  1. Open the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in, then navigate to the Certificate Templates folder, which Figure A shows. (If you don't see the Services node in this snap-in, select View on the MMC taskbar, then select Show Service Node.)
  2. Right-click EFSRecovery in the right pane, then select Properties.
  3. In the Properties dialog box, click the Security tab, then click Add to add the user to the template. Your CA administrator must grant each user Enroll permission.

Let's say you're the assigned recovery agent. To obtain an EFS Recovery Agent certificate, point your browser to the CertSrv virtual directory on the issuing CA (e.g., http://issuingca/certsrv). On the resulting page, select the Request a certificate option, then click Next. On the next page, select the Advanced request option, then click Next. The next page asks how you want to make the certificate request. Select the Use a form option, then click Next. On the Advanced Certificate Request page, which Figure B shows, select EFS Recovery Agent from the Certificate Template drop-down list. From the CSP drop-down list, select either the Microsoft Base Cryptographic Provider option or the Microsoft Enhanced Cryptographic Provider option, unless you have special requirements (e.g., if you store all your certificates on smart cards or USB tokens or have a hardware cryptographic accelerator). For the key size, enter at least 1024 bits.

The key size you enter here affects the size of the recovery agent key used to protect the FEK rather than the size of the FEK used to encrypt files in EFS. The smaller the key size, the more vulnerable the encrypted FEK is to attack. A larger key size, however, can significantly slow encryption and the EFS for all users on systems on which recovery agent certificates are used. I also recommend that you select the Mark keys as exportable check box so that the EFS certificate and associated private key can be exported.

You can leave all other options on the form at the defaults unless you have specific needs. Click Submit to start the certificate request process. If the process is successful, a page appears with a link that lets you install the EFS Recovery Agent certificate to your profile. After you install the certificate, I recommend that you export it to a floppy disk and store the disk in a secure location. (The CA administrator should also remove the Enroll permission granted to the recovery agent accounts on the EFS Recovery Agent certificate template.)