Managing Data Encryption During Your Migration

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Encrypting File System (EFS) certificate data is not migrated when you use either USMT or the Files and Settings Transfer Wizard. The two tools treat encryption differently during a user state migration:

  • The Files and Settings Transfer Wizard decrypts encrypted files during migration, and does not encrypt the files when it writes them to the destination computer (unless writing them to a folder that is encrypted).

  • USMT decrypts encrypted files during migration, but if the temporary store is encrypted, the file will be encrypted under the user’s credentials (since Scanstate.exe is run in the user’s context). In addition, if the destination folder for the migrated file is encrypted, the restored file might be encrypted and, because the file will have been written under the administrator’s credentials, the administrator, not the user, will be able to read the file.

In general, assume that files are not protected by encryption during a user state migration. Furthermore, because EFS certificates are not migrated, if a file does get encrypted during the migration, the user will not be able to read the file unless the EFS certificate is recovered from the network. For information about performing this type of operation, see "Encrypting File System" in *Microsoft® Windows® XP Professional Resource Kit Documentation* (or see "Encrypting File System" on the Web at https://www.microsoft.com/reskit).
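
The following PowerShell audit is an added example, not part of the original documentation or of USMT. It lists the source files that carry the EFS attribute and warns when the store folder or a destination folder would encrypt files written to it. It assumes PowerShell is installed on the computer being checked; every default path is a placeholder.

```powershell
# Added example: EFS attribute audit around a user state migration.
# All default paths are placeholders (assumptions), not values from the documentation.
param(
    [string]$SourceProfile = 'C:\Documents and Settings\exampleuser',
    [string]$StoreFolder   = 'D:\MigrationStore',
    [string[]]$DestFolders = @('C:\Documents and Settings\exampleuser\My Documents')
)

$EfsFlag = [System.IO.FileAttributes]::Encrypted

# Return the closest folder on the path that already exists. A folder created
# later inherits the encryption attribute of the folder it is created in.
function Get-NearestExistingFolder([string]$Path) {
    $p = $Path
    while ($p -and -not (Test-Path -LiteralPath $p -PathType Container)) {
        $p = Split-Path -Path $p -Parent
    }
    return $p
}

# True when a file written to $Path would be encrypted by EFS on creation.
function Test-FolderEncrypts([string]$Path) {
    $folder = Get-NearestExistingFolder $Path
    if (-not $folder) { return $false }
    $item = Get-Item -LiteralPath $folder -Force
    return (($item.Attributes -band $EfsFlag) -eq $EfsFlag)
}

# List the files under $Root that carry the EFS attribute.
function Get-EfsFile([string]$Root) {
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       (($_.Attributes -band $EfsFlag) -eq $EfsFlag) }
}

# 1. Source files that the migration tools decrypt in transit.
$sourceEfs = @(Get-EfsFile $SourceProfile)
"{0} EFS-encrypted file(s) under {1}" -f $sourceEfs.Count, $SourceProfile
$sourceEfs | ForEach-Object { "  $($_.FullName)" }

# 2. An encrypted store encrypts files under the credentials running Scanstate.exe.
if (Test-FolderEncrypts $StoreFolder) {
    "WARNING: store folder $StoreFolder is EFS-encrypted"
}

# 3. An encrypted destination encrypts restored files under the restoring account.
foreach ($dest in $DestFolders) {
    if (Test-FolderEncrypts $dest) { "WARNING: destination $dest is EFS-encrypted" }
}
```

Run it on the source computer before Scanstate.exe, and again on the destination computer with `-SourceProfile` pointing at the restored profile to find files that ended up encrypted without the user's certificate.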