Migrate EFS Files and Certificates
Published: June 17, 2009
Updated: June 29, 2010
Applies To: Windows 7
This topic describes how to migrate Encrypting File System (EFS) certificates. For more information about the /efs options, see ScanState Syntax.
To Migrate EFS Files and Certificates to a Computer Running Windows Vista or Windows 7
If the destination computer is running Windows Vista® or Windows® 7, Encrypting File System (EFS) certificates will be migrated automatically. However, by default, User State Migration Tool (USMT) fails if an encrypted file is found (unless you specify an /efs option). Therefore, you must specify the /efs:copyraw option with the ScanState command to migrate the encrypted files. Then, when you run the LoadState command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated.
|The /efs options are not supported for use with the LoadState command.|
Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool.
You can run the Cipher tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to removed encryption from a folder, at a command prompt type:
Cipher /D /S: <PATH>
Where <Path> is the full path of the topmost parent directory where the encryption attribute is set.