How To Migrate EFS Files and Certificates

In order to migrate encrypted files, you must change the default behavior using one of the following options. For more information about the /efs options, see How To Migrate EFS Files and Certificates.

To a computer running Windows Vista

If the destination computer is running Windows Vista, Encrypting File System (EFS) certificates will be migrated automatically. However, by default, USMT fails if an encrypted file is found (unless you specify an /efs option). Therefore, you must specify /efs:copyraw with ScanState to migrate the encrypted files. Then when you run LoadState on the destination computer, the encrypted file and the EFS certificate will be automatically migrated.

Note

The /efs options are not supported on the LoadState command line.

To a computer running Windows XP

In order to migrate encrypted files to computers running Windows XP, you must also migrate the Encrypting File System (EFS) certificate. By default, USMT fails if an encrypted file is found (unless you specify an /efs option). In order to migrate encrypted files, you must change the default behavior. When migrating certificates using USMT, the end user is needed both before and after the migration. You can migrate EFS certificates using Cipher.exe or with the Certificates snap-in.

  • To migrate EFS certificates using Cipher.exe
  • To migrate EFS certificates using the Certificates snap-in

Important

You should use extreme caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration.

To migrate EFS certificates using Cipher.exe

In order to migrate Encrypting File System (EFS) certificates using Cipher.exe, the user who owns the certificate must complete the following procedure.

To migrate EFS certificates using Cipher.exe

  1. The end user who owns the certificate must log on to the source computer and quit all programs.

  2. At the command prompt, run Cipher.exe using the following syntax:

    cipher /x[:EFSFilePath] [FileName]

    FileName is a file name without an extension, and EFSFilePath is the path of an encrypted file. If EFSFilePath is provided, the current user's certificate(s) used to encrypt that file will be backed up. Otherwise, the user's current EFS certificate and keys will be backed up. Cipher will create a password-protected .pfx file wherever you specify. For additional information about Cipher.exe, type cipher /?.

Important

The end user should keep the following issues in mind when determining where to store the .pfx file (the backed-up certificate). First, the file must be stored in a location that will be accessible from the destination computer (for example, a shared folder or removable media). Second, the file should not be stored in the same place as the USMT intermediate store (which will contain the encrypted file). Cipher will password-protect the .pfx file, but this is not a very strong security measure. It would still be a security risk to store the encrypted file and its EFS certificate in the same place.

  3. Once the certificate is stored, the administrator can collect the user state using the /efs:copyraw option on the Scanstate command line. For example:

    scanstate \\fileserver\migration\mystore /efs:copyraw /i:migapp.xml /i:migsys.xml /i:miguser.xml /v:13 /targetxp

  4. Next, the administrator should install Windows XP and applications as needed on the destination computer, and then restore the user state onto the destination computer using LoadState.

  5. Once the migration is complete, the end user must log on to the destination computer, navigate to the backed-up certificate, and double-click the .pfx file.

  6. The Import Wizard will guide the end user through restoring the EFS certificate. The end user must specify his or her password for the certificate. After completing the Import Wizard, the certificate will be restored.
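The following PowerShell script is an added example, not part of the USMT documentation. Run on the source computer as the end user who owns the certificate, it ties the Cipher.exe procedure together: it lists the encrypted files that would make ScanState fail by default, refuses to write the .pfx backup anywhere inside the USMT store (the risk described in the Important note above), and then calls cipher /x. The store path, the removable-drive path E:\efs-backup and the efs-<username> file name are assumptions.

```powershell
# Added example (not USMT's own code): EFS pre-flight before ScanState on the source computer.
# Assumptions: $Store is the USMT intermediate store; $PfxDir is removable media or a share.
param(
    [string]$Store   = '\\fileserver\migration\mystore',
    [string]$PfxDir  = 'E:\efs-backup',          # hypothetical removable drive
    [string]$Profile = $env:USERPROFILE
)

# 1. Enumerate encrypted files in the profile. By default ScanState fails on the first one,
#    so a non-zero count tells the administrator that /efs:copyraw is required.
$encrypted = Get-ChildItem -Path $Profile -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   (($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0) }
Write-Host ("Encrypted files under {0}: {1}" -f $Profile, @($encrypted).Count)
$encrypted | ForEach-Object { Write-Host "  $($_.FullName)" }

# 2. Never put the certificate backup inside the migration store: anyone who can read the
#    store would then hold both the encrypted files and the key that opens them.
$storeRoot = [IO.Path]::GetFullPath($Store).TrimEnd('\')
$pfxRoot   = [IO.Path]::GetFullPath($PfxDir).TrimEnd('\')
if ($pfxRoot -eq $storeRoot -or
    $pfxRoot.StartsWith($storeRoot + '\', [StringComparison]::OrdinalIgnoreCase)) {
    throw "Refusing to write the EFS certificate backup inside the USMT store ($Store)."
}
New-Item -ItemType Directory -Path $PfxDir -Force | Out-Null

# 3. Back up the current user's EFS certificate and private key with Cipher.exe.
#    cipher /x prompts for a password and writes <FileName>.pfx; pass the name without extension.
$pfxBase = Join-Path $PfxDir ("efs-" + $env:USERNAME)
& cipher.exe /x $pfxBase
if (-not (Test-Path "$pfxBase.pfx")) { throw "cipher /x did not create $pfxBase.pfx" }
Write-Host "EFS certificate backed up to $pfxBase.pfx (keep it apart from $Store)."

# 4. The administrator can now run ScanState exactly as shown on this page:
#    scanstate $Store /efs:copyraw /i:migapp.xml /i:migsys.xml /i:miguser.xml /v:13 /targetxp
```

The .pfx password entered at the cipher prompt is the one the end user must supply again in the Import Wizard on the destination computer.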

To migrate EFS certificates using the Certificates snap-in

In order to migrate Encrypting File System (EFS) certificates using the Certificates snap-in, the user who owns the certificate(s) must export the certificate from the source computer before the migration. Then this user must import the certificate on the destination computer after the migration. If either procedure is not followed, the file will remain encrypted on the destination computer.

Important

By default, Scanstate fails with an error code if an EFS file is found on the source computer. In order to migrate EFS files, you must change this behavior using one of the /efs options.

To export the certificate from the source computer

  1. The end user who owns the certificate must log on to the source computer.

  2. Open Microsoft Management Console (MMC) by typing mmc in the Run dialog box.

  3. In the File menu, click Add/Remove Snap-in.

  4. In the Add/Remove Snap-in dialog box, click Add.

  5. Select Certificates from the list, click Add, and then select My user account.

  6. Click Finish, click Close, and then click OK.

  7. Browse to Certificates - Current user\Personal\Certificates.

  8. Right-click the certificate that you want to migrate.

  9. Click All Tasks and then click Export.

  10. The Certificate Export Wizard will help you store the certificate somewhere that is accessible from the destination computer (for example, a floppy disk or a shared folder). When prompted, indicate that you want to export the private key along with the certificate. Upon completion, you will receive a message that the export was successful.

  11. The administrator can now collect the user state using the /efs:copyraw option on the Scanstate command line. For example:

    scanstate \\fileserver\migration\mystore /efs:copyraw /i:migapp.xml /i:migsys.xml /i:miguser.xml /v:13 /targetxp

  12. Next, the administrator should install Windows XP and applications as needed on the destination computer and then restore the user state to the destination computer using LoadState.

To import the certificate onto the destination computer

  1. The end user who owns the certificate must log on to the destination computer.

  2. Open MMC by typing mmc in the Run dialog box.

  3. In the File menu, click Add/Remove Snap-in.

  4. In the Add/Remove Snap-in dialog box, click Add.

  5. Select Certificates from the list, click Add, and then select My user account.

  6. Click Finish, click Close, and then click OK.

  7. Browse to Certificates - Current user\Personal.

  8. Right-click Personal.

  9. Click All Tasks, and then click Import.

  10. Use the Certificate Import Wizard to locate the certificate that you exported. When browsing for the certificate, you should select Personal Information Exchange (*.pfx; *.p12) from the Files of type drop-down list box. You will need to enter the password you supplied when you exported the certificate from the source computer.

  11. Upon completion, you will receive a message that the import was successful.