FIX: Can't encrypt the Offline Files cache using Group Policy sett
Hi all,
Just thought I would post a quick fix to a problem that I think many people have been experiencing when enabling the 'Encrypt the Offline Files Cache' setting in Group Policy, but finding out that the 'Encrypt offline files to secure data' setting under 'Folder Options / Offline Files' remains greyed out, and that offline files are not actually encrypted.

(You can find out if Offline Files encryption is working properly by navigating to "%SystemRoot%\CSC" and looking in the subfolders for any files that appear in 'green'. If you can see some 'green' files, offline files encryption is working fine. If not, and the box mentioned above in Folder Options / Offline Files remains greyed out, you might have this problem).

After some searching and testing, I have found the following checks & steps which seem to fix the problem in my environment at least:

1. Make sure you have the KB810859 hotfix installed ('The "Encrypt the Offline Files cache" Group Policy setting does not take effect when a user logs on to a Windows XP-based computer', http://support.microsoft.com/kb/810859). This really is the key to the whole thing, and thankfully it seems to be included in XP SP3.

2. Once you have installed the hotfix / SP3, make sure that your copy of system.adm is up-to-date. You can check this by going to %windir%\inf and opening the file in Notepad. Search for the string '{C631DF4C-088F-4156-B058-4375F0853CD8}' (without quotes) - if you can find it, you should be fine.

3. ON THE SYSTEM WHICH HAS THE UPDATED VERSION OF SYSTEM.ADM, go into the Group Policy where you have set the 'Encrypt the Offline Files Cache' setting, REMOVE the policy (set it to 'Not Configured', click Apply), and then RE-ENABLE the policy (set it to 'Enabled', click Apply), then close the policy. As KB810859 describes, this will set the gPCMachineExtensionNames attribute on this particular Group Policy object to 'trigger' the new functionality in the hotfix - if you don't do this, then none of this will work.

4. Perform the above step on any other policies on your domain which include the 'Encrypt the Offline Files Cache' setting. Any policies which have this setting included need to be 'touched' with the new version of system.adm in order to have any effect on patched computers.

5. Make sure that the computer on which you are trying to enable offline files encryption actually has some offline files set. It might sound obvious, but the Group Policy setting won't apply until there are actually some offline files to encrypt - it won't work on a 'clean' cache.

6. Once the computer has some offline files set, *wait for Group Policy to refresh* before checking if Offline Files encryption is working or not. Unfortunately, even if the Group Policy setting is enabled, the encryption process won't begin until the next Group Policy refresh interval occurs - by default 90 minutes on most clients. If you can't wait this long (or want to make sure it's working), type 'gpupdate' into a Command Prompt and wait - after a few seconds the encryption process should begin, you should see the files in %SystemRoot%\CSC start to go 'green', and the 'Encrypt offline files to secure data' box in Folder Options should become ticked. As I said, it might take a few seconds for the settings to be applied, but it should work eventually.

All of the above information is available at various points around the web, except for the fact that even if the Group Policy setting is enabled, it won't be applied to a 'fresh' Offline Files cache until the next Group Policy refresh interval, which IMO is a bit of a flaw in the design. Nevertheless, that is how it works at the moment, so if you have been struggling to get it to work, and have applied the updated ADM file settings to all of your GPOs, give the 'gpupdate' command a try.

Hope this helps,

--
Chris Hill
ICT Technician - Colchester Royal Grammar School
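
The checks from steps 2 and 6 can be scripted; the following is an added example and not part of the original post. It assumes PowerShell is installed and run from an administrative session, and the function names, the `-Refresh` switch and the 30-second wait are hypothetical choices made for this illustration. The system.adm result matters on the machine used to edit the GPO, the cache result on the client.

```powershell
# Added example, not from the original post. Run from an administrative
# PowerShell session; pass -Refresh to run gpupdate before checking.
param([switch]$Refresh)

$guid    = '{C631DF4C-088F-4156-B058-4375F0853CD8}'   # string quoted in step 2
$admPath = Join-Path $env:windir 'inf\system.adm'     # location given in step 2
$cscPath = Join-Path $env:SystemRoot 'CSC'            # Offline Files cache

function Test-AdmUpdated {
    param([string]$Path, [string]$Needle)
    if (-not (Test-Path -Path $Path)) { return $false }
    # -SimpleMatch treats the GUID as a literal string, not a regex.
    return [bool](Select-String -Path $Path -Pattern $Needle -SimpleMatch -Quiet)
}

function Get-CscEncryptionSummary {
    param([string]$Path)
    # -Force includes hidden/system entries; unreadable folders are skipped.
    $files = @(Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer })
    # Explorer colours EFS-encrypted files green; the same state is the
    # Encrypted file attribute.
    $encrypted = @($files | Where-Object {
        ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 })
    New-Object PSObject -Property @{
        TotalFiles     = $files.Count
        EncryptedFiles = $encrypted.Count
    }
}

if ($Refresh) {
    gpupdate | Out-Null      # step 6: do not wait for the refresh interval
    Start-Sleep -Seconds 30  # constructed delay to let encryption begin
}

$admOk   = Test-AdmUpdated -Path $admPath -Needle $guid
$summary = Get-CscEncryptionSummary -Path $cscPath

"system.adm contains the policy GUID : $admOk"
"Files found under $cscPath : $($summary.TotalFiles)"
"Files with the Encrypted attribute  : $($summary.EncryptedFiles)"

if (-not $admOk) {
    "system.adm looks out of date: see steps 1 and 2."
} elseif ($summary.EncryptedFiles -eq 0) {
    "Nothing encrypted yet: see steps 5 and 6, then re-run with -Refresh."
} else {
    "Offline Files encryption is taking effect."
}
```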