FIX: Can't encrypt the Offline Files cache using Group Policy sett


Christopher Hill

Hi all,

Just thought I would post a quick fix to a problem that I think many people
have been experiencing when enabling the 'Encrypt the Offline Files Cache'
setting in Group Policy, but finding out that the 'Encrypt offline files to
secure data' setting under 'Folder Options / Offline Files' remains greyed
out, and that offline files are not actually encrypted.

(You can find out if Offline Files encryption is working properly by
navigating to "%SystemRoot%\CSC" and looking in the subfolders for any files
that appear in 'green'. If you can see some 'green' files, offline files
encryption is working fine. If not, and the box mentioned above in Folder
Options / Offline Files remains greyed out, you might have this problem).

After some searching and testing, I have found the following checks & steps
which seem to fix the problem in my environment at least:

1. Make sure you have the KB810859 hotfix installed ('The "Encrypt the
Offline Files cache" Group Policy setting does not take effect when a user
logs on to a Windows XP-based computer',
http://support.microsoft.com/kb/810859). This really is the key to the whole
thing, and thankfully it seems to be included in XP SP3.

2. Once you have installed the hotfix / SP3, make sure that your copy of
system.adm is up-to-date. You can check this by going to %windir%\inf and
opening the file in Notepad. Search for the string
'{C631DF4C-088F-4156-B058-4375F0853CD8}' (without quotes) - if you can find
it, you should be fine.

3. ON THE SYSTEM WHICH HAS THE UPDATED VERSION OF SYSTEM.ADM, go into the
Group Policy where you have set the 'Encrypt the Offline Files Cache'
setting, REMOVE the policy (set it to 'Not Configured', click Apply), and
then RE-ENABLE the policy (set it to 'Enabled', click Apply), then close the
policy. As KB810859 describes, this will set the gPCMachineExtensionNames
attribute on this particular Group Policy object to 'trigger' the new
functionality in the hotfix - if you don't do this, then none of this will
work.

4. Perform the above step on any other policies on your domain which include
the 'Encrypt the Offline Files Cache' setting. Any policies which have this
setting included need to be 'touched' with the new version of system.adm in
order to have any effect on patched computers.

5. Make sure that the computer on which you are trying to enable offline files
encryption actually has some offline files set. It might sound obvious,
but the Group Policy setting won't apply until there are actually some
offline files to encrypt - it won't work on a 'clean' cache.

6. Once the computer has some offline files set, *wait for Group Policy to
refresh* before checking if Offline Files encryption is working or not.
Unfortunately, even if the Group Policy setting is enabled, the encryption
process won't begin until the next Group Policy refresh interval occurs - by
default 90 minutes on most clients. If you can't wait this long (or want to
make sure it's working), type 'gpupdate' into a Command Prompt and wait -
after a few seconds the encryption process should begin, you should see the
files in %SystemRoot%\CSC start to go 'green', and the 'Encrypt
offline files to secure data' box in Folder Options should become ticked. As
I said, it might take a few seconds for the settings to be applied, but it
should work eventually.

All of the above information is available at various points around the web,
except for the fact that even if the Group Policy setting is enabled, it
won't be applied to a 'fresh' Offline Files cache until the next Group Policy
refresh interval, which IMO is a bit of a flaw in the design. Nevertheless,
that is how it works at the moment, so if you have been struggling to get it
to work, and have applied the updated ADM file settings to all of your GPOs,
give the 'gpupdate' command a try.

Hope this helps,
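The checks in steps 1, 2, 3/4 and 5/6 above can be gathered into one read-only script. The following is an added example, not part of Christopher's post or of any Microsoft tooling; it assumes PowerShell 2.0 or later on the client, local administrator rights (the %SystemRoot%\CSC folder is ACL-protected), and domain read access for the GPO lookup. The GPO display name is a placeholder you supply, and the script only reports what it finds - it does not modify the GPO or run gpupdate.

```powershell
# Added example: read-only verification of the checks described in the post.
# Assumptions: PowerShell 2.0+, local admin rights, domain read access.
param(
    [string]$GpoDisplayName = '<GPO display name>'   # placeholder: the GPO that sets 'Encrypt the Offline Files Cache'
)

# Step 1: is KB810859 installed, or is the service pack level high enough (SP3 includes it)?
$hotfix = Get-HotFix -Id 'KB810859' -ErrorAction SilentlyContinue
$spLevel = (Get-WmiObject Win32_OperatingSystem).ServicePackMajorVersion
Write-Host ("KB810859 listed as installed: {0}; service pack level: {1}" -f [bool]$hotfix, $spLevel)

# Step 2: does the local system.adm contain the GUID the post says the updated template carries?
$admPath = Join-Path $env:windir 'inf\system.adm'
$guid    = '{C631DF4C-088F-4156-B058-4375F0853CD8}'
$admOk   = [bool](Select-String -Path $admPath -Pattern $guid -SimpleMatch -Quiet)
Write-Host ("system.adm contains {0}: {1}" -f $guid, $admOk)

# Steps 3/4: read gPCMachineExtensionNames on the GPO over LDAP (read-only).
# The post says the attribute is only populated after the policy is toggled
# Not Configured -> Enabled from a machine with the updated system.adm.
$rootDse  = [ADSI]'LDAP://RootDSE'
$policies = [ADSI]('LDAP://CN=Policies,CN=System,' + $rootDse.defaultNamingContext)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($policies)
$searcher.Filter = "(&(objectClass=groupPolicyContainer)(displayName=$GpoDisplayName))"
[void]$searcher.PropertiesToLoad.Add('gPCMachineExtensionNames')
$gpo = $searcher.FindOne()
if ($gpo) {
    $extNames = [string]$gpo.Properties['gpcmachineextensionnames']
    if ($extNames) {
        Write-Host "gPCMachineExtensionNames on '$GpoDisplayName': $extNames"
    } else {
        Write-Host "gPCMachineExtensionNames on '$GpoDisplayName' is empty - re-apply the setting as in step 3"
    }
} else {
    Write-Host "GPO '$GpoDisplayName' not found under CN=Policies"
}

# Steps 5/6: is there anything in the cache, and how much of it already carries
# the NTFS Encrypted attribute (what Explorer shows as 'green')?
$cscPath   = Join-Path $env:SystemRoot 'CSC'
$cached    = @(Get-ChildItem -Path $cscPath -Recurse -Force -ErrorAction SilentlyContinue |
               Where-Object { -not $_.PSIsContainer })
$encrypted = @($cached | Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted })
Write-Host ("Offline Files cache: {0} files, {1} encrypted" -f $cached.Count, $encrypted.Count)
if ($cached.Count -eq 0) {
    Write-Host "Cache is empty - the policy will not take effect until some files are made available offline (step 5)"
} elseif ($encrypted.Count -eq 0) {
    Write-Host "Cache has files but none are encrypted yet - wait for the next Group Policy refresh or run gpupdate (step 6)"
}
```

Run it once before and once after gpupdate: a non-zero encrypted count on the second run is the same signal as the 'green' files Christopher describes, without having to browse %SystemRoot%\CSC by hand.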
 
