Windows .NET Server to the rescue
Until now, my recommendations for preventing data loss from Encrypting File System have been to disable EFS (it is enabled by default), then enable it for those few who really need the service and ensure that their keys are archived. Alternatively, I've helped organizations set up a public key infrastructure using Windows 2000 Certificate Services. This infrastructure does not provide any key-archival services, but it does allow a more organized approach to EFS management and allows the setup of multiple data recovery agents.
Neither method provides an easy approach for large numbers of users, and both involve lots of management issues.
The release of Windows .NET Server offers a much better solution. With Windows .NET Server, Certificate Services provides the ability to do key archival. This means that a properly configured system will automatically archive the EFS encryption keys of each user. Should a user's drive be reformatted, or his keys otherwise destroyed, the keys themselves can be recovered. No data loss, no reliance on a data recovery agent, no inadvertent exposure of data to other individuals. --Roberta Bragg
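Key archival only covers keys enrolled through a CA template that requires it, so the first thing to verify is which published templates actually carry that setting. The following PowerShell audit is an added example, not code from the column; it assumes a domain-joined host with read access to the configuration naming context and a Windows Server 2003-or-later schema (the `msPKI-Private-Key-Flag` attribute and its bit values come from MS-CRTD, section 2.27).

```powershell
# Added example: list the certificate templates published in Active Directory
# and report which ones require private-key archival and which carry the
# Encrypting File System EKU. Assumes read access to the configuration NC.

$rootDse      = [ADSI]"LDAP://RootDSE"
$configNc     = $rootDse.Get("configurationNamingContext")
$templatesDn  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$container    = [ADSI]"LDAP://$templatesDn"

# Bit values of msPKI-Private-Key-Flag (MS-CRTD 2.27).
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001
$CT_FLAG_EXPORTABLE_KEY               = 0x00000010

# Enhanced key usage OID that marks a template as usable for EFS.
$EFS_EKU_OID = "1.3.6.1.4.1.311.10.3.4"

foreach ($template in $container.Children) {
    # Version-1 (Windows 2000) templates predate this attribute; treat as 0.
    $rawFlags = $template.Properties["msPKI-Private-Key-Flag"].Value
    $flags    = if ($null -eq $rawFlags) { 0 } else { [int]$rawFlags }
    $ekus     = @($template.Properties["pKIExtendedKeyUsage"].Value)

    [pscustomobject]@{
        Template      = [string]$template.Properties["cn"].Value
        EfsTemplate   = ($ekus -contains $EFS_EKU_OID)
        KeyArchival   = [bool]($flags -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL)
        ExportableKey = [bool]($flags -band $CT_FLAG_EXPORTABLE_KEY)
    }
}
```

Any row with `EfsTemplate` true and `KeyArchival` false identifies users whose EFS keys would still be lost with the drive; note also that self-signed EFS certificates, which Windows issues when no enterprise CA is reachable, never pass through the CA and are therefore never archived.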