Back Up EFS-encrypted Objects Using SYSTEM Account (code 1602)
Some files on the backup source may be encrypted with EFS. To learn more about this Windows feature, refer to the File Encryption article.
The issue can be solved using the SYSTEM account that accesses EFS-encrypted files. By default, the SYSTEM account does not have an EFS certificate.
If you want to use any other account, you must grant it with permissions to back up EFS objects
Note that allowing SYSTEM account to access EFS-encrypted files can be dangerous, since anyone with access to instance with the SYSTEM account open, is able to decrypt sensitive data
To Grant SYSTEM Account Access to EFS-encrypted Files
- Make sure you have a PsExec tool installed.
- In case you do not have PsExec, download the PSTools.zip from Mircosoft Sysinternals website, unpack it and copy the PsExec to the executable path. To learn more, refer to the PsExec 2.2 article at docs.microsoft.com.
- Run cmd utility as an administrator.
- Run PsExec using the following command: psexec -i -s -d.
- In the opened window execute echo "temp" > C:\PsExec\Temp\system_EFS_object.file.
- Encrypt the scratch.txt file using the following command: cipher /e C:\PsExec\Temp\system_EFS_object.file.
- EFS certificates can be managed in the Certificates MMC snap-in. To learn more about MMC sdnap-in, refer to the How to: View certificates with the MMC snap-in article at docs.microsoft.com.
- Alternatively, run certlm.msc.
- Run a command prompt as a file owner.
- Run cipher /adduser /certhash: with the target user's EFS thumbprint smushed against the colon without spaces. (Double-click an entry in the Certificates MMC window, then switch to the Details tab to see the thumbprint.)
- The target filename is an additional parameter, and
/s:<dir>still works if you're applying this to a folder
- Once you are done, run the backup plan again.