Back Up EFS-encrypted Objects Using SYSTEM Account (code 1602)

Description Value
Issue ID 01602
Issue Class Error

Issue Description

Some files on the backup source may be encrypted with EFS. To learn more about this Windows feature, refer to the File Encryption article.


Solution

The issue can be solved by giving the SYSTEM account access to the EFS-encrypted files. By default, the SYSTEM account does not have an EFS certificate.

Note that allowing the SYSTEM account to access EFS-encrypted files can be dangerous, since anyone with access to an instance with the SYSTEM account open is able to decrypt sensitive data.

To Grant SYSTEM Account Access to EFS-encrypted Files

  1. Make sure you have the PsExec tool installed.
  2. If you do not have PsExec, download PSTools.zip from the Microsoft Sysinternals website, unpack it, and copy PsExec to the executable path. To learn more, refer to the PsExec 2.2 article at docs.microsoft.com.
  3. Run the cmd utility as an administrator.
  4. Run PsExec using the following command: psexec -i -s -d.
  5. Create a scratch file. To do this, type echo. > scratch.txt.
  6. Encrypt the scratch.txt file using the following command: cipher /e scratch.txt.
  7. EFS certificates can be managed in the Certificates MMC snap-in. To learn more about the MMC snap-in, refer to the How to: View certificates with the MMC snap-in article at docs.microsoft.com.
  8. Alternatively, run certlm.msc.
  9. Run a command prompt as the file owner.
  10. Run cipher /adduser /certhash: with the target user's EFS thumbprint placed directly after the colon, without spaces. (Double-click an entry in the Certificates MMC window, then switch to the Details tab to see the thumbprint.)
  11. The target filename is an additional parameter, and /s:<dir> still works if you are applying this to a folder.
  12. Once you are done, run the backup plan again.
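
The owner-side steps above (cipher /adduser with the SYSTEM thumbprint, applied across a folder) can be scripted and checked before the backup plan is run again. The PowerShell script below is an added example, not part of the original article or the backup product; the parameter names, the -Apply switch, and the reliance on cipher /c printing certificate thumbprints are assumptions of this example.

```powershell
# Added example (not from the original article). Run as the owner of the files.
param(
    [Parameter(Mandatory)] [string] $Path,        # backup source folder
    [Parameter(Mandatory)] [string] $Thumbprint,  # SYSTEM EFS thumbprint, as shown on the Details tab
    [switch] $Apply                               # report only unless -Apply is given
)

# cipher wants the hash without spaces; drop spaces and any stray
# non-hex characters picked up when copying from the certificate dialog.
$hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($hash.Length -ne 40) {
    throw "Expected a 40-digit SHA-1 thumbprint, got $($hash.Length) hex digits."
}

function Test-EfsAccess([string] $File) {
    # Assumption: cipher /c lists the thumbprint of every certificate
    # that can decrypt the file (shown in space-separated groups).
    $out = (& cipher.exe /c $File | Out-String) -replace '\s', ''
    return $out.ToUpper().Contains($hash)
}

# Only files carrying the Encrypted attribute are relevant to issue 1602.
$files = Get-ChildItem -LiteralPath $Path -Recurse -File -Attributes Encrypted

foreach ($f in $files) {
    $ok = Test-EfsAccess $f.FullName
    if (-not $ok -and $Apply) {
        # Same command as the manual step, applied per file.
        & cipher.exe /adduser "/certhash:$hash" $f.FullName | Out-Null
        $ok = Test-EfsAccess $f.FullName
    }
    # One row per encrypted file: can the given certificate decrypt it?
    [pscustomobject]@{ SystemCanDecrypt = $ok; File = $f.FullName }
}
```

Run it first without -Apply to see which encrypted files the SYSTEM certificate cannot yet open, then with -Apply to add the certificate only to those files.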