Prevent the EFS backup wizard at the first RDM starts

Resolved

Hi, when our users start RDM for the first time, they get the following message telling them that they should back up the EFS key. This message confuses our users: they don't know what the right choice is, and they also don't have any USB drive available. This creates a bad user experience. Our goal is that the user doesn't get this message.

As far as I could research, RDM creates an EFS certificate in the User Certificate Store on first startup. Based on this, Windows shows the backup dialog. So the message is coming from Windows, but is triggered by RDM creating an EFS certificate. However, as the RDM Security Provider we do not use certificate encryption. Instead we use Default.

"cipher /u /n c:\" shows RemoteDesktopManager.enb, RemoteDesktopManager.enc, RemoteDesktopManager.stb and RemoteDesktopManager.stv as encrypted files.
When I delete the certificate in the User Certificate store, RDM does not create a new certificate the next time I start it. RDM must somehow remember that it has already created a certificate.
When I create an EFS certificate myself with the command "cipher /K", the backup wizard does not appear. So I'm not sure whether RDM prompts for the backup wizard or Windows itself does, and why it doesn't when I create the certificate manually.

What are the options to prevent this message?
Can the message be disabled in Windows or RDM?
Can RDM be instructed not to create an EFS certificate at startup or not prompt the backup wizard (because Windows doesn't if I create it manually)?

Best regards, fabian
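The two observations above (an EFS certificate appearing in the user's personal store, and RDM's local files showing up as encrypted in "cipher /u /n") can be checked in one place. The following PowerShell script is an added example, not code from the thread or from Devolutions; it assumes that RDM keeps its local files under %LocalAppData%\Devolutions\RemoteDesktopManager (adjust $RdmLocalDir if your installation differs) and uses the Windows EKU OID for "Encrypting File System" to pick out EFS certificates.

```powershell
# Added example (not from the forum thread): report whether an EFS certificate exists in
# the current user's personal store and whether RDM's local files carry the EFS attribute.
# Assumption: RDM local data lives under %LocalAppData%\Devolutions\RemoteDesktopManager.

$RdmLocalDir = Join-Path $env:LocalAppData 'Devolutions\RemoteDesktopManager'
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: "Encrypting File System"

# 1. EFS certificates in CurrentUser\My. These are the certificates the Windows
#    backup wizard asks the user to export.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku }

if ($efsCerts) {
    Write-Host 'EFS certificate(s) present in CurrentUser\My:'
    $efsCerts | Select-Object Subject, Thumbprint, NotBefore, NotAfter | Format-Table -AutoSize
} else {
    Write-Host 'No EFS certificate in CurrentUser\My.'
}

# 2. Files with the Encrypted attribute under the RDM local data directory.
#    This is what "cipher /u /n" reports, but scoped to one folder.
if (Test-Path $RdmLocalDir) {
    $encrypted = Get-ChildItem $RdmLocalDir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
    if ($encrypted) {
        Write-Host "EFS-encrypted files under ${RdmLocalDir}:"
        $encrypted | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
    } else {
        Write-Host "No EFS-encrypted files under ${RdmLocalDir}."
    }
} else {
    Write-Host "RDM local data directory not found: $RdmLocalDir"
}
```

Run it as the affected user once before the first RDM start and once after. A certificate that appears only after the first start, together with newly encrypted files in the RDM folder, confirms that RDM's local-file encryption is what triggers the Windows wizard; after changing the security option discussed in the thread, the same script should report neither.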

All Comments (6)

Hi,

Thank you for contacting us about this issue.

"Can the message be disabled in Windows or RDM?"
"Can RDM be instructed not to create an EFS certificate at startup or not prompt the backup wizard (because Windows doesn't if I create it manually)?"

I reviewed the code and didn't find anything relating to EFS certificates. However, it might be related to the DPAPI functionality.

Did you enable DPAPI encryption for local files? (Options->Security->Enable DPAPI cryptography on local files)


Regards,
Mathieu Morrissette
Sorry for my late answer, I was out of the office. I did not change the default value. But the option is called "Disable DPAPI cryptography on local files". So, no, I didn't disable it, but yes, the cryptography is enabled.

I think checking the "Disable DPAPI cryptography on local files" would prevent the dialog from showing up.
By default, RDM doesn't use DPAPI for local encryption.

I would also look into the EFS DRA configuration on endpoints.

Regards,
Mathieu Morrissette
I will try it and give you feedback as soon as possible.

What are the ways to set this option computer-wide before starting the application (setup parameters, registry)? We cannot use GPOs because the devices are Azure AD only joined.

Checking the "Disable DPAPI cryptography on local files" option works and prevents the EFS Backup Wizard. Modifying the default.cfg in the program directory does the job for the first startup.