If you are one of the few companies that is moving ahead with a migration from Windows XP to Windows Vista and you have a lot of computers using Encrypting File System (EFS) to protect data, then you have to make sure to use the correct tools to perform the migration; otherwise, you could lose access to important data.
If you don’t have many computers using EFS, it’s probably easiest to follow the instructions written by Microsoft for exporting and importing EFS certificates. If, however, you have many computers on your domain using EFS, then you need to use a different method.
User State Migration Tool 3.0 is a free tool from Microsoft that allows IT administrators to easily migrate a large number of users from one operating system to another. In the new version, you can use the tool to migrate users from XP to Vista or from Vista to XP.
The program captures all of the desktop settings, application settings and files for a user and moves them to a new Windows installation. Note that you don’t need this tool if you are simply performing an upgrade.
If you don’t already know, USMT uses two commands to perform the migration: ScanState.exe and LoadState.exe. In order to migrate encrypted files and certificates, you have to change the default behavior by adding command line switches.
Note that by default, if you are migrating to Windows Vista, USMT will automatically migrate EFS certificates. However, it will not migrate EFS files by default and will fail if it finds any encrypted files.
In order to migrate the encrypted files also, you have to add the following switch to the ScanState command:
/efs:copyraw
Note that this switch copies all of the files in their encrypted format, and they will only be viewable on the destination computer once the EFS certificates are copied over. Only use this option if you are migrating to Windows Vista.
If you are migrating to Windows XP, you can use this command, but you will have to manually migrate the EFS certificates using the cipher.exe command.
You can also use the following command switch to decrypt the files and then copy them:
/efs:decryptcopy
ScanState will decrypt the files, then save them to the store. Once you run LoadState, the files will be copied to the new computer WITHOUT encryption.
If you have EFS files stored on the computer, but do not care to migrate them, then you can add the following switch so that ScanState will skip over the encrypted files rather than failing:
/efs:skip
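Because ScanState fails by default when it finds encrypted files, it helps to inventory them first and pick the switch deliberately. The following pre-flight script is an added example, not part of the original article or of USMT. It assumes PowerShell 2.0 or later on the source computer; the store path, the function names and the choice of MigApp.xml and MigUser.xml are assumptions, and it only scans the current user's profile.

```powershell
# Added example: pre-flight check before ScanState. The store path and
# function names are hypothetical; the /efs values are those described above.
function Get-EfsFile {
    param([Parameter(Mandatory=$true)][string]$Path)
    # EFS-protected files carry the Encrypted file attribute.
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
}

function Get-ScanStateEfsSwitch {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Vista','XP')][string]$DestinationOS,
        [Parameter(Mandatory=$true)][ValidateSet('KeepEncrypted','Decrypt','Skip')][string]$Policy,
        [int]$EncryptedCount = 0
    )
    if ($EncryptedCount -eq 0) { return '' }   # nothing for ScanState to fail on
    switch ($Policy) {
        'KeepEncrypted' {
            if ($DestinationOS -eq 'XP') {
                Write-Warning 'Destination is XP: migrate the EFS certificates manually with cipher.exe.'
            }
            return '/efs:copyraw'
        }
        'Decrypt' {
            Write-Warning "$EncryptedCount file(s) will be decrypted into the store and restored WITHOUT encryption."
            return '/efs:decryptcopy'
        }
        'Skip' {
            Write-Warning "$EncryptedCount encrypted file(s) will NOT be migrated."
            return '/efs:skip'
        }
    }
}

$profileRoot = $env:USERPROFILE            # assumption: only this profile is scanned
$store = '\\server\share\store'            # hypothetical store location
$efsFiles = @(Get-EfsFile -Path $profileRoot)
$efsFiles | Select-Object FullName, Length | Format-Table -AutoSize
$efsSwitch = Get-ScanStateEfsSwitch -DestinationOS Vista -Policy KeepEncrypted -EncryptedCount $efsFiles.Count
# Print the command for review instead of running it.
"scanstate.exe $store /i:MigApp.xml /i:MigUser.xml $efsSwitch"
```

The script prints the ScanState command line rather than executing it, so the list of encrypted files and any warning can be reviewed before the capture is run.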
So that’s pretty much the low-down on how to use User State Migration Tool with EFS if you are migrating to Windows Vista or Windows XP. Any questions? Post a comment!



The information regarding Exporting the EFS certificates from the XP OS and importing them into the Vista OS was very helpful, but I also need to know how to encrypt on the new Vista PC using my CAC….