Fixing the "Encrypt the Offline Files Cache" Setting in Group Policy

Here's a fix to a problem that many people have been experiencing when using the Encrypt the Offline Files Cache setting in Group Policy to encrypt offline files in Windows XP clients.

Chris Hill

August 5, 2010

3 Min Read
ITPro Today logo in a gray background | ITPro Today

I recently encountered a problem when using the Encrypt the Offline Files Cache setting in Group Policy. Even though I enabled this setting in Group Policy and successfully applied it to a Windows XP client, the client's Encrypt offline files to secure data check box remained grayed out and the offline files weren't being encrypted.

When I searched the Internet for a solution, I found that many people were experiencing the same problem, but I couldn't find a definitive solution. So, I did some investigating and came up with a procedure to reliably fix the problem.

Before applying this procedure, you need to determine whether this problem is indeed plaguing your client. On the client, navigate to %SystemRoot%CSC and look in the subfolders for any files whose names appear in green, as Figure 1 shows.

If you can see some green files, offline file encryption is working fine. If you don’t see any green files, check the client's Encrypt offline files to secure data check box. In Control Panel, select Folder Options, then click the Offline Files tab. If the Encrypt offline files to secure data check box is grayed out but not selected, as Figure 2 shows, you have this problem.

 

Here are the steps to fix it:

  1. Make sure you have the KB810859 hotfix installed on the client. Without this hotfix, the Offline Files cache will never be encrypted unless a user with Administrator privileges logs on. SP3 for XP includes this fix. If SP3 hasn't been installed, you can download the hotfix from the Microsoft article "The 'Encrypt the Offline Files cache' Group Policy setting does not take effect when a user logs on to a Windows XP-based computer".

  2. Make sure that the system.adm file is up-to-date on the system that you use to manage Group Policy. Go to %windir%inf and open the system.adm file in Notepad. Search for the line

    CLIENTEXT \{C631DF4C-088F-4156-B058-4375F0853CD8\}

    If you find it, you should be fine. If you don't find it, install the KB810859 hotfix on that machine or add the line manually, following the instructions in "The 'Encrypt the Offline Files cache' Group Policy setting does not take effect when a user logs on to a Windows XP-based computer".

  3. On the system you use to manage Group Policy, open the Group Policy Object (GPO) in which you set the Encrypt the Offline Files Cache option. Remove the GPO by setting it to Not Configured and clicking Apply. Then re-enable the GPO by setting it to Enabled and clicking Apply. This will update the gPCMachineExtensionNames attribute in the GPO, which will trigger the new functionality introduced by the hotfix. If you don't perform this step, the problem won't be resolved.

  4. Perform step 3 on any other GPOs that include the Encrypt the Offline Files Cache setting.

  5. Make sure that the client has some offline files. This might sound obvious, but the Encrypt the Offline Files Cache setting won't be applied until there are some offline files to encrypt.

  6. At this point, even though the Encrypt the Offline Files Cache setting is enabled, it won't be applied to a newly created or unencrypted Offline Files cache until the next Group Policy refresh interval, which is 90 minutes by default in most systems. This is a design flaw. It means that when the offline files are first synchronized, they're not encrypted, leaving a period when the system is potentially insecure. It also means that there's a danger that copies of the unencrypted offline files are still on the hard disk. For these reasons, I recommend that you open a command shell window on the system where the Offline Files have been synchronized and run the command

    gpupdate

    After a few seconds, the encryption process will begin and the files in %SystemRoot%CSC should start to go green. In addition, the Encrypt offline files to secure data check box on the client will be selected.

All the information I've provided is scattered among various websites (except for the information in step 6, which I added). By compiling all the information into this 6-step procedure, you won't have to spend hours searching the Internet for an answer to the question "Why aren't my offline files being encrypted?"

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like