'Element not Found' when using EFS on Windows 2008


Our PKI is Windows 2016 with ADDS forest/domain functional level at 2008 R2. When attempting to encrypt a file on a Domain joined Windows 2008 (not R2!) machine we received the following:

  • 'Element not found'

Our recovery agent is in place and we have no issues on Windows 2008 R2 or above. From troubleshooting, this only occurs if KSP is used as the cryptographic provider in the PKI template. If we use the legacy provider in the template, the file encrypts without issues.


Recently I had an encounter with a couple of errors while migrating from 2k8R2 to 2019:

Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET)
Client has requested stop service 0xc8000531 (ESE: -1329 JET_errClientRequestToStopJetService)
Keyset does not exist
Element not found

Task-I (Existing Server 2008 R2 - prior to migrating to new OS - 2016 / 2019)

1) Backup the Root CA and registry configuration
2) Change the Key CSP to KSP
3) Update the algorithm from SHA1 to SHA2
4) Validate the behavior of Root CA and issuance, template issuance

Task-II

1) Deploy temporary Windows Server 2012 R2 in Azure, Patching and Antivirus should be in compliance
2) Backup the Root CA database and Registry configuration
3) Migrate the Root CA from 2008 R2 to 2012 R2
4) Restore the DB and registry changes to the temporary 2012 R2 server name and update ADSI (PKI enrollment), CDP, AIA container accordingly
5) Validate the Root CA health, CRL status, CA issuance, new template request
6) Once the Root CA is healthy on 2012 R2, then back up the Root CA database and registry configuration
7) Migrate the Root CA from temporary 2012 R2 to 2016/2019 server
8) Restore the DB and registry changes to the temporary 2012 R2 server name and update ADSI (PKI enrollment), CDP, AIA container accordingly
9) Validate the Root CA health, CRL status, CA issuance, new template request
10) Once the Root CA is healthy in 2019, then configure the CA backup scheduler, other baselines, etc.
11) Decommission the old Root CA W2k8R2 and temporary 2012 R2 server


Ref: ADCS migration:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn...
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc...
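As an added example (not from this thread or the linked Microsoft articles), the CA-side commands behind Task-I steps 1 to 3 above (backup, CSP to KSP, SHA1 to SHA2) in an elevated PowerShell on the existing 2008 R2 CA. The CA name, backup folder and password are placeholders you must replace.

```powershell
# Added example, not the poster's own procedure: Task-I steps 1-3 on an existing Server 2008 R2 CA.
# Run in an elevated PowerShell on the CA itself. CA name, folder and password are placeholders.
$CaName    = 'CONTOSO-ROOT-CA'   # assumption: the CA common name as reported by certutil -getconfig
$BackupDir = 'C:\CABackup'       # assumption
$Password  = Read-Host 'Password to protect the CA key backup'

# Step 1: back up the database, the CA certificate + private key (PFX) and the CertSvc registry hive.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
certutil -backupdb $BackupDir
certutil -backupkey -p $Password $BackupDir          # writes $BackupDir\$CaName.p12
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CertSvc.reg" /y
certutil -getreg ca\csp\Provider                     # record the current provider before changing it

# Step 2: move the key from the legacy CSP to the Software KSP. The CA certificate is removed from the
# machine store and re-imported from the PFX so the private key is re-created under the KSP.
net stop certsvc
certutil -delstore my $CaName                        # matches on subject CN; use the serial number if not unique
certutil -csp 'Microsoft Software Key Storage Provider' -p $Password -importpfx (Join-Path $BackupDir "$CaName.p12")

# Point the CA service at the KSP (the CSP registry key of a KSP-backed CA).
$Csp = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName\CSP"
Set-ItemProperty -Path $Csp -Name Provider              -Value 'Microsoft Software Key Storage Provider'
Set-ItemProperty -Path $Csp -Name ProviderType          -Value 0 -Type DWord
Set-ItemProperty -Path $Csp -Name CNGPublicKeyAlgorithm -Value 'RSA'
# -1 is stored as DWORD 0xFFFFFFFF: no CAPI ALG_ID, use CNGHashAlgorithm instead.
Set-ItemProperty -Path $Csp -Name HashAlgorithm         -Value -1 -Type DWord

# Step 3: SHA-1 -> SHA-256 for everything the CA signs from now on (certificates and CRLs).
# The CA's own certificate keeps its SHA-1 signature until the CA certificate is renewed.
Set-ItemProperty -Path $Csp -Name CNGHashAlgorithm -Value 'SHA256'
net start certsvc

# Sanity checks before issuing anything: provider and hash now in effect, key usable, service answering.
certutil -getreg ca\csp
certutil -verifystore my $CaName
certutil -ping
```

Keep the PFX and password from step 1 until step 4 of the list above (validated issuance) has passed; they are the only way back if the re-import under the KSP fails.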

I logged this with MS support and they advised that the only option to move away from KSP on Windows 2008 was to go to 2008 R2 or higher.