Recovery policy configured for this system contains invalid recovery certificate

The Recovery policy configured for this system contains invalid recovery certificate message is known to appear when trying to encrypt a file or a folder using the Windows Encrypting File System. The File Recovery certificate being outdated or expired is the most frequent cause of this invalid recovery certificate message.

The message is shown in the following print screen:

Message about invalid recovery certificate shown after trying to encrypt a file.

When do I get the invalid recovery certificate message?

We already mentioned that the invalid recovery certificate message appears when trying to encrypt a file or folder using the Windows Encrypting File System mechanism. You can encrypt a file or folder in Windows by right clicking a file or folder in your Windows Explorer, entering the Properties screen and going to the Advanced options on the General tab. When you click check the "Encrypt contents to protect data" and hit Apply, you might encounter the Recovery policy configured for this system contains invalid recovery certificate message if your system is not set up the way it needs to be.

Why the invalid recovery certificate message appears?

When you enable encryption on a file or folder, Windows checks your file recovery certificate to see whether it is current and valid. This certificate is your help of last resort in the event when you need to recover encrypted files when the encryption key is lost or damaged. It is obvious that this message can show up "out of the blue sky" leaving the user helpless and wondering – at the moment when the certificate expires.

Security note:

On one hand, Windows does a good thing by checking the recovery certificate to help avoid situations when the data is lost for ever just because the encryption key is lost, but on the other hand, it is necessary to say that the recovery certificate is sort of a back door and as such can be exploited.

How to fix the Recovery policy configured for this system contains invalid recovery certificate message?

Fixing your computer so that the Recovery policy configured for this system contains invalid recovery certificate message does not prevent you from using the Encrypting File System is a bit tricky and involves a number of steps, but we hope this guide can help you in this effort.

First, log into your computer using the built-in Administrator account. Logging into your computer running Windows Vista using another account with administrative privileges is known to cause issues when fixing this issue.

Create a file recovery certificate

Second, create a recovery certificate for encrypted files. You can do this by executing the following steps

Start menu
Run
Cmd
(this can be accessed also through Start -> All Programs -> Accessories -> Command Prompt)
Type cipher /r:recovery_certificate and hit Enter
Type a strong password. This will be your password to your data; it is advised to use at least 10 characters, a combination of lower and upper case, numbers and special characters.

invalid recovery certificate

The print screen above shows how to generate a recovery certificate. The certificate is stored in a file called recovery_certificate.CER located in the directory shown at the command prompt. Note: It is a good idea to move this file to an encrypted USB disk and store the media in a safe. This file will be your key to your data.

Install file recovery certificate (Data Recovery Agent)

The next step is to let the system know about your file recovery certificate by generating so called Data Recovery Agent.

Start menu
Run
Type gpedit.msc and hit Enter to run the Group Policy editor
Navigate to the
-> Local Computer Policy
-> Computer Configuration
-> Windows Settings
   -> Security Settings
    ->Public Key Policies
     -> right click Encrypting File System
      -> and select Add Data Recovery Agent

Follow the wizard and when it asks you for a file with the certificate, browse to the folder containing the recovery_certificate.CER file which you created earlier and select that file.

Data Recovery Agent

Update policies

The next step is to update policies by going to the command prompt and executing the gpupdate /force command.

This did not help – what else should I do?

In some cases, people ran into situations when this solution did not work, or in other words, they were getting the Recovery policy configured for this system contains invalid recovery certificate message even after adding the recovery certificate to the policies. The following are a few additional steps to check.

Delete old certificates

The Encrypting File System screen in the Group Policy editor should list only one Data Recovery Agent (certificate). If you see more than one Data Recovery Agent there, then export them first and delete all but the one with the farthest expiration date.

Delete certificates from certificate stores

Open the certificates Microsoft Management Console snap-in (type mmc in the Start -> Run screen and hit Enter, then go to File -> Add/Remove Snap In and select Certificates from the Available Snap-ins menu, then hit Add and select My user account). Navigate to the following location:

-> Console Root
-> Certificates – current user
-> Personal
-> Certificates

and make sure the right pane shows no File Recovery certificates. If it does show any, then export and delete them.

Check applicable policies and determine used certificates

Go to the Start menu
Run
Type rsop.msc and hit Enter to run the Resultant Set of Policy tool
Navigate to the
-> Computer Configuration
-> Windows Settings
-> Security Settings
-> Public Key Policies
-> Encrypted File System

The right pane should list the defining recovery agent and show its expiration date as well. By default, there should be a certificate given to the Administrator account. If there is no valid certificate or the certificate is expired, the encryption feature will not work and you will see the Recovery policy configured for this system contains invalid recovery certificate message because a valid and unexpired recovery is required for the Encrypting File System to work.

Update certificates

Open the command prompt and run the cipher /u command. This will update previously encrypted files with the new recovery certificate.

All the steps described on this page need to be executed under the default Administrator account.

Invalid recovery certificate and other issues

Everything about invalid recovery certificate has been said on this web page, but you might find some other articles handy for other issues.

Top 10 Risk and Security Audit Findings
The file or folder does not exist
How to find out when a web page was created or updated

How to edit group policy

Discuss this article or this topic in our discussion forum:

(The table bellow shows a list of 8 most recent topics posted in our discussion forum. Visit our discussion forum to see more. It is possible the links below are not related to this page, but you can be certain you will find related posts in the discussion forum. You can post one yourself too.)

Email this article to a friend:

How can I link to this web page?

It is easy, just include the code provided below into your HTML code.

<a href="http://www.maxi-pedia.com/Recovery+policy+configured+for+this+system+contains+invalid+recovery+certificate" title="www.Maxi-Pedia.com: Recovery policy configured for this system contains invalid recovery certificate" target="_blank">Recovery policy configured for this system contains invalid recovery certificate</a>

Bookmark this article with