I'm looking for a way to programmatically (any language) add a Data Recovery Agent (DRA) certificate for Encrypting File System (EFS) in Windows OS.
Manually it's easy to perform by: gpedit.msc - Security Settings -> Public Key Policies -> Encrypting File System -> Add DRA;
but I want to automate it (without using Active Directory Group Policies!).
A command line solution would also be acceptable.
The solution is to use the (Local) Group Policy Object API to publish the registry keys described in the MSDN documentation "[MS-GPEF]: Group Policy: Encrypting File System Extension" (MS-GPEF). Two main keys must be created: \EFS\!Blob and \EFS!EfsBlob. A similar solution can be used for BitLocker.
Remarks:
- MS-GPEF registry keys must be modified according to GPO publishing rules. Direct insertion will be automatically removed by the OS;
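An added C# example (not code from the answer above) of the publishing mechanism it describes: the EFS policy value is written through the local GPO's own registry handle and saved against the EFS Recovery client-side extension GUID, rather than being written straight into HKLM. It assumes a file already holding the EfsBlob bytes in the MS-GPEF layout; the tool GUID is a constructed placeholder.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.Win32;
using Microsoft.Win32.SafeHandles;

// IGroupPolicyObject from gpedit.h; method order must match the COM vtable. Returns are HRESULTs, so the CLR throws on failure.
[ComImport, Guid("EA502723-A23D-11d1-A7D3-0000F87571E3"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
interface IGroupPolicyObject
{
    void New([MarshalAs(UnmanagedType.LPWStr)] string domain, [MarshalAs(UnmanagedType.LPWStr)] string name, uint flags);
    void OpenDSGPO([MarshalAs(UnmanagedType.LPWStr)] string path, uint flags);
    void OpenLocalMachineGPO(uint flags);
    void OpenRemoteMachineGPO([MarshalAs(UnmanagedType.LPWStr)] string computer, uint flags);
    void Save([MarshalAs(UnmanagedType.Bool)] bool machine, [MarshalAs(UnmanagedType.Bool)] bool add, [MarshalAs(UnmanagedType.LPStruct)] Guid extension, [MarshalAs(UnmanagedType.LPStruct)] Guid snapin);
    void Delete();
    void GetName(IntPtr name, int max);
    void GetDisplayName(IntPtr name, int max);
    void SetDisplayName([MarshalAs(UnmanagedType.LPWStr)] string name);
    void GetPath(IntPtr path, int max);
    void GetDSPath(uint section, IntPtr path, int max);
    void GetFileSysPath(uint section, IntPtr path, int max);
    void GetRegistryKey(uint section, out IntPtr key);
    void GetOptions(out uint options);
    void SetOptions(uint options, uint mask);
    void GetType(out IntPtr gpoType);
    void GetMachineName(IntPtr name, int max);
    void GetPropertySheetPages(out IntPtr pages, out uint count);
}
[ComImport, Guid("EA502722-A23D-11d1-A7D3-0000F87571E3")]
class GroupPolicyObject { }

static class EfsDraPolicy
{
    const uint GPO_OPEN_LOAD_REGISTRY = 1, GPO_SECTION_MACHINE = 2;
    static readonly Guid EfsRecoveryCse = new Guid("{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}"); // EFS Recovery CSE (MS-GPEF)
    static readonly Guid ThisTool = new Guid("{0BA7F59C-9D4E-4C1F-AF4D-2A5D8D2E0001}");       // constructed placeholder: any fixed GUID of your own
    // blobPath: file holding the EfsBlob bytes in the MS-GPEF layout (hypothetical input prepared elsewhere).
    static void Publish(string blobPath)
    {
        byte[] blob = File.ReadAllBytes(blobPath);
        var gpo = (IGroupPolicyObject)new GroupPolicyObject();
        gpo.OpenLocalMachineGPO(GPO_OPEN_LOAD_REGISTRY);          // requires administrator rights
        gpo.GetRegistryKey(GPO_SECTION_MACHINE, out IntPtr hKey); // machine half of the policy hive, not HKLM itself
        using (var root = RegistryKey.FromHandle(new SafeRegistryHandle(hKey, true)))
        using (var efs = root.CreateSubKey(@"Software\Policies\Microsoft\SystemCertificates\EFS"))
            efs.SetValue("EfsBlob", blob, RegistryValueKind.Binary);
        // Save registers the EFS CSE in gpt.ini and updates registry.pol, so policy processing applies the value instead of discarding a stray direct edit.
        gpo.Save(true, true, EfsRecoveryCse, ThisTool);
    }
    static void Main(string[] args) => Publish(args[0]);
}
```

Run it elevated; after a gpupdate the value should appear under HKLM\Software\Policies\Microsoft\SystemCertificates\EFS, which is the check that the CSE accepted it.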