RESOLUTION
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows XP service pack that contains this hotfix.
To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
32-bit versions of Windows XP
Cscui.dll | 5.1.2600.1656 | 312,320 | 31-Mar-2005 | 20:16 | x86 | SP1 |
Regedit.exe | 5.1.2600.1656 | 134,144 | 31-Mar-2005 | 00:36 | x86 | SP1 |
System.adm | Not Applicable | 1,521,538 | 01-Feb-2005 | 02:58 | Not Applicable | SP1 |
64-bit versions of Windows XP
Cscui.dll | 5.1.2600.1656 | 690,688 | 31-Mar-2005 | 04:14 | IA-64 | SP1 | Not Applicable |
Regedit.exe | 5.1.2600.1656 | 369,152 | 30-Mar-2005 | 08:56 | IA-64 | SP1 | Not Applicable |
System.adm | Not Applicable | 1,521,538 | 02-Feb-2005 | 02:21 | Not Applicable | SP1 | Not Applicable |
Wcscui.dll | 5.1.2600.1656 | 312,320 | 31-Mar-2005 | 04:16 | x86 | SP1 | WOW |
Applying the hotfix
This hotfix changes the way that the EncryptCache Group Policy setting is implemented.
Before you apply the hotfix, the EncryptCache policy is implemented as a Client Side Caching extension in Cscui.dll.
After you apply the hotfix, the Cscui.dll client extension is used when this Group Policy setting is applied to a computer. The Cscui.dll client extension encrypts or decrypts the Client Side Caching cache, depending on your setting. This Client Side Caching extension is used in a privileged context. Therefore, an administrator does not have to log on to the computer interactively to encrypt the cache.
To apply this hotfix, make sure that you do both of the following:
- Update the Active Directory Group Policy setting to reference the new Client Side Caching extension.
- Install this hotfix on all your Windows XP-based computers.
Note The local Group Policy System.adm file is also updated when you apply the hotfix.
While you apply this hotfix, your production environment may contain one or more of the following:
- An old Active Directory Group Policy setting that does not have the Client Side Caching extension.
- A new Active Directory Group Policy setting that has the Client Side Caching extension.
- A Windows XP-based computer that does not have the hotfix applied.
- A Windows XP-based computer that has the hotfix applied.
The following table explains what occurs when the old settings are mixed with the new settings.
The CLIENTEXT line in the System.adm file and in the Active Directory Group Policy object | The Group Policy extension in Cscui.dll | Expected behavior |
No | No | This is Windows XP without the hotfix installed. The encryption policy requires the administrator to be logged on to the client computer. |
No | Yes | The Group Policy extension exists but is not used by the Group Policy engine. The original encryption code has been removed from Cscui.dll. Therefore, no encryption occurs in response to the Group Policy setting. |
Yes | No | The Group Policy setting tries to use the Group Policy extension, but the Group Policy extension does not exist in Cscui.dll. The original encryption code exists in Cscui.dll and will be executed as in the original version of Windows XP. You must log on as an administrator to encrypt the Client Side Caching cache. |
Yes | Yes | The hotfix is applied as a Group Policy extension. |
Based on this table, use the following deployment strategy.
Part 1: Modify the Active Directory Group Policy setting
To modify the Active Directory Group Policy setting to reference the new Group Policy Client Side extension, use the new Client Side extension in an Active Directory Group Policy setting.
Note Update the System.adm file and the Group Policy object in Active Directory. Update the System.adm file first. To do this, follow these steps:
- Update the System.adm file to include the CLIENTEXT line, as follows:
POLICY!!Pol_EncryptOfflineFiles
#if version >= 4
SUPPORTED !!SUPPORTED_WindowsXP
#endif
VALUENAME "EncryptCache"
EXPLAIN !!Pol_EncryptOfflineFiles_Help
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
CLIENTEXT {C631DF4C-088F-4156-B058-4375F0853CD8}
END POLICY
To find the System.adm location path for the Group Policy setting, follow these steps:
- Use the Active Directory Users and Computers tool to select a container where the Group Policy setting is applied.
- Change the container to display the Group Policy setting GUID. An example of this GUID is {9F16DD40-9777-4AD9-870C-9B9F1E73203E}.
- Use the Active Directory Service Interfaces (ADSI) Edit tool or the EnumProp tool to display the gPCFileSysPath attribute, as in the following example:
enumprop "LDAP://mydc/CN={3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8},CN=Policies,CN=System,DC=mycompany,DC=com"
The following example shows the gPCFileSysPath attribute:
LDAP://machinedc/CN={3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8},CN=Policies,CN=System,DC=mycompany,DC=com: 19 set properties.
gPCFileSysPath: \\Test.net\SysVol\mycompany.com\Policies\{3D6FF2C0-1DFC-41A9-AE72-D4502BDA81E8}
Note The EnumProp tool is included in the Windows XP Resource Kit.
- Update the Active Directory Group Policy object to include the Client Side extension in the gPCMachineExtensionNames attribute. To do this automatically in the Group Policy Editor snap-in, follow these steps:
- Use the Group Policy Editor snap-in to modify the Group Policy setting.
- Modify the "Encrypt the Offline Files cache" Group Policy setting.
Note Because the "Encrypt the Offline Files cache" Group Policy setting is now linked to the new CLIENTEXT line in the System.adm file, the Group Policy Editor will automatically update the gPCMachineExtensionNames Active Directory attribute to include the new Client Side extension GUID.
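The mixed states in the table above can be checked before Part 2 begins, in particular the row where the hotfix is installed but the policy does not reference the extension and no encryption occurs. The following PowerShell is an added example, not code from the original article: it classifies a policy and client pair into the table's rows by using the CLIENTEXT GUID and Cscui.dll version from this article; the function names, computer names, placeholder GUIDs, and the older file version are constructed for illustration.

```powershell
# Added example. GUID and fixed version come from the article; all inputs below are constructed.
$CseGuid      = '{C631DF4C-088F-4156-B058-4375F0853CD8}'
$FixedVersion = [version]'5.1.2600.1656'   # Cscui.dll, SP1 branch, per the file table

function Test-AdmClientExt([string]$AdmText) {
    # Isolate the Pol_EncryptOfflineFiles block, then look for its CLIENTEXT line.
    $block = [regex]::Match($AdmText, '(?is)POLICY\s*!!Pol_EncryptOfflineFiles\b.*?END\s+POLICY')
    $block.Success -and ($block.Value -match ('(?m)^\s*CLIENTEXT\s+' + [regex]::Escape($CseGuid)))
}

function Test-GpoExtension([string]$ExtensionNames) {
    # gPCMachineExtensionNames is a string of GUIDs; match ours case-insensitively.
    $ExtensionNames.IndexOf($CseGuid, [StringComparison]::OrdinalIgnoreCase) -ge 0
}

function Get-EncryptCacheState([bool]$AdmOk, [bool]$GpoOk, [version]$CscuiVersion) {
    if ($AdmOk -ne $GpoOk) { return 'Part 1 incomplete: System.adm and the GPO attribute disagree' }
    # Assumption: comparing versions is only meaningful within the SP1 branch listed in the article.
    $hasFix = $CscuiVersion -ge $FixedVersion
    switch ("$AdmOk/$hasFix") {
        'False/False' { 'No hotfix: administrator must be logged on for encryption' }
        'False/True'  { 'NO ENCRYPTION: extension installed but the policy does not reference it' }
        'True/False'  { 'Original code runs: administrator must be logged on for encryption' }
        'True/True'   { 'Hotfix active: encryption runs as a Group Policy extension' }
    }
}

# Constructed System.adm fragment, as it would be read from the gPCFileSysPath location.
$adm = @'
POLICY !!Pol_EncryptOfflineFiles
    VALUENAME "EncryptCache"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    CLIENTEXT {C631DF4C-088F-4156-B058-4375F0853CD8}
END POLICY
'@
# Constructed gPCMachineExtensionNames value; the all-zero GUIDs are placeholders.
$ext = '[{00000000-0000-0000-0000-000000000001}{00000000-0000-0000-0000-000000000002}]' +
       '[{c631df4c-088f-4156-b058-4375f0853cd8}{00000000-0000-0000-0000-000000000002}]'
# Constructed client inventory: computer name -> Cscui.dll file version.
$clients = @{ 'XP-PATCHED' = '5.1.2600.1656'; 'XP-UNPATCHED' = '5.1.2600.1106' }

$admOk = Test-AdmClientExt $adm
$gpoOk = Test-GpoExtension $ext
foreach ($name in $clients.Keys) {
    '{0}: {1}' -f $name, (Get-EncryptCacheState $admOk $gpoOk $clients[$name])
}
```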
Part 2: Deploy the hotfix to your Windows XP-based computers
After you apply this hotfix, you may receive the following error message in the Application log:
18/03/2003 12:46:31 Offline Files Error None 16 N/A LLDN0114233 Encryption of the Offline Files cache failed with error 12.
If you receive this error message after Windows XP restarts, you can safely ignore it.
Every time that Windows restarts, the "Encrypt the Offline Files cache" Group Policy setting determines whether the offline folder cache is encrypted. If the Client Side Caching database is not fully initialized, the policy logs this error message. Because the policy is refreshed at set intervals, you can safely ignore this error message.