As part of the local administrator's initial logon, a default recovery policy is set up on each stand-alone computer. This policy makes the local administrator the default recovery agent for the computer.
To change this policy:
1. Click Start, click Run, and type MMC in the Open box. Click OK.
2. Click Console, click Add/Remove Snap-In. Click Add.
3. Click Group Policy and click Add.
4. Accept the default of Local Computer and click Finish. Click Close and click OK.
5. Click the + next to Local Computer Policy to expand it. In the same way, expand Computer Configuration, Windows Settings, Security Settings, Public Key Policies, and then click Encrypted Data Recovery Agents. The screen should look something like the one below.
6. There is a self-signed Administrator certificate in the policy. This makes the local administrator account the default recovery agent. If this certificate is deleted, there will be an empty recovery policy, which turns EFS off. EFS does not allow encryption of data if there are no recovery agents set up.
7. To protect the recovery key associated with this certificate, click Console, and click Add/Remove Snap-In. Click Add.
8. Click Certificates, and click Add. Click Current User. Click Finish. Click Close. Click OK.
9. Click the + next to Certificates - Current User. In the same way, expand the Personal folder. Click Certificates in the left pane.
10. Click Administrator in the right pane and scroll to Intended Purposes. This should be set to File Recovery. Use the procedure in the subsection "Restoring Files to a Different Computer" to export the certificate and private key in a .pfx file.
11. After creating the .pfx file, delete the certificate and the private key associated with it from the Personal store. This ensures that the only copy of the key is in the .pfx file. To do so, click Administrator in the right pane and then click the red X on the toolbar. There will be a warning message saying that the user will not be able to decrypt data encrypted using this certificate. Click Yes to continue.
12. Secure the .pfx file in a safe or locked cabinet. This file should be used only when a file needs to be recovered.
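Steps 8 through 11 (find the recovery agent certificate in the Current User Personal store, export it with its private key to a .pfx, then delete it from the store) can be done without the MMC. The following PowerShell script is an added example, not part of the original guide, and assumes a Windows version that ships the PKI module (Export-PfxCertificate and Get-PfxData, i.e. Windows 8 / Server 2012 or later), that it runs under the recovery agent account, and a hypothetical output path of E:\recovery-agent.pfx. It identifies the certificate by the EFS File Recovery enhanced key usage rather than by the display name, and verifies the .pfx before removing anything from the store.

```powershell
# Added example (not from the original guide): export the EFS recovery agent
# certificate and private key to a password-protected .pfx, verify the export,
# then remove the certificate and key from the Personal store so the .pfx is
# the only copy. Assumes the PKI module is available (Windows 8 / Server 2012
# or later) and that this runs as the recovery agent account.

# EFS "File Recovery" enhanced key usage OID (what the MMC shows under
# Intended Purposes as "File Recovery")
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
# Hypothetical output path; use removable media that goes into the safe
$PfxPath = 'E:\recovery-agent.pfx'

# Step 8/10 equivalent: look in the Current User Personal store for a
# certificate that carries the File Recovery purpose and has a private key.
$agentCerts = @(Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryOid)
    })

if ($agentCerts.Count -eq 0) {
    throw 'No File Recovery certificate with a private key was found in Cert:\CurrentUser\My.'
}
if ($agentCerts.Count -gt 1) {
    $agentCerts | Format-List Subject, Thumbprint, NotAfter
    throw 'More than one File Recovery certificate found; select one by thumbprint before exporting.'
}
$cert = $agentCerts[0]

Write-Host "Exporting recovery agent certificate $($cert.Thumbprint) ($($cert.Subject))"
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
# Export-PfxCertificate fails if the private key is not exportable, so a
# successful call means the key is in the file.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# Verify the .pfx contains the same certificate before touching the store.
$pfx = Get-PfxData -FilePath $PfxPath -Password $pfxPassword
$exported = $pfx.EndEntityCertificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $exported) {
    throw 'Export verification failed; the certificate and key remain in the store.'
}

# Step 11 equivalent: delete the certificate and its private key from the
# Personal store. -DeleteKey removes the key container as well as the entry,
# which is what the MMC warning about no longer being able to decrypt refers to.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
Write-Host "Certificate removed from the store; $PfxPath is now the only copy."
```

After the script completes, the Certificates - Current User snap-in no longer lists the Administrator certificate, and the Encrypted Data Recovery Agents policy still references it, so EFS stays enabled while the recovery key lives only on the media that goes into the safe (step 12). For the domain case described below, the same script applies when run as the domain Administrator on the first domain controller.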
Securing the Default Recovery Key for the Domain: As with the stand-alone computer, a default recovery policy is configured for the domain when the first domain controller is set up. The default recovery policy uses a self-signed certificate to make the domain Administrator account the recovery agent.
Note: To change the default, log on as Administrator on the first domain controller of the domain, and follow the steps above to secure the recovery key for the domain.