Windows 10 – Resolve EFS-Encrypted Files Warning When Creating Admin Password

Tags: passwords, windows, windows 10

I have a personal Windows 10 Laptop which runs

Edition Windows 10 Home Single Language
Version 21H2
Installed on    11-04-2021
OS build    19044.2006
Experience  Windows Feature Experience Pack 120.2212.4180.0

From the beginning, I have been running it with an Admin Level local user, which is not password protected. Now I am planning to give the laptop to some vendors, so I wanted to set a password for this user & give a 2nd standard user password to the repair guy.

When I try to create a password for my original user, I get the following scary message:


What exactly does this mean? Will I lose all the cached passwords on my Firefox Browser? Or Edge? or what?

Best Answer

Technically – you will lose everything that was protected using Windows' Data Protection API (DPAPI), which would use your login password to unlock the master encryption key. Examples:

  • Everything in the "Credential Manager" Control Panel section is protected using DPAPI. (However, the "Web Credentials" subsection there is pretty much just Internet Explorer – it is not used by Chrome/Edge nor Firefox, both of which use their own databases.)

  • Certificates in certmgr.msc are also DPAPI-protected, which might include certificates used to connect to your work VPN, or the certificate used for EFS file encryption. (EFS is the "Encrypt this file" checkbox in a file's Properties dialog.)

  • Chrome/Edge do use DPAPI to protect their stored password databases, but someone has said earlier that they use "machine scope" protection which isn't tied to your Windows account personally.

    Firefox/Mozilla do not use DPAPI as far as I know, but this may change in the future.

  • The software-based "Windows Hello" WebAuthn token most likely uses DPAPI.

  • The ssh-agent component of OpenSSH for Windows uses DPAPI to protect the SSH private keys that were loaded using ssh-add.

  • Dropbox encrypts its entire configuration file using DPAPI – you will not lose your files, but you will need to re-login and re-setup sync (and wait for it to reindex everything).

But you can avoid all of this by not going through the administrative password reset feature. Instead have the user change their own password – that is, you need to log in as the user whose password you want to change, then hit Ctrl+Alt+Del and use the "Change a password" option. In this mode, both the old and new passwords are provided to the OS so it can properly re-encrypt the DPAPI master keys.
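The following PowerShell script is an added illustration of the answer's point about DPAPI scopes; it is not part of the original question or answer. It protects a constructed sample secret once under the user scope (tied to the logon password, so an administrative reset makes it unreadable) and once under the machine scope (the kind the answer says Chrome/Edge are reported to use, which survives a reset), and it lists the per-user master-key store that a reset orphans. The `Test-DpapiBlob` function name and the sample strings are my own; the .NET `ProtectedData` class, the `%APPDATA%\Microsoft\Protect` path and the `cipher.exe` switches are standard Windows components.

```powershell
# Added example, not from the original post: demonstrates the two DPAPI scopes
# the answer describes, using the .NET wrapper over CryptProtectData/CryptUnprotectData.
Add-Type -AssemblyName System.Security

# Constructed sample input; replace with anything you like.
$secret  = [Text.Encoding]::UTF8.GetBytes('constructed sample secret')
$entropy = [Text.Encoding]::UTF8.GetBytes('constructed optional entropy')

# CurrentUser scope: the master key is wrapped with material derived from the
# user's logon password. An administrative reset (lusrmgr / "Set password")
# changes that password without the old one, so the key can no longer be unwrapped.
$userBlob    = [Security.Cryptography.ProtectedData]::Protect($secret, $entropy, 'CurrentUser')

# LocalMachine scope: key material is tied to the machine, not the account,
# so it keeps working after a password reset (and is readable by other local users).
$machineBlob = [Security.Cryptography.ProtectedData]::Protect($secret, $entropy, 'LocalMachine')

# Hypothetical helper: attempt to unprotect a blob and report success or failure
# instead of throwing, so both scopes can be checked in one run.
function Test-DpapiBlob {
    param(
        [Parameter(Mandatory)][byte[]] $Blob,
        [Parameter(Mandatory)][byte[]] $Entropy,
        [Parameter(Mandatory)][ValidateSet('CurrentUser','LocalMachine')][string] $Scope
    )
    try {
        $plain = [Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $Scope)
        return 'OK: ' + [Text.Encoding]::UTF8.GetString($plain)
    } catch [Security.Cryptography.CryptographicException] {
        return 'UNREADABLE: ' + $_.Exception.Message
    }
}

"CurrentUser  -> " + (Test-DpapiBlob -Blob $userBlob    -Entropy $entropy -Scope CurrentUser)
"LocalMachine -> " + (Test-DpapiBlob -Blob $machineBlob -Entropy $entropy -Scope LocalMachine)

# The per-user master keys live here (hidden files, one GUID-named file per key,
# plus a "Preferred" pointer). These are what a Ctrl+Alt+Del password change
# re-encrypts and what an administrative reset leaves behind unreadable.
Get-ChildItem -Path (Join-Path $env:APPDATA 'Microsoft\Protect') -Recurse -Force |
    Select-Object FullName, Length, LastWriteTime

# Inventory EFS-encrypted files before touching the account, using the built-in
# cipher.exe: /U touches every encrypted file on local drives, /N suppresses the
# key update so it only reports, /H includes hidden and system files.
cipher.exe /u /n /h
```

To see the difference the answer describes, run the script on a test account, save `$userBlob` and `$machineBlob` to disk, reset that account's password from an administrator account, log back in and call `Test-DpapiBlob` on both blobs: the CurrentUser blob reports UNREADABLE while the LocalMachine blob still decrypts. Changing the password through Ctrl+Alt+Del instead leaves both readable, because the OS has the old password and re-wraps the master keys under the new one.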