EFS certificate enrollment
I've enabled EFS via Group Policy:
Computer Configuration | Policies | Windows Settings | Security Settings | Public Key Policies/Encrypting File System
Allow users to encrypt files using Encrypting File System (EFS): Enabled
Encrypt the contents of the user's Documents folder: Enabled
EFS template for automatic certificate requests: MyCompanyEFS
On the MyCompanyEFS Certificate template I've assigned Read | Enroll | AutoEnroll permission to a user group. When I log on as a user that is a member of this user group, I'm not obtaining my EFS certificate (the certificate request is not even being sent to the CA). What am I missing? Is the setting in the GP not enough? Do I also need to enable autoenrollment?
Thanks,
Paul
June 29th, 2011 4:32pm
You need to enable autoenrollment and be sure to be using Windows Vista or higher
Brian
June 29th, 2011 6:36pm
Brian,
Thanks for the reply. I've enabled autoenrollment and still no luck. Here are the settings in my GPO:
Computer Configuration | Policies | Windows Settings | Security Settings | Public Key Policies/Encrypting File System
Allow users to encrypt files using Encrypting File System (EFS): Enabled
Encrypt the contents of the user's Documents folder: Enabled
EFS template for automatic certificate requests: MyCompanyEFS
User Configuration | Policies | Windows Settings | Security Settings | Public Key Policies/Certificate Services Client - Auto-Enrollment Settings
Automatic certificate management Enabled
Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates Enabled
Update and manage certificates that use certificate templates from Active Directory Enabled
The permissions on the MyCompanyEFS Certificate template are Read | Enroll | AutoEnroll permission to a user group, and I'm logging into a workstation that is applying this GPO with a user account that is a member of the user group assigned to the template.
Any other thoughts? Because EFS is a Computer Configuration setting, do I need to assign the Read | Enroll | AutoEnroll permission to a computer group?
Thanks for your help!
Paul
June 29th, 2011 11:15pm
Brian,
I was able to figure it out. The root cause of the issue was that on the MyCompanyEFS Template I enabled key archive but did not set up the CA to support key archive. Once I updated the template to not "archive the subject's encryption private key" the certificate was issued. (My next test will be to enable the CA for archive.)
What I also determined though is that autoenrollment is not required to be enabled for the user. The only requirements are:
EFSGPO | Computer Configuration | Policies | Windows Settings | Security Settings | Public Key Policies/Encrypting File System
Allow users to encrypt files using Encrypting File System (EFS): Enabled
Encrypt the contents of the user's Documents folder: Enabled
EFS template for automatic certificate requests: MyCompanyEFS
Read | Enroll | AutoEnroll permission on the MyCompanyEFS template.
Log in to a computer that will apply the EFSGPO | Computer Configuration settings, with a user account that has access to the MyCompanyEFS template, and it all works.
Thanks for all your help.
Regards,
Paul
June 30th, 2011 8:01pm
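Added example, not from the thread or from Microsoft: a PowerShell check for the mismatch Paul describes above, a template that requires private key archival issued by a CA that has no KRA certificate loaded. It assumes the ActiveDirectory module and certutil.exe are available, and the CA config string below is a placeholder you replace with your own.

```powershell
# Hypothetical helper (added example): detect an EFS template that requires key
# archival on a CA that cannot archive, which blocks autoenrollment silently.
param(
    [string]$TemplateName = 'MyCompanyEFS',                        # template named in the thread
    [string]$CAConfig     = 'CAHOST.example.local\Example-Issuing-CA'  # placeholder, replace
)
Import-Module ActiveDirectory

# 1. Read the template object from the Configuration partition of AD.
$configNC = (Get-ADRootDSE).configurationNamingContext
$searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tmpl = Get-ADObject -SearchBase $searchBase -Filter { cn -eq $TemplateName } `
    -Properties 'msPKI-Private-Key-Flag'
if (-not $tmpl) { throw "Template '$TemplateName' not found under $searchBase" }

# CTPRIVATEKEY_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001 in msPKI-Private-Key-Flag.
# This bit is what the GUI option "Archive subject's encryption private key" sets.
$requiresArchival = ([int]$tmpl.'msPKI-Private-Key-Flag' -band 0x1) -ne 0

# 2. Ask the CA how many KRA certificates it has loaded (0 means archival is unsupported).
$regOut = (certutil -config $CAConfig -getreg CA\KRACertCount) -join "`n"
$kraCount = 0
if ($regOut -match 'REG_DWORD\s*=\s*(\d+)') { $kraCount = [int]$Matches[1] }

# 3. Report the combination that caused the thread's failure.
[pscustomobject]@{
    Template          = $TemplateName
    RequiresArchival  = $requiresArchival
    CA                = $CAConfig
    KRACertCount      = $kraCount
    AutoenrollBlocked = ($requiresArchival -and $kraCount -eq 0)
}
if ($requiresArchival -and $kraCount -eq 0) {
    Write-Warning "Template '$TemplateName' requires key archival but CA '$CAConfig' has no KRA certificate; either configure a KRA on the CA or clear the archival flag on the template."
}
```

Run it as a user who can read the CA configuration; the AutoenrollBlocked field is true in exactly the state Paul describes before his fix.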