EFS certificate enrollment
I've enabled EFS via Group Policy:

Computer Configuration | Policies | Windows Settings | Security Settings | Public Key Policies/Encrypting File System
  Allow users to encrypt files using Encrypting File System (EFS): Enabled
  Encrypt the contents of the user's Documents folder: Enabled
  EFS template for automatic certificate requests: MyCompanyEFS

On the MyCompanyEFS certificate template I've assigned Read | Enroll | AutoEnroll permission to a user group. When I log on as a user that is a member of this user group, I'm not obtaining my EFS certificate (the certificate request is not even being sent to the CA). What am I missing? Is the setting in the GP not enough? Do I also need to enable autoenrollment?

Thanks,
Paul
June 29th, 2011 4:32pm

You need to enable autoenrollment and be sure to be using Windows Vista or higher.

Brian
June 29th, 2011 6:36pm

Brian,

Thanks for the reply. I've enabled autoenrollment and still no luck. Here are the settings in my GPO:

Computer Configuration | Policies | Windows Settings | Security Settings | Public Key Policies/Encrypting File System
  Allow users to encrypt files using Encrypting File System (EFS): Enabled
  Encrypt the contents of the user's Documents folder: Enabled
  EFS template for automatic certificate requests: MyCompanyEFS

User Configuration | Policies | Windows Settings | Security Settings | Public Key Policies/Certificate Services Client - Auto-Enrollment Settings
  Automatic certificate management: Enabled
  Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates: Enabled
  Update and manage certificates that use certificate templates from Active Directory: Enabled

The permissions on the MyCompanyEFS certificate template are Read | Enroll | AutoEnroll for a user group, and I'm logging into a workstation that is applying this GPO with a user account that is a member of the user group assigned to the template. Any other thoughts? Because EFS is a Computer Configuration setting, do I need to assign the Read | Enroll | AutoEnroll permission to a computer group?

Thanks for your help!
Paul
June 29th, 2011 11:15pm

Brian,

I was able to figure it out. The root cause of the issue was that on the MyCompanyEFS template I had enabled key archival but had not set up the CA to support key archival. Once I updated the template to not "archive the subject's encryption private key", the certificate was issued. (My next test will be to enable the CA for archival.)

What I also determined, though, is that autoenrollment is not required to be enabled for the user. The only requirements are:

EFSGPO | Computer Configuration | Policies | Windows Settings | Security Settings | Public Key Policies/Encrypting File System
  Allow users to encrypt files using Encrypting File System (EFS): Enabled
  Encrypt the contents of the user's Documents folder: Enabled
  EFS template for automatic certificate requests: MyCompanyEFS

Read | Enroll | AutoEnroll permission on the MyCompanyEFS template.

Log in to a computer that will apply the EFSGPO | Computer Configuration settings, with a user account that has access to the MyCompanyEFS template, and it all works.

Thanks for all your help.

Regards,
Paul
June 30th, 2011 8:01pm
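As an added example (not part of the thread, and not Microsoft's own tooling), the following PowerShell check covers the three things Paul walked through: whether the logged-on user actually received an EFS-capable certificate, whether the MyCompanyEFS template still requires private key archival, and whether the issuing CA has a Key Recovery Agent certificate loaded. The template name is the one from the thread; the CA config string is a placeholder you must replace.

```powershell
# Added EFS autoenrollment diagnostic. Assumptions: template name from the
# thread, a placeholder CA config string, run as the affected user on a
# domain-joined workstation where certutil is available.
$TemplateName = 'MyCompanyEFS'
$CAConfig     = 'CA-SERVER.example.com\Example-Issuing-CA'   # placeholder, replace
$EfsEkuOid    = '1.3.6.1.4.1.311.10.3.4'                     # Encrypting File System EKU

# 1. Does the current user already hold a certificate with the EFS EKU?
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid }

# 2. Read the template object from the Configuration partition and check
#    bit 0x1 of msPKI-Private-Key-Flag (CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL),
#    which is the "Archive subject's encryption private key" checkbox.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tmplPath = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tmpl     = [ADSI]$tmplPath
$pkFlags  = [int]$tmpl.Properties['msPKI-Private-Key-Flag'].Value
$requiresArchival = (($pkFlags -band 0x1) -ne 0)
$templateHasEfsEku = ($tmpl.Properties['pKIExtendedKeyUsage'].Value -contains $EfsEkuOid)

# 3. Does the CA have any KRA certificates registered? Archival-required
#    templates fail at enrollment time if this is zero.
$kraLine  = certutil -config $CAConfig -getreg CA\KRACertCount 2>&1 |
    Select-String 'KRACertCount.*=\s*(\d+)'
$kraCount = if ($kraLine) { [int]$kraLine.Matches[0].Groups[1].Value } else { -1 }

[pscustomobject]@{
    UserHasEfsCert        = ($efsCerts.Count -gt 0)
    EfsCertThumbprints    = ($efsCerts.Thumbprint -join ', ')
    TemplateHasEfsEku     = $templateHasEfsEku
    TemplateRequiresKRA   = $requiresArchival
    CaKraCertCount        = $kraCount          # -1 means certutil query failed
    ArchivalMisconfigured = ($requiresArchival -and $kraCount -le 0)
}
```

If ArchivalMisconfigured is true you are in exactly the state described in the thread: the template demands archival but the CA has no KRA, so the request never produces a certificate.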
