PKI 2008 Enterprise Implementation - Basic EFS question
Hi all, I am implementing a PKI solution and I would like to get some advice as to how to stop any already existing EFS users from obtaining a basic EFS certificate from our new 2008 enterprise CA. I have read numerous articles about this (some not so re-assuring re: XP clients) and would like a definitive answer as to keeping all users independent of the new CA.

1) Should I delete the basic EFS certificate from AD and/or the custom certificate from the CA manager?
2) Deny or remove 'enroll' from the custom certificate for domain users?
3) If I delete the custom basic EFS template, can I later re-instate it easily?
4) If a user has automatically obtained a basic EFS cert, can I revoke this to have them use their self-signed cert once again?

Any help is really appreciated!

Cheers,
Dean
September 28th, 2011 1:45pm

1) The best way is to remove the template from the CA. Open the Certification Authority MMC snap-in, expand the CA node and select Certificate Templates. Select the Basic EFS template and click Delete. This operation removes it from the CA template list only. The template will still remain in AD.

4) You can revoke existing EFS certificates.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
September 28th, 2011 2:27pm
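
The two steps from the answer above (unpublishing Basic EFS from the CA, then revoking what was already issued) can also be done from the command line. This is an added example, not part of the original thread; it assumes an elevated PowerShell session on the CA server and that the template is the built-in version 1 Basic EFS template, whose internal name is EFS.

```powershell
# Added example: run in an elevated session on the issuing CA.
# Assumption: "EFS" is the internal name of the built-in "Basic EFS" template.
$TemplateName = 'EFS'

# 1. Is the template currently published on this CA?
#    certutil -CATemplates prints one "Name: Display Name -- ..." line per template.
$published = certutil -CATemplates |
    Where-Object { $_ -match "^$([regex]::Escape($TemplateName))\s*:" }

if ($published) {
    # 2. Unpublish it. Same effect as Delete under Certificate Templates in the
    #    Certification Authority snap-in: only the CA's issuing list changes,
    #    the template object itself stays in AD and can be published again.
    certutil -SetCATemplates "-$TemplateName"
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -SetCATemplates failed with exit code $LASTEXITCODE"
    }
}
else {
    Write-Host "Template '$TemplateName' is not published on this CA."
}

# 3. List certificates this CA has already issued from the template
#    (Disposition 20 = issued), so you know what there is to revoke.
certutil -view `
    -restrict "CertificateTemplate=$TemplateName,Disposition=20" `
    -out "SerialNumber,RequesterName,NotAfter"

# 4. Revoke each unwanted certificate by serial number, then publish a new CRL.
#    <SerialNumber> is a placeholder taken from the listing in step 3;
#    reason code 5 = cessation of operation.
# certutil -revoke <SerialNumber> 5
# certutil -CRL
```

Step 4 is left commented out so the listing from step 3 can be reviewed before anything is revoked.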

Thanks for the quick response mate! Dean
September 28th, 2011 2:36pm

This topic is archived. No further replies will be accepted.
