If you have ever used the EFS file system to easily encrypt data on a computer running Windows or a server running Windows Server, you may already know that it's possible to easily add an "Encrypt" or "Decrypt" option. in the context menu.
To do this, simply add a DWORD value to a specific location on your computer or server.
Given that in business, all your computers and servers are generally linked to an Active Directory domain, you can easily add this option to them by modifying the "Default Domain Policy" group policy object.
In the Group Policy Management Editor, go to : Computer Configuration -> Preferences -> Windows Settings -> Registry.
Then, right click "New -> Registry Item" on the right side.
In the "New Registry Properties" window that appears, select "Hive : HKEY_LOCAL_MACHINE", then click the "..." button.
A "Registry Browser" window appears.
Go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" and select the "Advanced" folder.
Then, click Select.
Then, specify :
In the "Common" tab, you can check the "Apply once and do not reapply" box to avoid reapplying this setting unnecessarily each time the policy is updated (including when starting the computer or the server).
The newly added data appears.
As explained previously, your users need a certificate (based on the "Basic EFS v2" template in our case) to be able to encrypt and decrypt data on a computer or server.
If you don't configure auto-enrollment, the certificate will be requested from your CA when your users attempt to encrypt data for the 1st time.
In this case, there will be a slight delay between the time they attempt to encrypt a file and the time it's actually encrypted (you will see this by the yellow icon that will appear on it or by its name which will become green on previous versions of Windows).
To avoid this slight delay, and to also make it easier to share encrypted files through EFS, you will need to enable auto-enrollment of these certificates.
To do this, go to "User Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies" and double click on : Certificate Services Client - Auto-Enrollment.
By default, this setting is not configured.
Select "Configuration Model : Enabled" to enable the automatic enrollment of user certificates and check the first 2 boxes :
The other options allow you to log events when certificates are about to expire, as well as display expiration notifications to the user when the lifetime drops below 10% if the last box "Display user notifications ..." is also checked.
For the user certificate to be enrolled (issued) automatically from your certification authority, the policy of your computer or server must be updated for the "User" part.
To do this, just open a session for this user or close it and reopen it if it was already open before you configured the above settings.
Alternatively, you can also force the user policy update by opening a command prompt, then running the command :
Then, launch the "mmc" console.
Note : you can also launch the "certmgr.msc" file directly to see the user's certificates.
In the "mmc" console that appears, go to : File -> Add/Remove Snap-in.
Select the "Certificates" component and click Add.
By default, the "Certificates" component will be added for the current user.
Note : if you have administrator rights on the current computer or server, the "mmc" console will ask you if you want to add it for your user account, for a service account or for a computer account.
Select the "My user account" option.
Go to "Certificates - Current User -> Personal -> Certificates" and you will see your user certificate appear.
If you double click on this certificate, you will see that this one :
If you go to the "Details" tab, you will be able to see the serial number of this certificate.
This serial number will allow you later to easily check if certificate roaming works correctly in your case when this feature is enabled.
If you select the "Public Key" field, you will be able to see the public key of this certificate.
This public key is the one that will be used by this user to decrypt (and therefore also read) the data that he has encrypted with his private key.
If you select the "Certificate Template Information" field, you will see that the template used is not a standard template, but a custom certificate template.
Hence the fact that a unique identifier appears instead of the name of the template.
Note that in some cases, the name of the custom certificate template may also appear here.
If you select the "Application Policies" field, you will see that this certificate will be used for the Encrypting File System.
If you select the "Subject Alternative Name" field, you will see that the user's principal name will appear.
Windows Server 11/3/2023
Windows Server 11/24/2023
Windows Server 10/20/2023
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.