3.2.5.1 Receiving Updated Policy

When a client of the Group Policy: Encrypting File System Extension receives an updated collection of settings via the procedure in [MS-GPREG] section 3.2.4.1, it directly accesses the public User-Certificate Binding ADM elements ([MS-EFSR] section 3.1.1.1) and configures them in the following way:

RequireV3Template (Public): If the value of the EfsOptions field (section 2.2.3) is present in the client database and flag 0x00002000 is set, the client MUST set this value to True. Otherwise, this element is not modified.

DisallowV3Template (Public): If the value of the EfsOptions field (section 2.2.3) is present in the client database and flag 0x00001000 is set, the client MUST set this value to True. Otherwise, this element is not modified.

RequireSmartCard (Public): If the value of the EfsOptions field (section 2.2.3) is present in the client database and flag 0x00000100 is set, the client MUST set this value to True. Otherwise, this element is not modified.

TemplateName (Public): If the value of the TemplateName field (section 2.2.5) is present in the client database, the client MUST use the value from the database to set the TemplateName (Public) User-Certificate Binding ADM element ([MS-EFSR] section 3.1.1.1). Otherwise, this element is not modified.

A client of the Group Policy: Encrypting File System Extension also directly accesses the public EFSR Server Control ADM elements ([MS-EFSR] section 3.1.1.2) and configures them in the following way:

EfsDisabled (Public): If the value of the EfsConfiguration field (section 2.2.2) is present in the client database and equal to 0x00000001, the client SHOULD set this value to true. A client implementation MAY<15> use an alternative mechanism for configuring the EfsDisabled public ADM element.
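
The following added example (not part of the specification or any Microsoft implementation) models the rules above to show that a set flag forces an element to True while a cleared or absent field leaves the previous value in place. The `AdmState` class, the `apply_policy` function, the dictionary standing in for the client database, and the sample values are assumptions made for illustration; the alternative mechanism permitted by MAY<15> is not modeled.

```python
from dataclasses import dataclass

# EfsOptions flag values and the EfsConfiguration value, as given in this section.
REQUIRE_V3_TEMPLATE = 0x00002000
DISALLOW_V3_TEMPLATE = 0x00001000
REQUIRE_SMART_CARD = 0x00000100
EFS_DISABLED_VALUE = 0x00000001


@dataclass
class AdmState:
    """Hypothetical in-memory stand-in for the public ADM elements."""
    RequireV3Template: bool = False
    DisallowV3Template: bool = False
    RequireSmartCard: bool = False
    TemplateName: str = ""
    EfsDisabled: bool = False


def apply_policy(db: dict, adm: AdmState) -> AdmState:
    """Apply this section's rules; `db` models the client database (assumption)."""
    options = db.get("EfsOptions")
    if options is not None:
        # A set flag forces True. A clear flag does NOT reset the element.
        if options & REQUIRE_V3_TEMPLATE:
            adm.RequireV3Template = True
        if options & DISALLOW_V3_TEMPLATE:
            adm.DisallowV3Template = True
        if options & REQUIRE_SMART_CARD:
            adm.RequireSmartCard = True
    if "TemplateName" in db:
        adm.TemplateName = db["TemplateName"]
    # EfsConfiguration is compared for equality, not tested as a bit flag.
    if db.get("EfsConfiguration") == EFS_DISABLED_VALUE:
        adm.EfsDisabled = True
    return adm


def demo() -> AdmState:
    """Two policy refreshes with constructed values; the second clears the flags."""
    adm = apply_policy({"EfsOptions": 0x00002100,
                        "TemplateName": "ConstructedTemplate"}, AdmState())
    # Updated policy no longer sets any flag and omits TemplateName.
    return apply_policy({"EfsOptions": 0x00000000}, adm)


if __name__ == "__main__":
    print(demo())
```

When auditing a client, this means the element values reflect every policy refresh applied so far under these rules, not only the most recent EfsOptions value.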