2.2.3 EFS Additional Options
Key: Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS
Value: "EfsOptions" or one of the special values in [MS-GPREG] section 3.2.5.1.
Type: REG_DWORD.
Size: Equal to size of the Data field.
The registry value name "EfsOptions" can be replaced with one of the special values in [MS-GPREG] section 3.2.5.1.
Data: A 32-bit value consisting of the bitwise OR of zero or more of the following flags.
Value | Meaning
---|---
0x00000001 | EFS attempts to encrypt the user's Documents folder and its contents.
0x00000002 | When using a smart card to store the user's private key, EFS derives a symmetric key from the private key, caches it in memory, and performs symmetric key operations with it instead of asymmetric key operations with the private and public keys on the smart card.
0x00000004 | EFS permits users to use public keys associated with self-signed certificates for encryption.
0x00000010 | EFS flushes all per-user secrets and keying material from memory after an idle interval as specified in the EFS cache timeout option (see more later in this section). If this flag is supported by an implementation, that implementation MUST also support the cache timeout option described later.
0x00000020 | For users who are logged on to the client interactively, EFS flushes all per-user secrets and keying material from memory whenever the user temporarily locks the session.
0x00000100 | EFS rejects attempts by users to create encrypted files or to encrypt existing files using keys not stored on a smart card.
0x00000200 | This setting is used as a hint to the client to enable encryption of the system page file.
0x00000400 | EFS reminds users to back up their keys each time they change their EFS key.
0x00001000 | EFS disallows the use of ECC keys for user and recovery keys. This flag MUST NOT be specified in combination with 0x00002000. If neither 0x00001000 nor 0x00002000 is specified, then both ECC and RSA keys are permitted.
0x00002000 | EFS requires the use of ECC keys for user and recovery keys. This flag MUST NOT be specified in combination with 0x00001000. If neither 0x00001000 nor 0x00002000 is specified, then both ECC and RSA keys are permitted.
With the exception of flag 0x00000200, an implementation SHOULD<3> support all the flags described in this section. An implementation MAY<4> support flag 0x00000200.
If the client supports this option but the option is not present, the client SHOULD use a default value of 0x00000002 | 0x00000004 | 0x00000010.
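As an added example (not part of the specification or any Microsoft implementation), the following Python decodes an EfsOptions REG_DWORD into the flags above, applies the client default when the value is absent, checks the 0x00001000/0x00002000 exclusion and flags unknown bits, and packs a value into the little-endian 4-byte form a REG_DWORD carries. The flag names are my own labels, not identifiers from the specification.

```python
import struct

# Flag bits from [MS-GPEF] section 2.2.3; the names are descriptive labels
# chosen for this example, not identifiers defined by the specification.
EFS_FLAGS = {
    0x00000001: "ENCRYPT_DOCUMENTS_FOLDER",
    0x00000002: "SMARTCARD_CACHED_SYMMETRIC_KEY",
    0x00000004: "ALLOW_SELF_SIGNED_CERTS",
    0x00000010: "FLUSH_ON_IDLE_TIMEOUT",
    0x00000020: "FLUSH_ON_SESSION_LOCK",
    0x00000100: "REQUIRE_SMARTCARD_KEYS",
    0x00000200: "ENCRYPT_PAGEFILE_HINT",
    0x00000400: "REMIND_KEY_BACKUP",
    0x00001000: "DISALLOW_ECC_KEYS",
    0x00002000: "REQUIRE_ECC_KEYS",
}
NAME_TO_BIT = {name: bit for bit, name in EFS_FLAGS.items()}
KNOWN_MASK = sum(EFS_FLAGS)

# Value a client SHOULD assume when "EfsOptions" is not present.
DEFAULT_EFS_OPTIONS = 0x00000002 | 0x00000004 | 0x00000010


def decode_efs_options(value):
    """Return (flag names, violations) for an EfsOptions value.

    Pass None to model an absent registry value; the client default
    from section 2.2.3 is then applied.
    """
    if value is None:
        value = DEFAULT_EFS_OPTIONS
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("EfsOptions must fit in a 32-bit REG_DWORD")
    names = [name for bit, name in sorted(EFS_FLAGS.items()) if value & bit]
    violations = []
    # 0x00001000 and 0x00002000 MUST NOT be combined.
    if value & 0x00001000 and value & 0x00002000:
        violations.append("0x00001000 and 0x00002000 are mutually exclusive")
    unknown = value & ~KNOWN_MASK & 0xFFFFFFFF
    if unknown:
        violations.append("unknown bits set: 0x%08X" % unknown)
    return names, violations


def encode_efs_options(names):
    """OR the named flags into a 32-bit value; rejects unknown names."""
    value = 0
    for name in names:
        value |= NAME_TO_BIT[name]
    return value


def to_reg_dword(value):
    """Pack a value as the 4-byte little-endian Data field of a REG_DWORD."""
    return struct.pack("<I", value)
```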