3.1.4 Higher-Layer Triggered Events

The EFS Group Policy administrative plug-in is invoked when an administrator launches the user interface for editing Group Policy settings. The plug-in displays the current settings to the administrator, and when the administrator requests a change in settings, it updates the stored configuration appropriately as specified in section 2.2, after performing additional checks and actions as noted in this section.

When the administrator requests an update of the EFS recovery policy, the administrative plug-in MUST also create or update the EfsBlob entry as specified in section 2.2.1.

The administrative plug-in SHOULD<11> take measures in its UI to ensure that the user cannot unknowingly set the EFS user template name to an invalid value. If the implementation supports the flag requiring smart cards for EFS (specified in section 2.2.3) and if that option is configured to require smart cards for EFS, the administrative plug-in SHOULD ensure that this template is compatible with smart cards.

Implementations SHOULD<12> prevent users from configuring very low values for the EFS self-signed certificate key length (as specified in section 2.2.6), as short keys are insecure. Implementations can also restrict the maximum key length permitted.