6 Appendix A: Product Behavior
The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.
Windows 2000 operating system
Windows XP operating system
Windows Server 2003 operating system
Windows Server 2003 R2 operating system
Windows Vista operating system
Windows Server 2008 operating system
Windows 7 operating system
Windows Server 2008 R2 operating system
Windows 8 operating system
Windows Server 2012 operating system
Windows 8.1 operating system
Windows Server 2012 R2 operating system
Windows 10 operating system
Windows Server 2016 operating system
Windows Server 2019 operating system
Windows Server 2022 operating system
Windows 11 operating system
Windows Server 2025 operating system
Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.
Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.
<1> Section 2.2.1.2.2: Windows adds the SID whenever a user manually creates a certificate and key. When the DRA is created automatically as specified in section 3.1.7, no SID is added.
<2> Section 2.2.2: This setting is not supported in Windows 2000.
<3> Section 2.2.3: Windows Vista and Windows Server 2008 support only flags 0x00000001 through 0x00000400.
<4> Section 2.2.3: Windows Vista and Windows Server 2008 use flag 0x00000200 to enable encryption of the system page file by NTFS to avoid the security implications of unintended information transfer through old page file contents. The symmetric key for the encrypted page file is kept in memory at all times, effectively ensuring that the page file becomes unreadable when the system is powered off.
<5> Section 2.2.4: If CacheTimeout is set to a value less than 5 minutes, Windows behaves as though it were set to 5 minutes. If CacheTimeout is set to a value greater than 10080 minutes (1 week), Windows behaves as though it were set to 10080 minutes (1 week).
<6> Section 2.2.5: This field is not supported in Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2.
<7> Section 2.2.6: If RSAKeyLength is set to a value less than 1024 or greater than 16384, Windows ignores that value and behaves as if RSAKeyLength were set to the default of 2048.
<8> Section 2.2.6: This field is not supported in Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2.
<9> Section 2.2.7: This field is not supported in Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, and Windows Server 2008.
<10> Section 3.1.1: The EFS configuration data is stored in registry keys of the managed computer as described in section 2.2.1 and its subsections. Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, and Windows Server 2008 used code within LSA to handle this configuration data, and that code left a copy of the configuration data in the LSA policy database, from which it can be read using LSAD [MS-LSAD]. Windows does not use LSAD over the wire to access this data. Specifically, in these Windows releases the following behavior applies:
The "Encrypting File System (EFS) Policy Information" specified in [MS-LSAD] section 3.1.1.1 is updated to match the EfsBlob value (specified in section 2.2.1.2).
The Windows EFS reads the "Encrypting File System (EFS) Policy Information" from the Local Security Authority store (as specified in [MS-LSAD]) on the local machine.
This use of LSA was never necessary and is only available in Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, and Windows Server 2008.
<11> Section 3.1.4: Windows queries Active Directory to obtain a list of available certificate templates and filters out those that are not suitable for use with EFS. The user is then asked to choose among the remaining templates.
<12> Section 3.1.4: Windows requires this value to be a power of 2 between 1024 and 16384, inclusive.
<13> Section 3.1.7: The first time an administrator logs on to a domain controller after domain creation, Windows creates a DRA by generating a certificate and key for that administrator. It then updates the default domain policy Group Policy Object (GPO) by writing the certificate into the EFS recovery policy as specified in section 2.2.1. This implementation-specific update to the default domain policy is identified by the tool extension GUID (specified in section 1.9) in the GPO attribute gPCMachineExtensionNames.
This update to the Default Domain Policy follows the same sequence of events as the "registry.pol" update sequence defined in section 3.1.5, except that in Steps 2 and 3 the Administered GPO is set to the Default Domain Policy GPO and the "TOOL GUID" is set to the Tool extension GUID (default domain policy settings) specified in section 1.9.
<14> Section 3.2.4.1: Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, and Windows Server 2008 register an EFS extension plug-in component.
<15> Section 3.2.5.1: The Windows 2000 implementation configures the EfsDisabled ADM element in the following way:
If the EFS Recovery Policy (section 2.2.1) is not present in the client database (that is, no recovery policy is defined), or is present but the number of keys under the Certificates subkey defined in section 2.2.1.1 is zero (that is, the recovery policy is empty), then the client sets the EfsDisabled ADM element value to true.
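As an added example (not part of the specification or of Windows code), the following Python encodes the value-handling rules from footnotes <5>, <7> and <12> and the Windows 2000 EfsDisabled rule from footnote <15> as checkable functions; the constant names and the dict model of the recovery-policy registry key are assumptions made for illustration.

```python
"""Encodes the value-normalization and EfsDisabled rules from MS-GPEF
Appendix A footnotes <5>, <7>, <12> and <15> as checkable functions.
Constructed example code, not Microsoft's implementation; the constant
names and the in-memory representation of the recovery policy are
assumptions for illustration."""
from typing import Mapping, Optional

CACHE_TIMEOUT_MIN = 5          # minutes; footnote <5>
CACHE_TIMEOUT_MAX = 10080      # minutes (1 week); footnote <5>
RSA_KEY_LENGTH_MIN = 1024      # footnotes <7> and <12>
RSA_KEY_LENGTH_MAX = 16384
RSA_KEY_LENGTH_DEFAULT = 2048  # footnote <7>


def effective_cache_timeout(minutes: int) -> int:
    """Footnote <5>: the client behaves as if CacheTimeout were clamped into [5, 10080]."""
    return max(CACHE_TIMEOUT_MIN, min(minutes, CACHE_TIMEOUT_MAX))


def effective_rsa_key_length(value: int) -> int:
    """Footnote <7>: an out-of-range RSAKeyLength is ignored by the client and
    the default of 2048 is used instead (note: ignored, not clamped)."""
    if RSA_KEY_LENGTH_MIN <= value <= RSA_KEY_LENGTH_MAX:
        return value
    return RSA_KEY_LENGTH_DEFAULT


def admin_tool_accepts_rsa_key_length(value: int) -> bool:
    """Footnote <12>: the administrative tool (section 3.1.4) accepts only a
    power of 2 between 1024 and 16384 inclusive, which is stricter than the
    client-side rule in effective_rsa_key_length."""
    in_range = RSA_KEY_LENGTH_MIN <= value <= RSA_KEY_LENGTH_MAX
    power_of_two = value > 0 and (value & (value - 1)) == 0
    return in_range and power_of_two


def efs_disabled_windows2000(recovery_policy: Optional[Mapping[str, Mapping]]) -> bool:
    """Footnote <15>: Windows 2000 sets EfsDisabled to true when the recovery
    policy key is absent, or present with zero keys under its Certificates
    subkey. `recovery_policy` models the registry key as a dict of subkey
    name -> subkey contents (assumed representation; a missing Certificates
    subkey is treated here as having zero keys)."""
    if recovery_policy is None:
        return True                      # no recovery policy defined
    certificates = recovery_policy.get("Certificates", {})
    return len(certificates) == 0        # recovery policy is empty
```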