Partager via


2.2.3 EFS Additional Options

Key: Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS

Value: "EfsOptions" or one of the special values in [MS-GPREG] section 3.2.5.1.

Type: REG_DWORD.

Size: Equal to size of the Data field.

The registry value name "EfsOptions" can be replaced with one of the special values in [MS-GPREG] section 3.2.5.1.

Data: A 32-bit value consisting of the bitwise OR of zero or more of the following flags.

 Value

 Meaning

0x00000001

EFS attempts to encrypt the user's Documents folder and its contents.

0x00000002

When using a smart card to store the user's private key, EFS derives a symmetric key from the private key, caches it in memory, and performs symmetric key operations with it instead of asymmetric key operations with the private and public keys on the smart card.

0x00000004

EFS permits users to use public keys associated with self-signed certificates for encryption.

0x00000010

EFS flushes all per-user secrets and keying material from memory after an idle interval as specified in the EFS cache timeout option (see more later in this section). If this flag is supported by an implementation, that implementation MUST also support the cache timeout option described later.

0x00000020

For users who are logged on to the client interactively, EFS flushes all per-user secrets and keying material from memory whenever the user temporarily locks the session.

0x00000100

EFS rejects attempts by users to create encrypted files or to encrypt existing files using keys not stored on a smart card.

0x00000200

This setting is used as a hint to the client to enable encryption of the system page file.

0x00000400

EFS reminds users to back up their keys each time they change their EFS key.

0x00001000

EFS disallows the use of ECC keys for user and recovery keys. This flag MUST NOT be specified in combination with 0x00002000. If neither 0x00001000 nor 0x00002000 is specified, then both  ECC and RSA keys are permitted.

0x00002000

EFS requires the use of ECC keys for user and recovery keys. This flag MUST NOT be specified in combination with 0x00001000. If neither 0x00001000 nor 0x00002000 is specified, then both ECC and RSA keys are permitted.

With the exception of flag 0x00000200, an implementation SHOULD<3> support all the flags described in this section. An implementation MAY<4> support flag 0x00000200.

If the client supports this option but the option is not present, the client SHOULD use a default value of 0x00000002 | 0x00000004 | 0x00000010.