EFS certificate type and enrollment
Enabled: You can restrict the EFS certificate type. You can also enable the enrollment of external EFS certificates by specifying the Certification Authority's web address.
1.EFS certificate type: Specify whether you want to allow all certificate types (domain, external and self-signed certificates) or only certain certificate types. This restriction will apply when users are going to enroll or select certificates.
2.Certificate request URL: Enter a CA's certificate request web address to be used for EFS certificate enrollment, e.g. https://www.companyname.com/foldername.
This target path will be used when an EFS certificate is requested from an external Certification Authority (CA).
The certificate request URL is optional. If you do not specifiy a path here, users will not be able to request external EFS certificates. If you want to enable external EFS certificates, then enter a valid path which will be accessible to all Security Platform PC's. Otherwise the EFS certificate enrollment will fail.
Disabled: The EFS certificate type is not restricted. The web adress to be used to retrieve EFS certificates is not set, i.e. users cannot request external EFS certificates.
Notes:
Note that EFS certificates are not only used for EFS, but also for PSD.
While this setting is valid only for EFS certificates (to be used for EFS or PSD), there is also a user policy which is independent of the certificate usage (URL to start from wizard for certificate enrollment).
Default value: Disabled
| Registry Hive | HKEY_CURRENT_USER |
| Registry Path | Software\Policies\Infineon\TPM Software |
| Value Name | EFSCertificateEnrollmentPol |
| Value Type | REG_DWORD |
| Enabled Value | 1 |
| Disabled Value | 0 |
- Allow all types
Registry Hive HKEY_CURRENT_USER Registry Path Software\Policies\Infineon\TPM Software Value Name EFSCertificateTypes Value Type REG_DWORD Value 1 - Allow only domain certificates
Registry Hive HKEY_CURRENT_USER Registry Path Software\Policies\Infineon\TPM Software Value Name EFSCertificateTypes Value Type REG_DWORD Value 2 - Allow only domain and external certificates
Registry Hive HKEY_CURRENT_USER Registry Path Software\Policies\Infineon\TPM Software Value Name EFSCertificateTypes Value Type REG_DWORD Value 3
| Registry Hive | HKEY_CURRENT_USER |
| Registry Path | Software\Policies\Infineon\TPM Software |
| Value Name | EFSCertificateEnrollmentURL |
| Value Type | REG_SZ |
| Default Value |
ifxsppol.admx
- Security Platform
- All Versions Settings
- Allow administrators to retrieve the SRK public key remotely
- Allow administrators to take ownership remotely
- Allow administrators to use platform keys remotely
- Allow reading of unprotected TPM NV memory
- Configure dictionary attack threshold
- Enable stringent password field security
- Enhanced Authentication providers
- Prepare TPM enrollment
- Purge keys when entering energy-saving states
- Previous Product Versions Settings
- Stand-alone Computer Version Settings
- Owner Password
- Allow platform enrollment
- Backup archive location
- Enforce configuration of Backup including Emergency Recovery
- Enforce configuration of Password Reset
- Enforce immediate System Backup
- Use public key of Emergency Recovery Token from archive
- Use public key of Password Reset Token from archive
- All Versions Settings
- Security Platform
- All Versions Settings
- Basic User Passphrase
- Basic User Password
- Allow EFS configuration
- Allow key import for User
- Allow PSD configuration
- Allow secure e-mail configuration
- Allow user to temporarily disable the Security Platform Features
- Control Quick Initialization
- Creation of non-migratable Basic User Key
- EFS certificate expiration warning occurrence
- EFS certificate type and enrollment
- EFS self-signed certificates validity period
- Enable caching of Basic User Password
- Enforce enabling of Password Reset
- Enforce Enhanced Authentication
- Enforce strong private key protection for MS-CAPI signing keys
- File location for Personal Secure Drive
- Minimum free space after PSD creation
- URL to start from wizard for certificate enrollment
- Stand-alone Computer Version Settings
- All Versions Settings