1.3.2 EFS Group Policy Extension Overview
EFS Group Policy settings are accessible from a GPO through the Group Policy: Encrypting File System Extension to the Group Policy: Core Protocol specified in [MS-GPOL]. The extension provides a mechanism for administrative tools to obtain metadata about registry-based settings.
The process of configuring and applying the EFS Group Policy settings consists of the following steps:
An administrator invokes a Group Policy administrative tool to administer a GPO through the Group Policy: Core Protocol using the Policy Administration Protocol, as specified in [MS-GPOL] section 2.2.8. Through this protocol, the presence of the tool extension GUID for computer policy settings for the Group Policy: Encrypting File System Extension in is retrieved, which indicates that the GPO contains policy settings that are administered through the Policy Administration portion of the Group Policy: Encrypting File System Extension.
The administrative tool invokes a plug-in specific to the Group Policy: Encrypting File System Extension so that the administrator can administer the EFS settings, which results in the storage and retrieval of metadata inside a GPO on a Group Policy server. This metadata describes configuration settings to be applied to a generic settings database (the registry in Windows) on a client that is affected by the GPO.
The administrator views the data and updates it as desired.
A client computer affected by that GPO is started (or is connected to the network, if this happens after the client starts), and the Group Policy: Core Protocol is invoked by the client to retrieve policy settings from the Group Policy server. As part of this processing, two GUIDs are read from the GPO: the registry extension's CSE GUID, as specified in [MS-GPREG] section 1.9, and the EFS extension's CSE GUID.
The presence of the registry extension's CSE GUID, as specified in [MS-GPREG] section 1.9, in the GPO instructs the client to invoke a registry extension plug-in component for policy application. This component parses the file of settings and saves them in the generic settings database (registry) on the local machine.
The presence of the EFS extension's CSE GUID in the GPO instructs the client to invoke an EFS extension plug-in component for policy application. This component is not required for the protocol and does not affect the operation of the protocol. Specifically, this component is intended to adjust the internal state of the EFS on the client, and it is not intended to participate in any network communication.
The EFS on the client recognizes that its configuration has been updated and takes the appropriate actions.
This document specifies the behavior of the administrative plug-in mentioned in step 1. The operation of the Group Policy: Core Protocol in step 2 is specified in [MS-GPOL] section 3.2. The process of retrieving the settings in step 3 is specified in [MS-GPREG] section 3.2. Step 4 and step 5 are specific to EFS and are not specified.