0
Vote

Log whether the "do not enroll self-signed certs" feature has been enabled

description

On Windows XP SP3, Windows Vista, Windows 2008 and beyond, there is a setting that allows an Administrator to prevent any future enrollment of self-signed EFS certificates.  This is enabled through a Registry setting (which can also be set through Group Policy).
 
Research:
  • what that Registry setting is
  • which KB article first documented the hotfix for pre-SP3 XP
  • how to determine whether (OS >= XPSP3 | OS >= Vista | OS >= 2008)

comments