Certificate Authority issuing Basic EFS certificates without Autoenroll

certificate, certificate-authority

We have observed some puzzling behavior from the CAs we have set up in both the past and present. For some reason unknown to us, it seems that our CAs are randomly issuing "Basic EFS" certificates to our users. This is evident through the "Issued Certificates" log on the CA. I personally set up a CA yesterday, and the instant that I installed certificate services it started dishing out Basic EFS certs to our users. They seem to be issued at random times: 1:51am, 2:20am, then 7:54am, then 8:03am… etc

I looked at the certificate template for Basic EFS and there isn't even an option for Autoenrollment, so I'm seriously in a state of "WTF?!"…

Can anyone clue me in as to why my CA has a mind of its own? Do CAs tend to become self-aware and lash out at their owners? Please help…

EDIT:

OK, so I did some digging and it appears that all users have Enroll permission. I highly doubt all these users are explicitly requesting these certificates. There must be some service running on their computers that is performing the Enroll. Can anyone verify this?

Best Answer

Well, I think I found the answer all on my own. When users attempt to encrypt a file or folder, their computer looks for a certificate to perform the encryption with. If they do not have a valid certificate to encrypt with, their computer looks for a CA that will issue them a Basic EFS certificate. If no CA exists, then their computer will create its own self-signed Basic EFS certificate.

I'm paraphrasing Microsoft's explanation, which can be found here.
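The following PowerShell is an added example for checking the behaviour described in the question and the answer; it is not code from either poster. The CA-side part assumes the template's internal name is `EFS` (the internal name of the "Basic EFS" v1 template) and that `certutil` and the `ADCSAdministration` module are available on the CA; the client-side part assumes the certificates were issued to the user's personal store. The column headings in the CSV output are those `certutil -view` prints on a default English install and are an assumption here.

```powershell
# Added example (not from the original post). CA side first, then client side.

# --- CA side: which users are being issued Basic EFS certificates, and when? ---
# The CA database stores a v1 template's internal name ("EFS") in the
# CertificateTemplate column, so restrict on that and ask for CSV output.
function Get-BasicEfsIssuance {
    certutil -view -restrict "CertificateTemplate=EFS" `
        -out "RequestID,RequesterName,NotBefore" csv |
        ConvertFrom-Csv
}

# Group by requester so it is obvious the requests come from ordinary user accounts
# (assumption: heading text is "Requester Name" / "Certificate Effective Date").
Get-BasicEfsIssuance |
    Group-Object 'Requester Name' |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Requester = $_.Name
            Count     = $_.Count
            Latest    = ($_.Group | Sort-Object { [datetime]$_.'Certificate Effective Date' } |
                         Select-Object -Last 1).'Certificate Effective Date'
        }
    }

# --- Client side (run as the affected user): does this user hold an EFS cert,
#     and did it come from the CA or was it self-signed as a fallback? ---
$efsEku = '1.3.6.1.4.1.311.10.3.4'   # szOID_KP_EFS, the Encrypting File System EKU
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku } |
    Select-Object Thumbprint, Subject, Issuer, NotBefore,
        @{ n = 'SelfSigned'; e = { $_.Subject -eq $_.Issuer } }

# cipher /y prints the thumbprint of the EFS certificate the current user would
# encrypt with; compare it with the Thumbprint column above.
cipher /y

# The enrollment is performed on the user's behalf by the EFS component, not by a
# process the user starts deliberately; the service is registered as "EFS".
Get-Service EFS

# --- Optional: stop the CA from issuing Basic EFS. Per the answer above, clients
#     then fall back to self-signed EFS certificates, so this does not stop users
#     from encrypting files; it only removes the CA from the picture. ---
Import-Module ADCSAdministration
Get-CATemplate | Where-Object Name -eq 'EFS'
# Remove-CATemplate -Name 'EFS' -Force     # uncomment once you are sure you want this
```

If the grouped output shows ordinary user accounts with one certificate each, issued at the scattered times the question mentions, that is consistent with the answer: each entry is the first time that user encrypted something and the EFS component went to the CA for a certificate.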