EFS through Certificates

[Dan]

I would like to be completely in control of recovering users certificates
that they may use for signing email and encrypting files.

But what about the users default ability to encrypt files? How can I stop
this so I issue them user certificates to acheive this? Something about
superseding templates?

 

[Guest]

In an Active Directory environment, you can disable the ability of end users
to encrypt files by using Group Policy:

Under the Windows Settings - Security Settings - Public Key Policies -
Encrypting File System. Right Click on Encrypting File System and remove the
checkbox from
'Allow users to encrypt files using EFS'.

If not using Active Directory, you can find the same settings in the Local
Security Policy on each computer.