Wednesday, January 30, 2008

Disabling or Reenabling EFS

If you want to prevent users from encrypting files on a particular machine, you can disable EFS. If your computer is part of a domain, domain-level policies determine whether EFS can be used on a workstation. For stand-alone computers and computers that are part of a workgroup, the following sections explain how to control the availability of EFS.

Disabling or Reenabling EFS in Windows XP
To disable EFS on a computer running Windows XP Professional that is not part of a domain, follow these steps:

1. Open Registry Editor. (At a command prompt, type regedit.)
2. Open the HKLM\Software\Microsoft\Windows NT\CurrentVersion\EFS key.
3. Choose Edit, New, DWORD Value.
4. Type EfsConfiguration as the name for the new value.
5. Double-click the EfsConfiguration value and change its value data to 1.
6. Restart the computer.

To reenable EFS, return to the same value and change it to 0.
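As an added example (not part of the original article), the same registry change scripted for auditing and rollback; the function names are this example's own, and it assumes an elevated PowerShell session on the workstation (Get-WmiObject is used so it also runs on PowerShell 2.0):

```powershell
# Added example: audit and set the EfsConfiguration DWORD described in the steps above.
# Function names are this example's own. Run elevated; a restart is still required
# after a change, as the article states.
$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

function Get-EfsConfigurationState {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured' (value absent, which leaves EFS available)
    $item = Get-ItemProperty -Path $EfsKey -Name 'EfsConfiguration' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    switch ($item.EfsConfiguration) {
        0       { 'Enabled' }
        1       { 'Disabled' }
        default { "Unexpected value $($item.EfsConfiguration)" }
    }
}

function Set-EfsConfigurationState {
    # Writes 1 to disable EFS or 0 to reenable it; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][ValidateSet('Enabled', 'Disabled')][string]$State)

    $value = if ($State -eq 'Disabled') { 1 } else { 0 }
    if (-not (Test-Path $EfsKey)) { New-Item -Path $EfsKey -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($EfsKey, "Set EfsConfiguration = $value ($State)")) {
        # REG_DWORD; created if missing, overwritten otherwise
        New-ItemProperty -Path $EfsKey -Name 'EfsConfiguration' -PropertyType DWord `
            -Value $value -Force | Out-Null
        Write-Warning 'EfsConfiguration changed; restart the computer for it to take effect.'
    }
}

# Audit: report the current state and flag the domain case, where this value is not authoritative
$partOfDomain = (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
"EFS state on $env:COMPUTERNAME : $(Get-EfsConfigurationState)"
if ($partOfDomain) { 'Computer is domain-joined: domain policy, not this value, governs EFS.' }
```

To disable EFS, run `Set-EfsConfigurationState -State Disabled` (add `-WhatIf` first to preview), then restart; `-State Enabled` reverses it.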

NOTE: Intrepid tweakers might come across a check box called Allow Users To Encrypt Files Using Encrypting File System (EFS) and assume that clearing it disables EFS. Unfortunately, this action has no effect in a workgroup environment. If you want to check it out for yourself, open Local Security Settings (Secpol.msc), select Public Key Policies, right-click Encrypting File System, and choose Properties.

Disabling or Reenabling EFS in Windows 2000
If you're using Windows 2000, follow these steps to disable EFS on a computer that is not part of a domain:

1. Open Local Security Settings. (In Control Panel, open Administrative Tools, Local Security Policy. Or, more simply, type secpol.msc at a command prompt.)
2. In Local Security Settings, go to Public Key Policies\Encrypted Data Recovery Agents.
3. Right-click the Administrator certificate and choose Delete.

CAUTION: Before you delete a certificate, be sure you have exported the file recovery certificate and its private key so that the key is available for data recovery. (For details, see "Backing Up the Data Recovery Agent Certificate.") Without it—or another valid data recovery agent certificate, such as one from a domain controller—you won't be able to reenable EFS unless you reinstall Windows 2000.

4. In response to the confirmation dialog box, click Yes.

This procedure creates an empty recovery policy. When the policy is empty—that is, all the data recovery agent certificates have been deleted—users who attempt to encrypt files will see the error message "There is no valid encryption recovery policy configured for this system."

To reenable EFS after you've set an empty recovery policy, you reinstall the data recovery agent certificate, as follows:

1. In Local Security Settings, go to Public Key Policies\Encrypted Data Recovery Agents.
2. Right-click Encrypted Data Recovery Agents, and choose Initialize Empty Policy. (If the command is not on the shortcut menu, you already have an empty policy; skip this step.)
3. Right-click Encrypted Data Recovery Agents, and choose Add to launch the Add Recovery Agent Wizard. Click Next.
4. On the Select Recovery Agents page, click Browse Folders and then navigate to the folder that contains the .cer file for the data recovery agent you want to add. (The Browse Directory button searches Active Directory, a feature of Windows 2000 Server-based domains.) Click Open.

   Here's where the wizard becomes confusing. The Select Recovery Agents page now shows the new agent as USER_UNKNOWN. This is normal. Simply click Next and then click Finish.
5. A message appears: "The certificate cannot be validated." Again, this is normal. Click OK.

The certificate for the data recovery agent (with the correct user name shown) now appears in the details pane, and you can begin encrypting files again.
