How to disable EFS using Local Group Policy in Windows Seven

EFS, or Encrypting File System, is used to encrypt (cipher) files on a hard drive or any other media. Windows Seven, like its predecessors, gives users the ability to encrypt files and folders. While on portable devices EFS can be very effective at keeping your data out of the wrong hands if your device gets stolen, it can also be very devastating and painful if used inappropriately. If you change your password incorrectly by resetting it, or if you don't have a recovery agent set up, there is basically no way of getting the data back from an encrypted file or folder. If you don't think your device is going to be stolen (as with desktop workstations), it's best for system administrators or IT support personnel to disable EFS. In this article we will show you how to disable EFS on machines using local group policy and state some advantages of disabling it this way.

If you are in a domain environment, it's probably better to use a Domain GPO (Domain Group Policy) to disable EFS. However, in a workgroup environment or a SOHO small business setup, a central domain is often not available for enforcing the EFS setting; you can then use the local group policy as described below to disable EFS. Also, if your machine is disjoined from the domain, it will lose its domain GPO enforcement for EFS, but if you also had a local group policy setting in place, that setting will still prevail.

 

Let's see how we can enforce the no-EFS setting using a local group policy in Windows Seven. You must be logged on as a user with local administrative rights on the machine to do this.

1. Click Start, type GPEdit.msc in the search box, and press Enter.

2. The Local Group Policy Editor launches.

3. Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Public Keys and then to Encrypting File System. Notice that the right pane shows "No Encrypting File System Settings Defined".

4. Right-click the Encrypting File System node and choose Properties. The Encrypting File System policy properties come up. Notice that the setting is currently "not defined", which means the system default applies, allowing users to encrypt files on local drives.

5. Change the Encrypting File System properties setting from "not defined" to "don't allow" in local group policy. This enforces the local group policy, which will not let anyone use EFS on the local C drive.

6. If you try to encrypt a file now, Windows will tell you EFS is disabled for this machine.
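
The check in step 6 can be scripted so it can be repeated after a reboot or a domain disjoin. The following is an added example, not part of the original article: the function name `Test-EfsDisabled` is hypothetical, and the registry location of the policy value is an assumption that the page does not state.

```powershell
# Added example: verify that the "don't allow" EFS setting from the steps above is in effect.
# Run as a local administrator on the machine being checked. Written to work on PowerShell 2.0.

function Test-EfsDisabled {
    param([string]$Directory = $env:TEMP)   # assumption: a folder on a local NTFS drive

    # Assumption (not on the page): the policy is stored as EfsConfiguration under this key,
    # where 1 means EFS is not allowed. $null means no policy value was found.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'
    $policy = $null
    if (Test-Path $key) {
        $policy = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EfsConfiguration
    }

    # Functional check, as in step 6: try to encrypt a throwaway file.
    $probe = Join-Path $Directory ("efs-probe-{0}.txt" -f [guid]::NewGuid())
    Set-Content -Path $probe -Value 'constructed test data'
    $refused = $false
    $reason  = ''
    try {
        [System.IO.File]::Encrypt($probe)
    } catch {
        # Encryption can also fail for other reasons (for example a non-NTFS volume),
        # so the message is kept for the operator to read.
        $refused = $true
        $reason  = $_.Exception.Message
    }

    # Confirm from the file attributes that the probe did not end up encrypted.
    $attrs     = [System.IO.File]::GetAttributes($probe)
    $encrypted = ($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0
    Remove-Item -Path $probe -Force

    New-Object PSObject -Property @{
        PolicyValue       = $policy
        EncryptRefused    = $refused
        ProbeWasEncrypted = $encrypted
        Reason            = $reason
        EfsDisabled       = ($refused -and -not $encrypted)
    }
}

Test-EfsDisabled | Format-List
```

If `EfsDisabled` is `False`, or `Reason` shows an error unrelated to EFS being disabled, recheck the setting from step 5.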