Disabling EFS Encryption in Windows XP

We're looking for a way to disable the use of the Encrypting File System (EFS) on our Windows XP clients. We're interested in disabling encryption only for individual files and folders or, alternatively, disabling EFS entirely on all XP systems. Can you give us some hints?

To disable EFS encryption for individual files or folders, you must perform one of the following actions:

  • Make the file or folder a system file or system folder—You can establish a system file or system folder either by setting the file’s or folder’s system attribute or adding the file or folder to your XP system's %systemroot% folder. To include the system attribute, use the attrib.exe command-line utility with the +S flag. For example, to set the system attribute of the file summary.doc in the C:\personaldocs folder, go to the command line and type
Attrib +S c:\personaldocs\summary.doc
  • Deny users the Write permission to the file or folder.
  • To disable EFS encryption at the folder level, create a file called desktop.ini in the folder for which you want to disable EFS—The desktop.ini file must contain the following information:
  • \[Encryption\]

    A desktop.ini file affects only the current folder and its content—it doesn't apply to subfolders and their content.

    To disable the use of EFS completely on an XP computer, you must perform one of the following actions:

  • Create the EfsConfiguration registry value—Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS registry subkey. From the Edit menu, select New, DWORD Value. Type the name
  • EfsConfiguration

    then set it to 1. Setting the registry value to 0 will enable EFS on an XP machine. Reboot your machine for the change to take effect.

  • Clear the Allow users to encrypt files using Encrypting File System (EFS) property check box in an XP machine’s local security policy—To set this property, open the Microsoft Management Console (MMC) Local Security Policy snap-in, expand the Public Key Policies container, then right-click the Encrypting File System container to open its properties. To refresh the local policy, run gpupdate.exe from the command line. Gpupdate is an XP command that refreshes Group Policy application on the local machine.
  • You can also use a Group Policy Object (GPO) setting that you define on the Windows Server 2003 or Windows 2000 domain or organizational unit (OU) level to distribute the EfsConfiguration registry hack I mentioned above to your XP machines. EfsConfiguration is available in the default Windows 2003 GPO settings as part of the properties of the Encrypting File System object, which is in the Public Key Policies container. EfsConfiguration isn't available in Win2K's default GPO settings. For instructions describing how to add it, see the Microsoft article "How to Add Custom Registry Settings to Security Configuration Editor".

    Hide comments


    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.