We're looking for a way to disable the use of the Encrypting File System (EFS) on our Windows XP clients. We're interested in disabling encryption only for individual files and folders or, alternatively, disabling EFS entirely on all XP systems. Can you give us some hints?
To disable EFS encryption for individual files or folders, you must perform one of the following actions:
- Make the file or folder a system file or system folder—You can establish a system file or system folder either by setting the file’s or folder’s system attribute or adding the file or folder to your XP system's %systemroot% folder. To include the system attribute, use the attrib.exe command-line utility with the +S flag. For example, to set the system attribute of the file summary.doc in the C:\personaldocs folder, go to the command line and type
Attrib +S c:\personaldocs\summary.doc
A desktop.ini file affects only the current folder and its content—it doesn't apply to subfolders and their content.
To disable the use of EFS completely on an XP computer, you must perform one of the following actions:
then set it to 1. Setting the registry value to 0 will enable EFS on an XP machine. Reboot your machine for the change to take effect.
You can also use a Group Policy Object (GPO) setting that you define on the Windows Server 2003 or Windows 2000 domain or organizational unit (OU) level to distribute the EfsConfiguration registry hack I mentioned above to your XP machines. EfsConfiguration is available in the default Windows 2003 GPO settings as part of the properties of the Encrypting File System object, which is in the Public Key Policies container. EfsConfiguration isn't available in Win2K's default GPO settings. For instructions describing how to add it, see the Microsoft article "How to Add Custom Registry Settings to Security Configuration Editor".