RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.
Consider the following scenario:
1. You disable Encrypting File System (EFS) on some clients from a Windows Server 2003-based machine by using a group policy from a policy level, such as an OU policy.
2. You disable EFS on these clients using another policy from a different policy level, such as local policy or domain policy.
3. You disable the defined policy on the OU level to enable EFS.
In this scenario, EFS is not enabled on these clients. The expected behavior is that EFS is enabled successfully.
You may experience the following additional symptoms:
1. A policy has a Data Recover Agent DRA defined but it is not applying.
2. Other settings in the policy apply successfully.
3. When you review the encryption details for a file you do not see the Data Recovery Agent listed.
4. When you look at the policy on Windows XP or Windows 2003 computer “Allow users to encrypt files using Encrypting File System (EFS)” is checked.
When EFS is disabled by a group policy, the registry value EfsConfigure is set to 1. When this policy is disabled, the value EfsConfigured is removed. It is not set to zero. If another policy applies to the computer that also disables EFS, the two policies cannot be properly merged because the EfsConfigured value does not exist.
The net result is that, once EFS has been disabled by Group Policy at one level, it cannot be re-enabled at that level if some other policy is also configured to disable EFS, regardless of the order of precedence for the policies.
Additionally, if EFS is disabled it cannot be re-enabled via policy from an Microsoft Windows XP or Microsoft Windows 2003 computer. There is a setting that has a checkbox that makes the admin think they are enabling EFS. (The setting “Allow users to encrypt files using Encrypting File System (EFS)”)
To work around the issue, you can use one of the method below:
1. Set the original policy to enable EFS and do not try to enable it in a second policy.
2. Push the registry value to clients by using scripts:
KeyName: Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS
3. Manage EFS policy from a Windows Vista or a Windows Server 2008 machine. The issue is resolved in Windows Vista or Windows Server 2008 systems
Location: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS
Value 0 or 1
0 means that EFS is turned on and 1 means that EFS is turned off.
Vista or Windows 2008 - administrator can enable or disable EFS
XP or Windwos 2003 – can only disable EFS.
Note: If EFS has previously been disabled in the policy. Editing the policy on an XP or 2003 machine by checking the box to “Allow users to encrypt files using Encrypting File System (EFS)” will not have any affect. The setting will still be disabled even though the checkbox remains checked. Enabling EFS can only be accomplished via a Vista or 2008 gpeditor.
MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.