Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

EFS may not be enabled as expected after you disable a policy that turns off the EFS feature



Source: Microsoft Support



Rapid publishing

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.



Symptom



Consider the following scenario:

1. You disable Encrypting File System (EFS) on some clients from a Windows Server 2003-based machine by using a group policy from a policy level, such as an OU policy.

2. You disable EFS on these clients using another policy from a different policy level, such as local policy or domain policy.

3. You disable the defined policy on the OU level to enable EFS.

In this scenario, EFS is not enabled on these clients. The expected behavior is that EFS is enabled successfully.

You may experience the following additional symptoms:

1. A policy has a Data Recovery Agent (DRA) defined, but it is not applying.

2. Other settings in the policy apply successfully.

3. When you review the encryption details for a file, you do not see the Data Recovery Agent listed.

4. When you look at the policy on a Windows XP or Windows 2003 computer, "Allow users to encrypt files using Encrypting File System (EFS)" is checked.



Cause



When EFS is disabled by a group policy, the registry value EfsConfiguration is set to 1. When this policy is disabled, the value EfsConfiguration is removed. It is not set to zero. If another policy that also disables EFS applies to the computer, the two policies cannot be properly merged because the EfsConfiguration value does not exist.

The net result is that, once EFS has been disabled by Group Policy at one level, it cannot be re-enabled at that level if some other policy is also configured to disable EFS, regardless of the order of precedence for the policies.

Additionally, if EFS is disabled, it cannot be re-enabled via policy from a Microsoft Windows XP or Microsoft Windows 2003 computer. There is a setting with a checkbox that makes the admin think they are enabling EFS (the setting "Allow users to encrypt files using Encrypting File System (EFS)").



Resolution



To work around the issue, you can use one of the methods below:

1. Set the original policy to enable EFS and do not try to enable it in a second policy.
2. Push the registry value to clients by using scripts:

KeyName: Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS
ValueName: EfsConfiguration
ValueType: REG_DWORD
Value: 0x00000000

3. Manage EFS policy from a Windows Vista or a Windows Server 2008 machine. The issue is resolved in Windows Vista and Windows Server 2008 systems.
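
A script for method 2, as an added example that is not part of the KB article: it reports whether EfsConfiguration is missing, 0 or 1 and, when run with the hypothetical -Fix switch, writes 0 as described above. It assumes Windows PowerShell is installed on the clients and that the script runs elevated (for example as a computer startup script).

```powershell
# Added example, not Microsoft's code. Audits the EFS policy value named in
# the article and optionally sets it to 0 (EFS turned on).
param([switch]$Fix)   # hypothetical switch: report only unless -Fix is given

$key  = 'HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS'
$name = 'EfsConfiguration'

function Get-EfsPolicyState {
    # 'Missing' is the state described under Cause: the value was removed
    # instead of being set to zero.
    if (-not (Test-Path $key)) { return 'Missing' }
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Missing' }
    switch ($item.EfsConfiguration) {
        0       { return 'Enabled' }     # 0 means EFS is turned on
        1       { return 'Disabled' }    # 1 means EFS is turned off
        default { return 'Unexpected' }  # anything else is not documented
    }
}

$before = Get-EfsPolicyState
Write-Output "$env:COMPUTERNAME EfsConfiguration before: $before"

if ($Fix -and $before -ne 'Enabled') {
    # Create the policy key if needed, then write REG_DWORD 0x00000000.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force |
        Out-Null
    Write-Output "$env:COMPUTERNAME EfsConfiguration after: $(Get-EfsPolicyState)"
}
```

Run it without -Fix first to collect the current state from each client, then confirm on a test file that the Data Recovery Agent is listed again after the value is set.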



More information



Registry Information:

Location: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS

Name: EfsConfiguration

Type: REG_DWORD

Value: 0 or 1

0 means that EFS is turned on and 1 means that EFS is turned off.

Vista or Windows 2008 - administrator can enable or disable EFS

XP or Windows 2003 - can only disable EFS.



Note: If EFS has previously been disabled in the policy, editing the policy on an XP or 2003 machine by checking the box to "Allow users to encrypt files using Encrypting File System (EFS)" will not have any effect. The setting will still be disabled even though the checkbox remains checked. Enabling EFS can only be accomplished via a Vista or 2008 gpeditor.



Disclaimer

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE "MATERIALS") FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.



Keywords: kbnomt, kbrapidpub, KB960050


Article Info
Article ID : 960050
Revision : 1
Created on : 11/13/2008
Published on : 11/13/2008
Exists online : False