How to Disable/Enable EFS on a Stand-Alone Windows 2000-Based Computer

ID: Q243035


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server


SUMMARY

This article describes how to disable and enable the Encrypting File System (EFS) on Windows 2000-based computers that are not members of a Windows 2000-based domain. EFS is designed so that a file can be encrypted only when a recovery agent is available. By default, the local Administrator account is the designated recovery agent on stand-alone Windows 2000-based computers.

NOTE: You must repeat the steps to disable EFS if you install or reinstall Windows 2000 on a computer.


MORE INFORMATION

WARNING: Microsoft strongly recommends that you decrypt any encrypted files on your computer before following this procedure. If you do not decrypt the files first, you will not be able to recover them after performing this procedure. If you do not first back up the recovery agent's certificate (using the following steps), you must reinstall Windows 2000 if you want to re-enable EFS in the future.

To Back Up the Recovery Agent's Certificate

  1. Log on to your computer using the local Administrator account.

    NOTE: You must use the built-in Administrator account, not just an account with administrator privileges.


  2. Click Start, click Run, type secpol.msc, and then click OK.


  3. Click the plus sign (+) next to Public Key Policies to expand it.


  4. Click the Encrypted Data Recovery Agents category.


  5. In the right pane, a certificate that is issued to "Administrator" with an intended purpose of "File Recovery" is displayed. Right-click this item, point to All Tasks, and then click Export.


  6. Click Next.


  7. Make sure that the No, do not export the private key option is selected, and then click Next.


  8. In the Export File Format box, make sure that the DER Encoded Binary X.509 (.CER) option is selected.


  9. Click Next.


  10. When you are prompted to save the certificate to a file, back up the file to a disk or removable media device, and then store the backup in a location where its physical security is ensured. Type an appropriate file name, and then click Next.


  11. When the Completing the Certificate Export Wizard dialog box is displayed, verify the options that you selected, and then click Finish.


  12. When the "The export was successful" message is displayed, click OK.
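Before deleting the recovery policy, it is worth confirming that the file exported in step 10 really is a bare DER certificate (not a .pfx carrying the private key) and that it carries the "File Recovery" purpose. The following check is an added example and is not part of the original article; it parses the DER by hand with the Python standard library, assumes the well-known OIDs 2.5.29.37 (extended key usage) and 1.3.6.1.4.1.311.10.3.4.1 (EFS file recovery, szOID_EFS_RECOVERY), and runs against constructed sample blobs rather than a real exported certificate.

```python
EFS_RECOVERY_OID = "1.3.6.1.4.1.311.10.3.4.1"   # szOID_EFS_RECOVERY, shown as "File Recovery"
EKU_OID = "2.5.29.37"                           # id-ce-extKeyUsage
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode DER OID content bytes to dotted form (0x55 0x1d 0x25 -> '2.5.29.37')."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def _walk_oids(buf, found):
    """Collect every OID in a DER blob, descending into constructed types and OCTET STRINGs."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        if tag == 0x06:
            found.add(_decode_oid(value))
        elif tag & 0x20 or tag == 0x04:         # extension payloads sit inside an OCTET STRING
            try: _walk_oids(value, found)
            except IndexError: pass             # opaque octets (keys, hashes) are not DER
    return found

def check_recovery_cert(der):
    """Return (looks_like_x509_cert, has_file_recovery_eku) for the bytes of a backup file."""
    tag, body, end = _read_tlv(der, 0)
    children, pos = [], 0
    while pos < len(body):
        t, _, pos = _read_tlv(body, pos); children.append(t)
    # Certificate ::= SEQUENCE { SEQUENCE tbs, SEQUENCE sigAlg, BIT STRING }; a PKCS#12 .pfx
    # (the format that carries the private key) starts SEQUENCE { INTEGER version, ... } instead.
    cert_shaped = tag == 0x30 and end == len(der) and children == [0x30, 0x30, 0x03]
    oids = _walk_oids(der, set())
    return cert_shaped, EKU_OID in oids and EFS_RECOVERY_OID in oids
def _tlv(tag, content):                         # short-form DER encoder for the constructed samples
    return bytes([tag, len(content)]) + content
# Constructed sample: certificate-shaped skeleton whose tbsCertificate holds only an EKU extension.
_EKU_EXT = _tlv(0x30, _tlv(0x06, bytes.fromhex("551d25")) +
                _tlv(0x04, _tlv(0x30, _tlv(0x06, bytes.fromhex("2b0601040182370a030401")))))
SAMPLE_CER = _tlv(0x30, _tlv(0x30, _EKU_EXT) + _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010105"))
                  + _tlv(0x05, b"")) + _tlv(0x03, b"\x00"))
# Constructed sample shaped like a PKCS#12 file: the wrong artifact to keep as the recovery backup.
SAMPLE_PFX_SHAPED = _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x30, b"") + _tlv(0x30, b""))
```

Against a real backup, call `check_recovery_cert(open("recovery.cer", "rb").read())`; a first value of False means the file is not a bare certificate, and a second value of False means it is not the file-recovery certificate.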


To Disable EFS

  1. Log on to your computer using the local Administrator account.

    NOTE: You must use the built-in Administrator account, not just an account with administrator privileges.


  2. Click Start, click Run, type secpol.msc, and then click OK.


  3. Click the plus sign (+) next to Public Key Policies to expand it.


  4. Click the Encrypted Data Recovery Agents category.


  5. In the right pane, a certificate that is issued to "Administrator" with an intended purpose of "file recovery" is displayed. Right-click this item, and then click Delete.


  6. At the "Permanently delete the selected certificate?" prompt, click Yes.


  7. Close the Microsoft Management Console (MMC) window.


  8. Restart your computer for the change to take effect.


To Enable EFS After Disabling It

  1. Log on to your computer using the local Administrator account.

    NOTE: You must use the built-in Administrator account, not just an account with administrator privileges. If you did not previously back up the certificate using the steps in this article, you must reinstall Windows 2000 to re-enable EFS.


  2. Click Start, click Run, type secpol.msc, and then click OK.


  3. Click the plus sign (+) next to Public Key Policies to expand it.


  4. Right-click the Encrypted Data Recovery Agents category, and then click Add.


  5. In the Welcome to the Add Recovery Agent Wizard dialog box, click Next.


  6. Click Browse Folders.


  7. In the Open dialog box, locate and click the certificate you previously exported, and then click Open.

    NOTE: At this point the certificate is imported, but the user is displayed as "USER_UNKNOWN". The Certificates value displays "OU= EFS File Encryption..."


  8. Click Next, and then click Finish. When you receive the "The certificate cannot be validated" message, click OK to continue. Note that the Administrator account is now the recovery agent. EFS is now re-enabled on your computer.


Keywords : kbenv kbtool
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbhowto


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.