Disabling EFS on Windows Servers

SimplySecure customers who are using Microsoft’s Encrypting File System (EFS) to encrypt their devices should be aware of a recent discovery regarding Microsoft Server products. SimplySecure does NOT provide a product to manage EFS encryption on Microsoft Server products. Unfortunately, unlike previous versions of Microsoft Server products, Microsoft Server 2012 ships with EFS file encryption set to ‘ON’ by default.

Because EFS is turned on at the server, a file that a user copies to the server remains encrypted. However, a different encryption key is applied. This key is NOT generated by SimplySecure, and it is NOT managed at the SimplySecure Administration Console.

We recommend that you modify the Local Security Policy on all Microsoft file servers to disable EFS. Caution: Before you apply this policy, you will need to determine if you have any encrypted files on your server and manually decrypt them. Otherwise you will lose access to these files once EFS is turned off. Please contact Beachhead Support (support@beachheadsolutions.com) to assist you in modifying your policy.
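One way to carry out the check described in the caution above, as an added example that is not a Beachhead or Microsoft script: it inventories EFS-encrypted items under a share root and, only when -Decrypt is passed, attempts to decrypt each file. The share root, report path and parameter names are assumptions to adapt to your server.

```powershell
# Added example: inventory EFS-encrypted items before EFS is disabled.
# $Root and $Report are assumed values; change them for your server.
param(
    [string]$Root   = 'D:\Shares',                    # assumed share root
    [string]$Report = "$env:TEMP\efs-inventory.csv",  # assumed report path
    [switch]$Decrypt                                  # default is report only
)

# -Attributes Encrypted (PowerShell 3.0+) matches files and folders that
# carry the EFS attribute. Scan errors (e.g. access denied) are collected.
$items = Get-ChildItem -LiteralPath $Root -Recurse -Force -Attributes Encrypted `
    -ErrorAction SilentlyContinue -ErrorVariable scanErrors

$results = foreach ($item in $items) {
    $status = 'Encrypted'
    if ($Decrypt -and -not $item.PSIsContainer) {
        try {
            # Works only if the running account holds an EFS key for this
            # file (the encrypting user or a recovery agent).
            [System.IO.File]::Decrypt($item.FullName)
            $status = 'Decrypted'
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
    }
    # Owner tells you which user to contact when decryption fails.
    $owner = try { (Get-Acl -LiteralPath $item.FullName).Owner } catch { 'unknown' }
    [pscustomobject]@{
        Path     = $item.FullName
        IsFolder = $item.PSIsContainer   # folders are reported, not decrypted
        Owner    = $owner
        Status   = $status
    }
}

$results | Export-Csv -LiteralPath $Report -NoTypeInformation
$remaining = @($results | Where-Object { $_.Status -ne 'Decrypted' -and -not $_.IsFolder })
Write-Output ("Encrypted items found: {0}" -f @($results).Count)
Write-Output ("Files still encrypted:  {0}" -f $remaining.Count)
Write-Output ("Paths that could not be scanned: {0}" -f $scanErrors.Count)
```

Apply the “Don’t Allow” setting only once the report shows no files still encrypted and no unscanned paths; files listed as Failed must be decrypted by an account that holds their key.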

To change the policy, run the “gpedit.msc” command on the server (as shown in the illustration below). Go to the Public Key Policies folder in the Local Security Policy window, right-click on Encrypting File System, and select Properties. Select the “Don’t Allow” radio button and click the “Apply” button.

