How to Locate EFS Encrypted Files and Disable EFS
On occasion, an EFS certificate may be issued to your domain user account. You may never have even knowingly used EFS, but if a certificate has been issued there are usually some EFS encrypted files on the system drive.
Encrypting File System is a technology that allows users to encrypt files, EFS was introduced in Windows long before BitLocker and is typically no longer in use. EFS is sometimes enabled by default, in this situation users can self-encrypt files without having implemented procedures that will allow them to recover the files when needed.
Locating EFS Encrypted Files
Most users have never knowingly used EFS and do not know where these EFS encrypted files are located.
Fortunately, there is a utility included with Windows that can help us locate these files. From an elevated command prompted you need to run the following command.
To easily open the Command Prompt with admin privileges. Press Windows+R to open the “Run” box. Type “cmd” into the box and then press Ctrl+Shift+Enter to run the command as an administrator.
Ctrl+Shift+Enter to run the command as an administrator
In your command window, move to the root of your system drive.
Type the command
Once you are at C:\ you can run the cipher utility with the following command.
cipher /u /n /h
This command will generate a list of all of the EFS encrypted files. The search process is recursive so it will look through sub-directories as well. We are including the /n switch to prevent cipher from triggering an update on the file which means that it will not try to use or renew the EFS certificate on the file. This is important where you may not have permissions to currently access the files but only traverse directory permissions.
When the process is complete, Cipher will display a list of encrypted files with their locations.
If there are no files listed as shown in the example above, you do not have any EFS encrypted files on your system drive.
Disable EFS via Group Policy
If you want to prevent any new EFS encrypted files from appearing, you can easily do this with Group Policy editor.
Press Windows+R to open the “Run” box. Type “gpedit.msc” and press enter.
In the Group Policy Editor navigate to
Computer Configuration > Windows Settings > Security Settings > Public Key Policies
Right-click on the Encrypting File System folder in the left side navigation area. Select Properties and In the EFS Properties window choose "Don't allow", Click OK. This will disable the ability for users to use EFS.