Configure EFS Using Group Policy Settings

Select Group Policy Management. Select Settings. Right-click Public Key Policies/Encrypting File System and select Edit. Right-click Encrypting File System and select Properties. Select Allow to enable the group policy.



File Encryption Using Encrypting File System (EFS) – By default, EFS is allowed. If you select Don’t Allow, users will be unable to encrypt files with EFS.

Encrypt The Contents Of The User’s Documents Folder – Enable this option to automatically encrypt the user’s Documents folder. Although many other folders contain confidential information, encrypting the Documents folder significantly improves security, especially for mobile computers, which are at a higher risk of theft.

Require A Smart Card For EFS – Select this check box to prevent the use of software certificates for EFS. Enable this if users have smart cards and you want to require the user to insert the smart card to access encrypted files. This can add security, assuming the user does not always leave the smart card in the computer.

Create Caching-Capable User Key From Smart Card – If this and the previous option are enabled, users need to insert a smart card only the first time they access an encrypted file during their session. If this option is disabled, the smart card must be present every time the user accesses a file.

Enable Pagefile Encryption – Encrypts the page file. Windows uses the page file to store a copy of data that is stored in memory, and, as a result, it might contain unencrypted copies of EFS-encrypted files. Therefore, a very skillful attacker might find unencrypted data in the page file if this option is disabled. Encrypting the page file can impact performance.

Display Key Backup Notifications When User Key Is Created or Changed – If enabled, Windows prompts the user to back up EFS keys when encryption keys are created or changed.

Allow EFS To Generate Self-Signed Certificates When A Certification Authority Is Not Available – If disabled, client computers will need to contact your certification authority (CA) the first time an EFS file is encrypted. This would prevent users who are disconnected from your network from enabling EFS for the first time. To allow EFS to retrieve a certificate from a CA instead of generating a self-signed certificate, you should configure a CA and enable autoenrollment.

Select all relevant options and click OK.
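To check that the options above actually took effect on a client, the following PowerShell script audits the machine-side results of each setting. It is an added example, not part of the lesson: the registry value, the fsutil output format, the Encrypted file attribute on the Documents folder, and the EFS enhanced key usage OID are assumptions based on documented Windows behaviour, so verify them on your own build. Run it in an elevated session on a domain-joined client after `gpupdate /force`.

```powershell
# Added example (not from the lesson): audit the client-side effects of the EFS
# Group Policy options. Assumptions: HKLM\...\EFS\EfsConfiguration = 1 is how
# "Don't Allow" disables EFS, fsutil prints "EncryptPagingFile = 1" when page
# file encryption is on, and 1.3.6.1.4.1.311.10.3.4 is the EFS EKU OID.

function Test-EfsEnabled {
    # A missing EfsConfiguration value means EFS is allowed (the default).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
    $cfg = (Get-ItemProperty -Path $key -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
    return ($null -eq $cfg) -or ($cfg -ne 1)
}

function Test-PagefileEncryption {
    # Mirrors the "Enable Pagefile Encryption" option.
    $out = & fsutil.exe behavior query EncryptPagingFile 2>&1 | Out-String
    return [bool]($out -match 'EncryptPagingFile\s*=\s*1')
}

function Test-DocumentsEncrypted {
    # The Documents folder carries the Encrypted attribute once the
    # "Encrypt The Contents Of The User's Documents Folder" option applied.
    $docs = [Environment]::GetFolderPath('MyDocuments')
    $attr = (Get-Item -LiteralPath $docs -Force).Attributes
    return [bool]($attr -band [IO.FileAttributes]::Encrypted)
}

function Get-EfsCertificateReport {
    # Lists the user's EFS-capable certificates and flags self-signed ones,
    # i.e. certificates EFS generated itself because no CA was reachable.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

$summary = [pscustomobject]@{
    EfsAllowed         = Test-EfsEnabled
    PagefileEncrypted  = Test-PagefileEncryption
    DocumentsEncrypted = Test-DocumentsEncrypted
}
$summary | Format-List
Get-EfsCertificateReport | Format-Table -AutoSize
```

A `SelfSigned` row with `HasPrivateKey` set is the case the last option above describes: the user encrypted a file while disconnected and EFS minted its own certificate. Those keys are not backed by your CA and are lost with the profile unless the key backup notification was acted on, which is why pairing the CA option with autoenrollment and a recovery agent matters.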

Configure a Data Recovery Agent

Select Group Policy Management. Select Settings. Right-click Public Key Policies/Encrypting File System and select Edit. Right-click Encrypting File System and select Create Data Recovery Agent. The logged-on user will be created as a Data Recovery Agent.
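A recovery agent only helps if files encrypted on clients actually carry its recovery certificate. The script below, an added example rather than the lesson's own procedure, encrypts a constructed scratch file and reads the recovery certificates that `cipher.exe /c` reports for it. Parsing relies on the English section label "Recovery Certificates:" and the "Certificate thumbprint:" lines of cipher's output, which is an assumption to check against your Windows version.

```powershell
# Added example (not from the lesson): verify that a Data Recovery Agent is
# applied to newly encrypted files. Assumption: cipher.exe /c prints a
# "Recovery Certificates:" section containing "Certificate thumbprint:" lines.

function Get-EfsRecoveryAgents {
    param([Parameter(Mandatory)][string]$Path)
    $lines = & cipher.exe /c $Path 2>&1
    $inRecovery = $false
    $agents = @()
    foreach ($line in $lines) {
        if ($line -match '^\s*Recovery Certificates:') { $inRecovery = $true; continue }
        if ($inRecovery -and $line -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') {
            # Normalise "1A2B 3C4D ..." to a contiguous hex thumbprint
            $agents += ($Matches[1] -replace '\s', '')
        }
    }
    return $agents
}

# Constructed scratch file so the check does not touch real user data
$scratch = Join-Path $env:TEMP 'efs-dra-check.txt'
Set-Content -LiteralPath $scratch -Value 'constructed sample content'
& cipher.exe /e $scratch | Out-Null

$agents = Get-EfsRecoveryAgents -Path $scratch
if ($agents.Count -eq 0) {
    Write-Warning "No recovery agent on $scratch; the DRA policy has not applied yet (try gpupdate /force)."
} else {
    "Recovery agent thumbprint(s): $($agents -join ', ')"
}
Remove-Item -LiteralPath $scratch -Force
```

Files encrypted before the policy reached a client are not retroactively covered; `cipher.exe /u` updates the recovery agent on existing encrypted files, so include it in rollout checks. Also confirm the thumbprint printed matches the DRA certificate you expect, since the policy makes the logged-on user's certificate the agent and that private key must be backed up and stored offline.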
