How to Enable or Disable NTFS File Encryption in Windows


The built-in Encrypting File System (EFS) is the most accessible file-level encryption tool that Windows ships for NTFS volumes. As an administrator, you can turn it on or off using the Local Group Policy Editor (gpedit.msc, referred to as GPO below), Command Prompt, PowerShell, or the Services console. If it’s your first time running EFS, the guide below explains how and when to use NTFS file encryption, and which switches actually control it.

Understanding NTFS file encryption (EFS)

NTFS, or New Technology File System, is the default file system for Windows volumes on hard drives and solid-state drives (SSDs). EFS is an NTFS feature that encrypts individual files and folders on NTFS volumes. Each file is encrypted with a random file encryption key, and that key is in turn protected by the user’s EFS certificate and private key. Decryption is transparent for the user who encrypted the file; any other user or application on the same machine cannot read it without that private key (or a Data Recovery Agent’s key).

Unlike BitLocker, which encrypts an entire drive or volume and unlocks it for everyone once the system boots, EFS provides per-file encryption tied to a user account. As such, EFS is most useful as an additional layer on computers shared by multiple users, where BitLocker alone does not separate one logged-on user’s data from another’s.

How to enable NTFS file encryption in Windows

We have several ways to enable or disable EFS. Let’s go through the steps below.

Enable NTFS encryption using Group Policy Editor (GPO)

  1. Open the Local Group Policy Editor (gpedit.msc).
  2. Navigate to Computer Configuration\Administrative Templates\System\Filesystem\NTFS.
  3. In the right pane, double-click the Do not allow encryption on all NTFS volumes policy to modify it.
  4. Select Disabled (or Not Configured) so that NTFS file encryption is allowed. This policy is phrased as a prohibition, so setting it to Enabled would turn EFS off. Click OK to confirm.
  5. Restart the device to apply the changes.

Enable NTFS encryption using Command Prompt or PowerShell

  1. Open Command Prompt or PowerShell with Administrator privileges.
  2. Type fsutil behavior set disableencryption 0 and press Enter. A value of 0 clears the NtfsDisableEncryption flag so that encryption is allowed (1 would block it). You can confirm the current value with fsutil behavior query disableencryption.
  3. Restart the computer to apply changes.

Enable NTFS encryption using Services

  1. Press Windows+R and type services.msc. Press Enter.
  2. Find and double-click on Encrypting File System (EFS) to open Properties.
  3. Click the Startup type drop-down menu and select Automatic, or restore the Windows default, Manual (Trigger Start). Either works; the only setting that blocks EFS is Disabled.
  4. Click Apply and then click OK to save these changes.

How to disable NTFS file encryption in Windows

We can also disable EFS using the GPO, Command Prompt, PowerShell, or Services.

Disable NTFS encryption using Group Policy Editor (GPO)

  1. Open the Local Group Policy Editor.
  2. Navigate to Computer Configuration\Administrative Templates\System\Filesystem\NTFS.
  3. In the right pane, double-click the Do not allow encryption on all NTFS volumes policy to modify it.
  4. Select Enabled to prevent NTFS file encryption (the policy is a prohibition, so Enabled is what blocks EFS). Click OK to confirm.
  5. Restart the device to apply the changes.

Disable NTFS encryption using Command Prompt or PowerShell

  1. Open Command Prompt or PowerShell with Administrator privileges.
  2. Type fsutil behavior set disableencryption 1 and press Enter. A value of 1 sets the NtfsDisableEncryption flag, which is the same registry value the Group Policy setting writes.
  3. Restart the computer to apply changes.

Disable NTFS encryption using Services

  1. Press Windows+R and type services.msc. Press Enter.
  2. Find and double-click on Encrypting File System (EFS) to open Properties.
  3. Click the Startup type drop-down menu to select Disabled.
  4. Click Apply and then click OK to save these changes. Note that disabling the service does not decrypt anything: files that are already encrypted simply become unreadable until the service runs again, so decrypt (cipher /d) anything that must stay accessible before you turn it off.
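The three switches above (the NTFS policy/registry flag, the fsutil command, and the EFS service) can all be checked and set from one elevated PowerShell session. The script below is an added example, not code from the original article or from NinjaOne. It assumes that the Group Policy setting and fsutil both write the NtfsDisableEncryption value under HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem (1 = encryption blocked), and that the service’s short name is EFS.

```powershell
#Requires -RunAsAdministrator
# Added example: inspect and change the switches that control EFS on this machine.
# Assumption: NtfsDisableEncryption under the FileSystem key is the value written by
# both the "Do not allow encryption on all NTFS volumes" policy and fsutil.
$FsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'

function Get-EfsState {
    # Summarize the registry flag, what fsutil reports, and the service state.
    $reg = (Get-ItemProperty -Path $FsKey -Name NtfsDisableEncryption -ErrorAction SilentlyContinue).NtfsDisableEncryption
    $fsutil = (& fsutil.exe behavior query disableencryption) -join ' '
    $svc = Get-Service -Name EFS
    [pscustomobject]@{
        RegistryDisableFlag = if ($null -eq $reg) { 0 } else { [int]$reg }   # absent value = encryption allowed
        FsutilOutput        = $fsutil.Trim()
        ServiceStatus       = $svc.Status
        ServiceStartType    = $svc.StartType
        # Both conditions must hold for users to encrypt or open encrypted files
        EncryptionAllowed   = ($reg -ne 1) -and ($svc.StartType -ne 'Disabled')
    }
}

function Set-EfsState {
    param([Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Mode)

    if ($Mode -eq 'Enable') {
        # 0 clears the NTFS-level block; same effect as the policy set to Disabled/Not Configured
        & fsutil.exe behavior set disableencryption 0 | Out-Null
        # Manual (Trigger Start) is the Windows default; Automatic also works
        Set-Service -Name EFS -StartupType Automatic
        Start-Service -Name EFS -ErrorAction SilentlyContinue
    }
    else {
        # Disabling does not decrypt existing files; users lose access to them instead
        Write-Warning 'Existing EFS-encrypted files will become unreadable. Decrypt them first with cipher /d if needed.'
        & fsutil.exe behavior set disableencryption 1 | Out-Null
        Set-Service -Name EFS -StartupType Disabled
        Stop-Service -Name EFS -Force -ErrorAction SilentlyContinue
    }
    Write-Warning 'The NtfsDisableEncryption change takes effect after a reboot.'
    Get-EfsState
}

# Usage: show the current state, then enable EFS.
Get-EfsState
Set-EfsState -Mode Enable
```

Get-EfsState is worth running before and after a Group Policy refresh as well, because a domain policy that sets the flag to 1 will silently override whatever fsutil wrote locally.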

How to encrypt individual files or folders in Windows

Once NTFS file encryption has been enabled, you can now manually encrypt a file or folder using these methods:

Using File Explorer to encrypt a file or folder

  1. Right-click on the file or folder you’d like to modify.
  2. Select Properties.
  3. Under Attributes, select Advanced.
  4. Tick the box beside Encrypt contents to secure data and click OK to confirm.
  5. Select Apply.

Windows will then ask whether to apply the change to the folder only or to the folder, its subfolders and files (for a single file, whether to also encrypt the parent folder so that future versions saved there stay encrypted). Follow the prompts to proceed. Encrypted files and folders are shown with a lock overlay icon. To decrypt them, follow the same steps and clear the Encrypt contents to secure data box.

Using Command Prompt or PowerShell to encrypt a file or folder

  1. Use Windows Search and type cmd or PowerShell and open it. Administrator rights are not required to encrypt files you own.
  2. Use the cipher command to encrypt a file or folder: cipher /e <full path of file or folder>. Include the file extension. To encrypt a folder together with everything below it, add the /s switch, for example cipher /e /s:<folder path>. Use cipher /d in the same way to decrypt.

If used without parameters, the cipher command shows the encryption state of the files in the current directory. Run cipher /? for the complete list of parameters.
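A practical way to use cipher from PowerShell is to encrypt a folder, then verify the result through the NTFS Encrypted attribute rather than by parsing cipher’s text output, and finally list which certificates can open each file. The script below is an added example, not code from the original article or from NinjaOne; the folder path is an assumption and the probe file content is constructed for the demonstration.

```powershell
# Added example: encrypt a folder with cipher, verify the NTFS Encrypted attribute,
# and audit which encrypted files exist under a root and who can decrypt them.
# Runs as the ordinary user who will own the files; no elevation needed.
$Target = Join-Path $env:USERPROFILE 'Documents\Confidential'   # assumed path

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    # The Encrypted bit is maintained by NTFS itself, so this is a reliable check
    $item = Get-Item -LiteralPath $Path -Force
    return [bool]($item.Attributes -band [IO.FileAttributes]::Encrypted)
}

function Protect-EfsFolder {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    # /e encrypts; /s:<dir> applies the operation to the folder and everything below it.
    # Encrypting the folder also marks it so that files created inside later are encrypted.
    & cipher.exe /e "/s:$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "cipher failed with exit code $LASTEXITCODE (is EFS allowed and the EFS service running?)"
    }
    # A file created after the folder is marked should inherit encryption automatically
    $probe = Join-Path $Path 'probe.txt'
    Set-Content -LiteralPath $probe -Value 'constructed test content'
    [pscustomobject]@{
        Folder           = $Path
        FolderEncrypted  = Test-EfsEncrypted -Path $Path
        NewFileEncrypted = Test-EfsEncrypted -Path $probe
    }
}

function Get-EfsAuditReport {
    param([string]$Root = $env:USERPROFILE)
    # -Attributes Encrypted filters on the NTFS bit, so unencrypted files are never touched
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -Attributes Encrypted -ErrorAction SilentlyContinue |
        ForEach-Object {
            # cipher /c prints the users and recovery agents whose certificates can open the file
            $details = (& cipher.exe /c "$($_.FullName)") -join "`n"
            [pscustomobject]@{ File = $_.FullName; Details = $details }
        }
}

# Usage: encrypt the folder, then report on it.
Protect-EfsFolder -Path $Target
Get-EfsAuditReport -Root $Target | Format-List
```

The audit function is also a quick way to answer the question “what on this machine is EFS-encrypted, and by whom?” before you disable EFS or decommission a user account; files whose cipher /c output lists only a departed user’s certificate and no recovery agent are the ones at risk.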

Managing encrypted files

Windows EFS encryption is a powerful tool for IT administrators and content managers. However, the protection is only as good as the handling of the keys: if the user’s EFS certificate and private key are lost (a corrupted or deleted profile, a reimaged machine, or a local account whose password was reset by an administrator rather than changed by the user), the files are unrecoverable unless a Data Recovery Agent was configured beforehand. Here’s how you can back up and export the certificate and private key for recovery:

  1. Press Windows + R, type certmgr.msc, and press Enter.
  2. Expand Personal > Certificates.
  3. Right-click the certificate whose Intended Purposes column reads Encrypting File System and select All Tasks > Export.
  4. In the Certificate Export Wizard, select Yes, export the private key.
  5. Choose Personal Information Exchange (.PFX), include all certificates in the certification path, and protect the file with a strong password. Store the .pfx somewhere other than the machine it protects.

To access encrypted files on another Windows computer (the files must still reside on an NTFS volume), import the .pfx containing the EFS certificate and private key under the account that will open the files: in Certificate Manager, right-click Personal > Certificates and choose All Tasks > Import.
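The same export and import can be scripted so that a backup is taken consistently. The script below is an added example, not code from the original article or from NinjaOne. It identifies EFS certificates by their enhanced key usage OID 1.3.6.1.4.1.311.10.3.4 (Encrypting File System) and uses the Export-PfxCertificate and Import-PfxCertificate cmdlets from Windows’ PKI module; the output path is an assumption.

```powershell
# Added example: back up the current user's EFS certificate and private key to a
# password-protected .pfx, and import it on another machine.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for Encrypting File System

function Get-EfsCertificate {
    # EFS certificates in the user's Personal store that still have a usable private key
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEku) }
}

function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    # If several exist, the newest is the one Windows uses for new files
    $cert = Get-EfsCertificate | Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        throw 'No EFS certificate with a private key found; encrypt a file first so Windows issues one.'
    }
    # BuildChain is the cmdlet equivalent of "include all certificates in the certification path"
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password -ChainOption BuildChain | Out-Null
    # Restrict the file to the current user until it is moved off this machine
    icacls $PfxPath /inheritance:r /grant:r "$($env:USERNAME):(R)" | Out-Null
    $cert.Thumbprint
}

function Restore-EfsCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Import into the Personal store of the account that will open the files.
    # -Exportable lets this account back the key up again later; omit it to pin the key to this machine.
    $imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My `
        -Password $Password -Exportable
    $imported.Thumbprint
}

# Usage on the source machine:
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
$backupPath = Join-Path $env:USERPROFILE 'Desktop\efs-backup.pfx'   # assumed destination
Backup-EfsCertificate -PfxPath $backupPath -Password $pw

# On the destination machine, after copying the .pfx there:
# Restore-EfsCertificate -PfxPath 'D:\efs-backup.pfx' -Password (Read-Host -AsSecureString -Prompt 'PFX password')
```

Compare the thumbprint returned by Restore-EfsCertificate with the one from the backup, then open one of the encrypted files to confirm the key is usable; cipher /c on that file lists the certificate thumbprints that can decrypt it.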

Security implications and best practices

EFS provides strong encryption (AES-256 by default on current versions of Windows), but the protection is only as good as the handling of the keys and recovery agents. It’s therefore crucial for admins to enforce a sound group policy and maintain a reliable backup system. On that note, here are some security considerations and recommended practices in managing NTFS file encryption.

Control access to private keys

Anyone holding the private key can decrypt the data, and that includes anyone who obtains an exported .pfx and its password or who can log on as the user (the key is protected by the user’s logon credential). Store exported keys in a secure location off the protected machine and limit access to IT admins or security personnel. Organizations also rotate EFS certificates periodically; because existing files remain bound to the old certificate, run cipher /u after issuing a new one so that all encrypted files on the machine are re-keyed to the current certificate.

Maintain backups of recovery certificates

It’s essential to maintain a secure backup of private keys and Data Recovery Agent (DRA) certificates. Preferably, designate at least two recovery agents so that the loss of one key or certificate does not mean complete data loss. On a standalone machine a recovery agent certificate can be generated with cipher /r:<filename>; in a domain, DRAs are assigned through Group Policy under Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System, where these actions can be automated and monitored centrally.

Be careful when transferring files

EFS protects files only at rest on an NTFS volume; it isn’t designed to protect data in transit. Copying or moving an encrypted file to a FAT/exFAT volume, a network share, an e-mail attachment, or cloud storage either fails or writes the file in plaintext, because the copying process reads it decrypted on your behalf (cloud sync clients likewise upload plaintext). To move EFS-encrypted files intact, copy them in raw mode (for example with robocopy /EFSRAW) to another NTFS volume, or put them in a separately encrypted container before transfer. Additionally, ensure the receiving device enforces a strong password and data security policy, since the user’s credential is what ultimately protects the key.
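The following script is an added example, not code from the original article or from NinjaOne, showing how to copy EFS-encrypted files between NTFS volumes without ever writing plaintext, and how to verify afterwards that nothing was silently decrypted. It relies on robocopy’s /EFSRAW switch, which copies the encrypted bytes and EFS metadata without needing the decryption key; the source and destination paths are assumptions.

```powershell
# Added example: move EFS-encrypted files to another NTFS volume in raw mode and
# verify that every copied file still carries the NTFS Encrypted attribute.
function Copy-EfsRaw {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    # Refuse non-NTFS destinations up front: FAT/exFAT cannot store EFS metadata,
    # so the copy would either fail or land in plaintext.
    $root = [IO.Path]::GetPathRoot($Destination)
    $format = (New-Object System.IO.DriveInfo($root)).DriveFormat
    if ($format -ne 'NTFS') {
        throw "Destination volume $root is $format, not NTFS; refusing to copy EFS data there."
    }

    # /E includes subfolders (even empty ones); /EFSRAW copies encrypted files as raw
    # ciphertext plus their EFS metadata, so the copying account needs no decryption key
    # and plaintext never touches the destination.
    & robocopy.exe $Source $Destination /E /EFSRAW /COPY:DAT /R:1 /W:1 /NP | Out-Null
    # robocopy exit codes 0-7 are success bits (what was copied); 8 and above mean failures
    if ($LASTEXITCODE -ge 8) {
        throw "robocopy reported failures (exit code $LASTEXITCODE)"
    }

    # Verify: anything without the Encrypted bit in the destination is a plaintext leak
    $files = @(Get-ChildItem -LiteralPath $Destination -Recurse -File -Force)
    $plain = @($files | Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) })
    [pscustomobject]@{
        Copied         = $files.Count
        StillEncrypted = $files.Count - $plain.Count
        PlaintextFiles = $plain.FullName
    }
}

# Usage (assumed paths): both sides must be NTFS volumes.
Copy-EfsRaw -Source (Join-Path $env:USERPROFILE 'Documents\Confidential') -Destination 'D:\Backup\Confidential'
```

The verification step matters because a plain copy to an NTFS destination succeeds as well; it just produces decrypted files unless the destination folder is itself marked for encryption. Checking the Encrypted attribute on the result is the only reliable way to tell the two outcomes apart.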

In addition to Windows BitLocker and EFS, you can use third-party encryption key management software to strengthen your backups, improve monitoring, and raise organizational compliance.

Manage NTFS file encryption status in real-time

NTFS file encryption can help organizations control sensitive data on an individual level. However, without a centralized solution and monitoring system, this can take significant resources to maintain. To manage devices with ease, consider adopting a cross-platform IT solution or an endpoint management software to help monitor encryption status in real-time and automate the management of recovery keys.
