Can't use EFS: "This machine is disabled for encryption."

Marlan

I have not been able to find this problem documented anywhere. My
platform is Windows XP Professional SP-2. I am logged in as a member of
the Administrators group, and am using NTFS.

The problem is that I can't encrypt anything. Whenever I try enabling
EFS for any file or folder, I get this message:

Error Applying Attributes
This machine is disabled for encryption.

Please point me in the right direction to solve this, if you can.
 
Rick "Nutcase" Rogers

Hi Marlan,

Sounds like a group policy in effect - are you on a domain? If so, you need
to check with the network administrator.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Associate Expert - WindowsXP Expert Zone

Windows help - www.rickrogers.org
 
Torgeir Bakken (MVP)

Rick said:
Hi Marlan,

Sounds like a group policy in effect - are you on a domain?
If so, you need to check with the network administrator.

Hi

That is what we have done on our domain, disabled EFS with a GPO.
 
Marlan

Thank you very much for the reply. But no, I'm not on a domain; this is
for all intents and purposes a standalone machine.

I had looked over stuff in Group Policy, but didn't see anything that I
thought would affect this. Any idea what specific setting(s) would
cause this? Unless I missed something, everything under Computer
Configuration > Administrative Templates is "Not configured" on my
system, except for some options under Terminal Services.
 
Marlan

Actually, everything in every area of GP is "Not configured", except for
a few settings under Terminal Settings, which I can't imagine have any
effect on EFS. Maybe something under "User Rights Assignment" or
"Security Options"? I don't see anything obvious...
 
Marlan

Marlan said:
I have not been able to find this problem documented anywhere. My
platform is Windows XP Professional SP-2. I am logged in as a member
of the Administrators group, and am using NTFS.

The problem is that I can't encrypt anything. Whenever I try enabling
EFS for any file or folder, I get this message:

Error Applying Attributes
This machine is disabled for encryption.

Please point me in the right direction to solve this, if you can.

I think I found the problem. The article here has provided (what I
assume will be) an answer:

http://www.microsoft.com/resources/documentation/windows/xp/all/reskit/en-us/prnb_efs_dgwp.asp

(Sorry for the wrapping on that URI)

My "EfsConfiguration" value is set to 1. I have *NO* idea how this
happened, because I know I never did it. This is strange and annoying.
One other thing is that the message they say occurs is different from
mine ("An error occurred applying attributes to the file: filename. The
directory has been disabled for encryption."). So this may not do it
after all, I guess I'll find out.
 
Torgeir Bakken (MVP)

Marlan said:
Thank you very much for the reply. But no, I'm not on a domain; this is
for all intents and purposes a standalone machine.

I had looked over stuff in Group Policy, but didn't see anything that I
thought would affect this. Any idea what specific setting(s) would
cause this? Unless I missed something, everything under Computer
Configuration > Administrative Templates is "Not configured" on my
system, except for some options under Terminal Services.

Hi

But this one is not an ordinary entry in gpedit.msc

1. In the Group Policy Object Editor, expand Computer Configuration,
expand Windows Settings, expand Security Settings, expand Public Key
Policies, and then click Encrypting File System.

2. Right-click Encrypting File System, and then click Properties.

3. There you will find an "Allow users to encrypt files using Encrypting
File System (EFS)" check box.


Anyway, using encryption is overkill in many cases, and also "dangerous",
at least when using EFS to do it.

It is not without reason that many call EFS the "delayed Recycle Bin",
and I advise people to not use EFS unless they are in a domain. Several
times a week, people post cries for help in the newsgroups after having
lost their encrypted files, some even if they exported their keys/certs.
Too many things can go wrong in a non-domain environment.

From a previous posting of mine in the
microsoft.public.windowsxp.security_admin newsgroup:

Read and understand the information in the links below before you start
using Encrypting File System (EFS), or you will very likely lose your
files one time in the future:

Best Practices for the Encrypting File System
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316

Encrypting File System in Windows XP and Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/CryptFS.asp

(58 pages, will also tell the differences between Win2k and WinXP
regarding EFS)

Also gives information/links on how to export keys, e.g.

"Data Recovery on Standalone Machines"

Under "Knowledge Base Articles on EFS" you will find e.g.

241201 How to Back Up Your Encrypting File System Private Key
259732 EFS Recovery Agent Cannot Export Private Keys
255742 Methods for Recovering Encrypted Data Files


Reading 255742 will give you this as well:

241201 HOW TO: Back Up Your Encrypting File System Private Key in
Windows 2000

242296 How to Restore an EFS Private Key for Encrypted Data Recovery


If your computer is not a member of an AD domain, this part of the
document is obligatory reading:

"Using EFS with Standalone Machines or NT 4.0 Domains"
 
Marlan

But this one is not an ordinary entry in gpedit.msc

1. In the Group Policy Object Editor, expand Computer Configuration,
expand Windows Settings, expand Security Settings, expand Public Key
Policies, and then click Encrypting File System.

2. Right-click Encrypting File System, and then click Properties.

3. There you will find an "Allow users to encrypt files using
Encrypting File System (EFS)" check box.


Anyway, using encryption is overkill in many cases, and also
"dangerous", at least when using EFS to do it.

Thank you very much for such a thorough reply. The setting you pointed
out in GP was enabled on my system, but in my other post, I mentioned
another registry setting that had been set somehow (the EfsConfiguration
value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS). I
think that was my problem.

I also appreciate the warnings about EFS. I only intend to use it for
temporary files. I use BestCrypt for the other stuff. ;)
 
Alex Nichol

Marlan said:
I have not been able to find this problem documented anywhere. My
platform is Windows XP Professional SP-2. I am logged in as a member of
the Administrators group, and am using NTFS.

The problem is that I can't encrypt anything. Whenever I try enabling
EFS for any file or folder, I get this message:

Error Applying Attributes
This machine is disabled for encryption.

Check in a run of gpedit.msc, at Windows Settings - Security Settings -
Public Key Policies - Encrypting File System to see if there is a
Policy defined for it (by default there is none).

And be very sure that if you do encrypt that you also make a secure
backup of the encryption Certificates *off the machine*, or you are
liable after a reinstall or other operation to find the files totally
and permanently inaccessible.

Personally I do not like this system; it has that danger, but at the
same time when the system is working the files are completely
transparent to the owner; so they are in fact no more secure than his
log on password - in a word, not very. Much better to use a good third
party encryption package, where you have to give the password separately.
 
Torgeir Bakken (MVP)

Alex said:
Marlan wrote:

Check in a run of gpedit.msc, at Windows Settings - Security
Settings - Public Key Policies - Encrypting File system to see
if there is a Policy defined for it (by default there is none)

Hi

Note that there is also a not so ordinary "entry" in gpedit.msc
for this, you need to right click and select Properties on the
Public Key Policies "folder":

1. In the Group Policy Object Editor, expand Computer Configuration,
expand Windows Settings, expand Security Settings, expand Public Key
Policies, and then click Encrypting File System.

2. Right-click Encrypting File System, and then click Properties.

3. There you will find an "Allow users to encrypt files using Encrypting
File System (EFS)" check box.
 
Alex Nichol

Torgeir said:
1. In the Group Policy Object Editor, expand Computer Configuration,
expand Windows Settings, expand Security Settings, expand Public Key
Policies, and then click Encrypting File System.

2. Right-click Encrypting File System, and then click Properties.

3. There you will find an "Allow users to encrypt files using Encrypting
File System (EFS)" check box.

Thanks for that. I always say 'if in doubt right click'; it had not
occurred to me to r-click there
 
Marlan

Alex said:
Thanks for that. I always say 'if in doubt right click'; it had not
occurred to me to r-click there

It didn't occur to me either. By right clicking somewhere in there, I
also found an option to remove the requirement for a data-recovery
agent, which (according to what I read) can cause EFS problems on
stand-alone systems. (No need for warnings about EFS... I only use it
for temp files.)
 
Marlan

The problem has been solved, and it wasn't a policy issue, per se. It
was another (obscure) registry setting, as noted in my other posts. But
thanks.
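
Added example, not part of the original thread: a PowerShell check that reads the EfsConfiguration value from the key Marlan names and then tries to encrypt a scratch file, so the registry state can be compared with the actual symptom. It assumes PowerShell 3.0 or later; the function names are hypothetical, and the Policies key is the policy-backed location, which the thread does not name.

```powershell
# Added example; not code from the thread. Reading HKLM needs no elevation.
$efsKeys = [ordered]@{
    # Key named in the thread (local machine setting)
    'Local'  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
    # Policy-backed location (assumption: not named in the thread)
    'Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'
}

function Get-EfsConfiguration {
    # One object per key: the EfsConfiguration value, or $null when it is absent.
    foreach ($name in $efsKeys.Keys) {
        $value = $null
        $item = Get-ItemProperty -Path $efsKeys[$name] -Name 'EfsConfiguration' `
                    -ErrorAction SilentlyContinue
        if ($item) { $value = $item.EfsConfiguration }
        [pscustomobject]@{
            Source   = $name
            Value    = $value
            Disabled = ($value -eq 1)   # 1 is the value Marlan found set
            Path     = $efsKeys[$name]
        }
    }
}

function Test-EfsEncrypt {
    # Functional probe: encrypt a scratch file and capture the OS error, if any.
    $probe = Join-Path $env:TEMP ('efs-probe-{0}.tmp' -f [guid]::NewGuid())
    Set-Content -Path $probe -Value 'probe'
    try {
        [System.IO.File]::Encrypt($probe)
        [pscustomobject]@{ Encrypted = $true; Error = $null }
    } catch {
        [pscustomobject]@{ Encrypted = $false; Error = $_.Exception.Message }
    } finally {
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
    }
}

$config = Get-EfsConfiguration
$result = Test-EfsEncrypt
$config | Format-Table Source, Value, Disabled, Path -AutoSize
$result | Format-List
if (-not $result.Encrypted -and -not ($config | Where-Object Disabled)) {
    Write-Warning 'Encryption failed, but EfsConfiguration is not 1 in either key; the cause lies elsewhere.'
}
```

A value of 1 under Local with nothing under Policy matches the situation Marlan describes: Group Policy shows everything as "Not configured", yet encryption is refused.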
 
