/
/

How to Enable or Disable NTFS File Encryption in Windows

by Angelo Salandanan, IT Technical Writer
How to Enable or Disable NTFS File Encryption in Windows blog banner image
How to Enable or Disable NTFS File Encryption in Windows blog banner image

Key points

  • Configure via Group Policy: To change the encryption policy system-wide, navigate to Computer Configuration\Administrative Templates\System\Filesystem\NTFS and set the Do not allow encryption on all NTFS volumes policy to Disabled (to allow encryption) or Enabled (to block it).
  • Manage via Command Line: Run fsutil behavior set disableencryption 0 in an elevated Command Prompt to enable EFS system-wide, or use fsutil behavior set disableencryption 1 to disable it, followed by a system restart.
  • Control via Windows Services: Open services.msc, locate the Encrypting File System (EFS) service, and change the startup type to Manual or Automatic to ensure it can run, or select Disabled to turn it off completely.
  • Encrypt Individual Folders and Files: Once EFS is active, right-click an item in File Explorer, select Properties, click Advanced under attributes, and check Encrypt contents to secure data.
  • Encrypt via Cipher Command: Execute cipher /e “C:\full\path\to\folder” in PowerShell or Command Prompt to instantly encrypt a target directory, ensuring quotation marks are used for paths containing spaces.

 

⚠️ Important Note on Windows Editions
EFS requires an NTFS file system and is only supported on Windows Pro, Enterprise, and Education editions. If you are running Windows Home, the options detailed below will be greyed out or missing.

The built-in Encrypting File System (EFS) is one of Windows’ best and most accessible NTFS file encryption tools. As the administrator, you can turn the program on or off using the Local Group Policy Editor (GPO), Command Prompt, PowerShell, or Services. If it’s your first time looking to run EFS, check out our guide below to see how and when you should use the NTFS file encryption system.

Understanding NTFS file encryption (EFS)

The NTFS, or New Technology File System, is the file system used on hard drives and solid-state drives (SSDs). On the other hand, EFS is an integrated utility that can encrypt files and folders in NTFS drives. When enabled, EFS restricts users or applications from accessing the encrypted files without a key.

Unlike BitLocker, which can lock access to an entire drive or volume, EFS provides file-level encryption. As such, EFS often adds a layer of security in computers shared by multiple users. To further solidify your understanding of EFS operations, you may view this short visual walkthrough: ‘IT Guide: What Is Encrypting File System (EFS)?’.

How to enable NTFS file encryption in Windows

We have several ways to enable or disable EFS. Let’s go through the steps below.

Enable NTFS encryption using the Group Policy Editor (GPO)

  1. Open the Local Group Policy Editor. (See how)
  2. Navigate to Computer Configuration\Administrative Templates\System\Filesystem\NTFS.
  3. In the right pane, double-click the Do not allow encryption on all NTFS volumes policy to modify it.
  4. Toggle Disable or leave it as Not Configured (default) to allow NTFS File Encryption.
  5. Click Apply, then OK.

Enable NTFS encryption using Command Prompt or PowerShell

  1. Open Command Prompt or PowerShell with Administrator privileges.
  2. Type fsutil behavior set disableencryption 0. Press Enter.
  3. Restart the computer to apply changes.

Enable NTFS encryption using Services

  1. Press Windows+R and type services.msc. Press Enter.
  2. Find and double-click on Encrypting File System (EFS) to open Properties.
  3. Click the Startup type drop-down menu and select Manual (the Windows default) or Automatic.
  4. Click Apply and then click OK to save these changes.

Technical Note: By default, Windows uses a “Trigger Start” for EFS. Leaving it on Manual allows the operating system to spin up the service instantly the moment you access an encrypted file, saving background system resources when it’s not in use.

How to disable NTFS file encryption in Windows

We can also disable EFS using the GPO, Command Prompt, PowerShell, or Services.

Disable NTFS encryption using the Group Policy Editor (GPO)

  1. Open the Local Group Policy Editor.
  2. Navigate to Computer Configuration\Administrative Templates\System\Filesystem\NTFS.
  3. In the right pane, double-click on the Do not allow encryption on all NTFS volumes policy to modify it.
  4. Toggle Enable to prevent NTFS File Encryption.
  5. Click Apply, then OK.

Disable NTFS encryption using Command Prompt or PowerShell

  1. Open Command Prompt or PowerShell with Administrator privileges.
  2. Type fsutil behavior set disableencryption 1. Press Enter.
  3. Restart the computer to apply changes.

Disable NTFS encryption using Services

  1. Press Windows+R and type “services.msc”. Press Enter.
  2. Find and double-click on Encrypting File System (EFS) to open Properties.
  3. Click the Startup type drop-down menu to select Disabled.
  4. Click Apply and then click OK to save these changes.

How to encrypt individual files or folders in Windows

Once you enable NTFS file encryption, you can now manually encrypt a file or folder using these methods:

Using File Explorer to encrypt a file or folder

  1. Right-click on the file or folder you’d like to modify.
  2. Select Properties.
  3. Under Attributes, select Advanced.
  4. Tick the box beside Encrypt contents to secure data and click OK to confirm.
  5. Select Apply.

The system will also prompt you to decide whether to extend the encryption to related files and folders. Follow the prompts to proceed. The encrypted files or folders will now have a lock icon. To unlock them, follow the same steps.

Using Command Prompt or PowerShell to encrypt a file or folder

  1. Use Windows Search and type cmd or PowerShell. Run as an Administrator.
  2. Use the cipher command to encrypt a file or folder by typing: cipher /e “C:\full\path\to\folder”. (Be sure to include the quotation marks around your path if any folder names contain spaces.)

If used without parameters, the cipher command will show the encryption state of the current directory. Here’s the complete list of cipher parameters.

Managing encrypted files

Windows EFS encryption is a powerful tool for IT administrators and content managers. However, data protection at this level is incomplete without an excellent backup system. Here’s how you can backup and export security certificates for recovery:

  1. Press Windows + R, type certmgr.msc, and press Enter.
  2. Expand Personal > Certificates.
  3. Right-click the EFS certificate and select All Tasks > Export.
  4. In the Certificate Export Wizard, select Yes, export the private key.
  5. Choose Personal Information Exchange (.PFX) and include all certificates in the certification path.

To access encrypted files on another NTFS-formatted computer, you need to import the EFS certificate and private key. Go to the Certificate Manager to import the certificate.

Security implications and best practices

EFS provides reliable encryption, especially on the most recent versions of Windows. However, it’s still crucial for admins to enforce a strong group policy and maintain a reliable backup system. On that note, here are some security considerations and recommended practices in managing NTFS File Encryption.

Control access to private keys

Unauthorized users can use the key to decrypt data. Hence, it’s imperative to store the private key in a secure location. It might also help to limit its access to IT admins or security personnel. It’s also common practice for organizations to regularly replace their keys. This is to keep the integrity of the overall data security policy.

Beware of Forced Password Resets: If an administrator forces a password reset on a local user account using management tools, that user will instantly lose access to all of their EFS-encrypted files. Windows destroys the master key linkage during a forced reset to protect data integrity. Always ensure a Domain Data Recovery Agent (DRA) is configured in your network environment before relying heavily on EFS.

Maintain backups of recovery certificates

It’s essential to maintain a secure backup of private keys and recovery certificates. Preferably, assign at least two security agents to prevent complete data loss. Especially when one of the keys or certificates is lost. If you are part of a managed environment, these actions can be automated and monitored remotely.

Be careful when transferring files

EFS-encrypted files lose encryption when moved in non-NTFS storage since EFS isn’t designed to protect data when it’s transferred. When transferring files, consider cloud storage or another NTFS-formatted storage device or location. Additionally, ensure the receiving device observes a strong password and data security policy.

In addition to Windows BitLocker and EFS, you can use third-party encryption key management software. This can strengthen your backups, improve monitoring, and support organizational compliance.

Secure sensitive files or remove encryption when needed. Watch How to Enable or Disable NTFS File Encryption in Windows.

Manage NTFS file encryption status in real-time

NTFS file encryption can help organizations control sensitive data on an individual level. However, without a centralized solution and monitoring system, this can take significant resources to maintain. To manage devices with ease, consider adopting a cross-platform IT solution. Alternatively,. an endpoint management software can help monitor encryption status in real-time and automate the management of recovery keys.

Check out NinjaOne Endpoint Management FAQ to learn how NinjaOne helps IT teams automate encryption policies and ensure compliance across all devices.

FAQs

NTFS encryption uses Windows’ Encrypting File System (EFS) to secure individual files and folders on NTFS drives. It restricts unauthorized access by requiring a valid user-specific public key and private key pair to open or modify the files.

You can enable EFS system-wide using either of these methods:

  • Group Policy: Navigate to System > Filesystem > NTFS and change the Do not allow encryption… policy to Disabled.
  • Command Line: Run fsutil behavior set disableencryption 0 in an elevated Command Prompt, then restart your PC.

To block or turn off EFS system-wide, use either of these methods:

  • Group Policy: Navigate to System > Filesystem > NTFS and change the Do not allow encryption… policy to Enabled.
  • Command Line: Run fsutil behavior set disableencryption 1 in an elevated Command Prompt, then restart your PC.

EFS provides flexible, file-level encryption for specific files or folders and is tied to individual user accounts. BitLocker provides full-volume encryption, locking down the entire hard drive or partition to protect the operating system and data from offline attacks.

Yes. On supported Windows editions (Pro, Enterprise, and Education), EFS is active by default. You can immediately right-click a file or folder, go to Properties > Advanced, and check “Encrypt contents to secure data.” You only need to use Group Policy or command-line tools if an administrator has previously disabled EFS system-wide.

Windows automatically changes the text color of EFS-encrypted files and folders to bright green in File Explorer to make them instantly recognizable. If you prefer to turn this off, open File Explorer Options, navigate to the View tab, scroll down, and uncheck “Show encrypted or compressed NTFS files in color.”

Yes, but not automatically. Because EFS links data directly to a single user’s digital profile, other users on the same computer will receive an “Access Denied” error if they try to open it. To grant access to others, right-click the file, go to Properties > Advanced, click Details next to the encryption checkbox, and manually add the recovery certificates of the users you want to share it with.

EFS only protects data while it resides locally on an NTFS-formatted storage drive. The moment you attach the file to an email, upload it to a web browser, or move it to a FAT32/exFAT formatted USB flash drive, Windows automatically decrypts the file on the fly. To keep data secure while in transit or in the cloud, you should use alternative methods like BitLocker or password-protected ZIP archives.

You might also like

Ready to simplify the hardest parts of IT?