The Encrypting File System (EFS) allows you to secure data on NTFS volumes, but it also adds some processor overhead to your machine and can affect the performance of some applications, particularly SQL Server.
On Windows Vista and later, you can prevent users from encrypting their files in two ways. First, by running the command fsutil behavior set disableencryption 1 you can disable EFS on all NTFS volumes on your machine, so by deploying this command using a logon script you can disable EFS on targeted users’ computers.
And second, since all the above fsutil command does is to modify NtfsDisableEncryption, a REG_DWORD value found under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem, this means that you could also create a custom ADMX file to deploy this registry modification using Group Policy. For more information on how to create a custom ADMX file, see KB 918239
Note that if either method is used, the registry modification doesn’t take effect until after a reboot. In addition, before you disable encryption you should decrypt any previously encrypted files and folders on the machine, otherwise you won’t be able to access them once encryption has been disabled.
Mitch Tulloch was lead author for the Windows Vista Resource Kit from Microsoft Press, which is THE book for IT pros who want to deploy, maintain and support Windows Vista in mid- and large-sized network environments. For more information see www.mtit.com.