In the first part of this guide you will learn how to install the BitLocker Drive Encryption feature on Windows Server 2012 R2.
- Log on to Example-Server01.
- On the Start screen click Server Manager.
- On the Server Manager window, click Manage on the top right and from the menu select Add Roles and Features.
- On the Before you begin page, click Next.
- On the Select installation type page, select Role-based or feature-based installation and click Next.
- On the Select destination server page, select Select a server from the server pool and then select Example-Server01.Example.com from the Server pool in the middle table and click Next.
- On the Select server roles page, click Next.
- On the Select features page, select BitLocker Drive Encryption from the list and in the new dialog box select Include management tools (if applicable) and click Add Features.
- On the WDS page, click Next.
- On the Select role services page, click Deployment Server and Transport Server and click Next.
- On the Confirm installation selections page, click Install.
- Once the installation has finished successfully, click Close.
You can disable EFS for a folder, a computer or even the entire domain. To disable EFS for a folder, create a file called Desktop.ini that contains:
Save this file in the folder in which you want EFS to be disabled. When a user tries to encrypt the folder or the files in it, Windows shows the message “An error occurred applying attributes to the file: filename. The directory has been disabled for encryption.”
Please note that only the current folder and the files in it are affected by the Desktop.ini file. If you create a subfolder, both the subfolder and any files in it can be encrypted. Also, encrypted files can be copied or moved, without losing their encryption, into the directory that contains the Desktop.ini file.
Disabling EFS for a Stand-Alone Computer
If you want to disable EFS for the entire computer, you need to add an entry to the computer Registry:
- In the Run dialog box, type regedit.exe.
- Navigate to the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS.
- On the Edit menu, point to New, and then click DWORD Value.
- Enter EfsConfiguration for the value name and 1 for the value data to disable EFS. (A value of 0 enables EFS.)
- Restart the computer.
- If EFS is disabled and a user tries to encrypt a file or folder, a message tells the user that “An error occurred applying attributes to the file: filename. The directory has been disabled for encryption.”
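The registry steps above can also be scripted so that the change is repeatable and is verified after it is written. The following PowerShell is an added example, not part of the original guide; the function names Get-EfsConfiguration and Set-EfsConfiguration are illustrative, and the script assumes an elevated PowerShell 4.0 or later session.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted, idempotent form of the registry steps above.
# Function and variable names are illustrative, not from the original guide.

$EfsKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
$ValueName = 'EfsConfiguration'

function Get-EfsConfiguration {
    # Returns the current DWORD, or $null when the value has never been set.
    $prop = Get-ItemProperty -Path $EfsKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$ValueName
}

function Set-EfsConfiguration {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 1 disables EFS, 0 enables it (same meaning as in the manual steps).
        [Parameter(Mandatory = $true)][ValidateSet(0, 1)][int]$Value
    )

    $current = Get-EfsConfiguration
    if ($current -eq $Value) {
        Write-Output "EfsConfiguration is already $Value; nothing to change."
        return
    }

    if ($PSCmdlet.ShouldProcess("$EfsKey\$ValueName", "Set DWORD to $Value")) {
        if (-not (Test-Path -Path $EfsKey)) {
            New-Item -Path $EfsKey -Force | Out-Null
        }
        # -Force overwrites an existing value of the same name.
        New-ItemProperty -Path $EfsKey -Name $ValueName -PropertyType DWord `
            -Value $Value -Force | Out-Null

        # Read the value back to confirm the write before asking for a reboot.
        if ((Get-EfsConfiguration) -ne $Value) {
            throw "EfsConfiguration was not written as expected."
        }
        Write-Output "EfsConfiguration changed from '$current' to $Value. Restart the computer to apply."
    }
}

# Disable EFS on this computer; add -WhatIf to preview without writing.
Set-EfsConfiguration -Value 1
```

Running Get-EfsConfiguration on its own reports the current state without changing anything, which is useful when auditing several stand-alone machines.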