2008.09.05 13:47:16
Be careful when you Disable EFS through GPOs
I have a customer that used the default domain group policy to disable the Encrypting File System (EFS). Recently they got a new requirement to use EFS for a particular application's file storage. At first this project sounded very easy: all we needed to do was create and link another domain policy at the OU level to enable EFS. Unfortunately this does not work for EFS settings. Once you set EFS in a policy there is no going back. EFS is either Enabled or Disabled, and once you have set this setting within a policy there is no way to set it back to 'Not defined'. Below are the technical details of the bug and the workaround.
PROBLEM DESCRIPTION

When EFS is disabled by group policy, the registry value EfsConfiguration is set to 1. When that policy is disabled (thus re-enabling EFS), the EfsConfiguration value is removed, not set to zero. If another policy that also disables EFS applies to the computer, the two policies cannot be properly merged because the EfsConfiguration value no longer exists. The net result is that, once EFS has been disabled by Group Policy at one level, it cannot be re-enabled at that level if some other policy is also configured to disable EFS, regardless of the order of precedence of the policies.
WORKAROUND
According to Microsoft this problem has been fixed in Windows 2008 and Vista clients. It is not fixed for XP or W2K clients. For our customer, below are the steps we took as a workaround:
1. Create a Global Group called “Enable EFS GG” and make the servers where EFS is required members of this global group.
2. Apply a negative filter (deny Apply Group Policy) on the default domain policy for Enable EFS GG.
3. Duplicate the default domain policy, enable the EFS setting in the copy, and apply it only to Enable EFS GG.
4. Link the newly created GPO.
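The four workaround steps above, scripted as an added example that is not part of the original post. It assumes the ActiveDirectory and GroupPolicy RSAT modules in an elevated domain-admin session; the group and source GPO names are the post's, while the OU, the server names and the name of the duplicated GPO are placeholders. Because Set-GPPermission cannot write a Deny entry, step 2 adds the "Deny Apply Group Policy" ACE to the GPO's AD object directly.

```powershell
# Added example (not the post's own script): the EFS workaround steps.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'Enable EFS GG'                    # name from the post
$SourceGpo = 'Default Domain Policy'
$NewGpo    = 'Enable EFS Policy'                # placeholder name for the duplicate
$TargetOu  = 'OU=Servers,DC=example,DC=com'     # placeholder OU
$Servers   = @('EFSSRV01', 'EFSSRV02')          # placeholder computer names

# Step 1: global security group containing the servers that need EFS.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $TargetOu
}
$members = $Servers | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $GroupName -Members $members

# Step 2: negative filter. Add "Deny Apply Group Policy" for the group on the
# default domain policy's AD object (CN={GPO GUID},CN=Policies,CN=System,...).
$gpo          = Get-GPO -Name $SourceGpo
$domainDn     = (Get-ADDomain).DistinguishedName
$gpoDn        = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
$applyGpRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply-Group-Policy extended right
$groupSid     = (Get-ADGroup -Identity $GroupName).SID

$acl  = Get-Acl -Path "AD:\$gpoDn"
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpRight)
$acl.AddAccessRule($deny)
Set-Acl -Path "AD:\$gpoDn" -AclObject $acl

# Step 3: duplicate the default domain policy and scope it to the group only.
# The copy still carries "EFS disabled"; switch it to Enabled in GPMC under
# Computer Configuration > Windows Settings > Security Settings > Public Key Policies.
Copy-GPO -SourceName $SourceGpo -TargetName $NewGpo | Out-Null
# Keep Read for Authenticated Users (computers must still read the GPO) but
# grant Apply only to the EFS group.
Set-GPPermission -Name $NewGpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $NewGpo -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Step 4: link the new GPO.
New-GPLink -Name $NewGpo -Target $TargetOu -LinkEnabled Yes | Out-Null
```

After step 2, GPMC reports a permission mismatch between the AD object and the SYSVOL folder until the same deny entry is applied to the GPO's SYSVOL directory (GPMC offers to fix this when the GPO is opened), so check the delegation tab of the default domain policy before running gpupdate on the servers.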

Although this is not an optimal scenario, it did the trick. Alternatively you can manage the EFS key in the registry directly. Details of the key are below:
KeyName: Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS
ValueName: EfsConfiguration
ValueType: REG_DWORD
Value: 0x00000000
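An added example, not from the original post, for auditing and correcting the registry value listed above on the local machine or a list of servers. The key path and value name are the post's; the server names are placeholders, and the functions assume an elevated session (and WinRM for the remote audit).

```powershell
# Added example (not the post's own script): read and set the EFS policy value.
function Get-EfsPolicyState {
    # Returns Enabled, Disabled or NotDefined for the local machine.
    $keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'
    $valueName = 'EfsConfiguration'
    if (-not (Test-Path -Path $keyPath)) { return 'NotDefined' }
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotDefined' }
    switch ($item.$valueName) {
        0       { return 'Enabled' }     # 0x00000000: EFS allowed
        1       { return 'Disabled' }    # 0x00000001: EFS disabled by policy
        default { return "Unknown($($item.$valueName))" }
    }
}

function Set-EfsPolicyState {
    # Writes the DWORD directly. Note that the next Group Policy refresh will
    # overwrite it again unless the policy itself is fixed.
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State)
    $keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS'
    $valueName = 'EfsConfiguration'
    if (-not (Test-Path -Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    $value = if ($State -eq 'Enabled') { 0 } else { 1 }
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $value -Force | Out-Null
}

# Local check
"{0}: {1}" -f $env:COMPUTERNAME, (Get-EfsPolicyState)

# Remote audit of the servers that should have EFS enabled (placeholder names).
$Servers = @('EFSSRV01', 'EFSSRV02')
Invoke-Command -ComputerName $Servers -ScriptBlock ${function:Get-EfsPolicyState} |
    ForEach-Object { "{0}: {1}" -f $_.PSComputerName, $_ }
```

Run the audit after the GPO change and a gpupdate on the servers: a server that still reports Disabled is receiving a policy that sets the value to 1, which is exactly the merge problem described above.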

Issam Andoni