Encryption/decryption happens automatically with most of the regular api calls if the right cert is installed.
However there are situations when if the drive was taken out of the computer for forensic analysis, you would need to access the encrypted files.
In that situation there is usually a delegated decryption user's certificate is stated in the encrypted files metadata, usually it is a active directory primary administrator who allowed the EFS to be used by regular users. So you would need to acquire the
cert from that admin to the computer which will try to decrypt affected files.
I think think we could add some extra methods when the right Windows license with EFS lands on one of our hands.