Troubleshooting EFS

Typical EFS problem situations and approaches to solving them are discussed in this section.

When I try to encrypt my files, it doesn't work.

Make sure that the following conditions are true:

  • A recovery agent policy has been defined.

  • The file volume is NTFS.

  • The file is not compressed.

  • You have write access to the file.

Sometimes users think that a file is not encrypted because they can still open and read it; a user who holds the key sees no difference. Remind them to verify that the file is encrypted by checking the file's encryption attribute.

Sometimes a user tries to encrypt a folder that has the compression attribute set or is on a compressed drive. First, you have to remove the compression attribute, and then you can encrypt.
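The conditions listed above can be checked before attempting to encrypt. The following PowerShell function is an added example, not part of the original page or of Windows itself; it assumes a Windows host with EFS available and PowerShell 3.0 or later, and the path in the usage line is a placeholder. It reports the volume file system, the compression and encryption attributes, and whether the current account can open the file for writing. The recovery agent policy is set by Group Policy and is not checked here.

```powershell
# Added example (not from the original page): check the prerequisites the text lists
# before attempting to encrypt one file with EFS. Assumes Windows + PowerShell 3.0 or later.
function Test-EfsPrerequisites {
    param([Parameter(Mandatory)][string]$Path)

    $item  = Get-Item -LiteralPath $Path -ErrorAction Stop
    $attrs = $item.Attributes

    # The file system of the volume holding the file (EFS requires NTFS).
    $root  = [System.IO.Path]::GetPathRoot($item.FullName)
    $drive = New-Object System.IO.DriveInfo ($root)

    $result = [ordered]@{
        Path           = $item.FullName
        VolumeFormat   = $drive.DriveFormat
        IsNtfs         = ($drive.DriveFormat -eq 'NTFS')
        # Compression and encryption are mutually exclusive attributes.
        IsCompressed   = [bool]($attrs -band [System.IO.FileAttributes]::Compressed)
        IsEncrypted    = [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
        HasWriteAccess = $false
    }

    # Probe write access by opening for write without truncating or changing the file.
    try {
        $fs = [System.IO.File]::Open($item.FullName, 'Open', 'Write', 'ReadWrite')
        $fs.Dispose()
        $result.HasWriteAccess = $true
    }
    catch [System.UnauthorizedAccessException] {
        $result.HasWriteAccess = $false
    }

    $result.CanEncrypt = $result.IsNtfs -and (-not $result.IsCompressed) -and $result.HasWriteAccess
    [pscustomobject]$result
}

# Usage (placeholder path): shows why encryption would fail before the user tries it.
Test-EfsPrerequisites -Path 'C:\Data\report.doc' | Format-List
```

If IsCompressed is true, clear the compression attribute first (for example, in the file's Properties dialog), then encrypt; if IsNtfs is false, the file must be moved to an NTFS volume before it can be encrypted.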

I can't open files I have encrypted.

Make sure you have the correct EFS certificate and private key for the file. If it is an old file, the public key and private key set might no longer be available. Expired certificates and private keys are archived. However, users can delete archived certificates and private keys, or they might be damaged. If so, recover the file as described earlier in this chapter.

If the computer previously operated in stand-alone mode and is now a member of a domain, this can be the cause. The file might have been encrypted by using a local self-signed certificate issued by the computer, whereas the CA designated at the domain level is now the issuing authority.

Are there warnings to a user that a file goes from an encrypted state to an unencrypted state when copying or moving?

There is no warning. Always check the properties of the resulting file to ensure that it is still encrypted.
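Because Windows gives no warning, the check can be built into the copy or move itself. The following PowerShell function is an added example, not part of the original page or of Windows; it assumes a Windows host with PowerShell 3.0 or later, and the paths in the usage lines are placeholders. It records the encryption attribute of the source, performs the copy or move, reads the attribute on the resulting file, and warns when the file has become unencrypted (for example, because the destination is a FAT volume).

```powershell
# Added example (not from the original page): copy or move a file and verify that the
# result is still EFS-encrypted, since Windows itself does not warn when encryption is lost.
function Copy-ItemCheckEfs {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [switch]$Move
    )

    $encFlag = [System.IO.FileAttributes]::Encrypted
    $sourceEncrypted = [bool]((Get-Item -LiteralPath $Source -ErrorAction Stop).Attributes -band $encFlag)

    # Resolve the final file name when the destination is a folder.
    if (Test-Path -LiteralPath $Destination -PathType Container) {
        $target = Join-Path $Destination (Split-Path -Path $Source -Leaf)
    } else {
        $target = $Destination
    }

    if ($Move) {
        Move-Item -LiteralPath $Source -Destination $Destination -ErrorAction Stop
    } else {
        Copy-Item -LiteralPath $Source -Destination $Destination -ErrorAction Stop
    }

    $targetEncrypted = [bool]((Get-Item -LiteralPath $target -ErrorAction Stop).Attributes -band $encFlag)
    $lost = $sourceEncrypted -and (-not $targetEncrypted)

    if ($lost) {
        Write-Warning "Encryption was lost: '$target' is no longer EFS-encrypted."
    }

    [pscustomobject]@{
        Source          = $Source
        Target          = $target
        SourceEncrypted = $sourceEncrypted
        TargetEncrypted = $targetEncrypted
        EncryptionLost  = $lost
    }
}

# Usage (placeholder paths): a copy to a non-NTFS volume triggers the warning.
Copy-ItemCheckEfs -Source 'C:\Data\report.doc' -Destination 'E:\Backup\'
Copy-ItemCheckEfs -Source 'C:\Data\report.doc' -Destination 'D:\Archive\report.doc' -Move
```

The function compares attributes rather than relying on any message from the copy operation, which is the only reliable signal given the behaviour described above.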

I can't open an EFS file after upgrading from a previous build of Windows 2000. A message that read "Access denied" appeared, but I can still encrypt and open new EFS files.

It is possible that the previous build is a domestic, nonexportable build with support for strong cryptography, and the new build is an international, exportable build with weaker cryptography. The weaker cryptography technology cannot handle files that have been encrypted using the stronger cryptography.

If you qualify to use and deploy nonexportable cryptography, you can obtain the Encryption Pack CD from Microsoft and use it to convert Windows 2000 to support nonexportable, strong cryptography technology. This CD is not exportable. The Microsoft Enhanced Cryptographic Provider for Windows 2000 is available on this CD. Instructions on how to use the CD are provided with the CD.

For more information about the availability of the Encryption Pack CD and current cryptography export policies for Microsoft products, see the Microsoft Security Advisor Web site at https://www.microsoft.com/security.

When my virus check program runs, it cannot check all the files on my hard disk and I get "Access Denied" error messages.

Your virus check program runs under your account, so it can only read files that have been encrypted by you. If other users have encrypted files on your hard disk, access to these files is denied to the virus check program. To perform a virus check for files that have been encrypted by other users, the other users must log on and run the virus check program.
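An administrator can find out in advance which files a scan run under the current account will skip. The following PowerShell function is an added example, not part of the original page or of Windows; it assumes a Windows host with PowerShell 3.0 or later, and the root path in the usage line is a placeholder. It lists every file under a folder that carries the encryption attribute but cannot be opened for reading by the current account, together with the file owner, which usually (but not always) identifies the user who encrypted it and therefore who needs to log on and scan it.

```powershell
# Added example (not from the original page): inventory EFS-encrypted files that the
# current account cannot read, i.e. the files a virus scan run as this user will skip.
function Get-UnreadableEncryptedFiles {
    param([Parameter(Mandatory)][string]$Root)

    $encFlag = [System.IO.FileAttributes]::Encrypted

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band $encFlag } |
        ForEach-Object {
            $readable = $true
            # An EFS file whose key this account does not hold fails to open with "Access denied".
            try {
                $fs = [System.IO.File]::Open($_.FullName, 'Open', 'Read', 'ReadWrite')
                $fs.Dispose()
            }
            catch [System.UnauthorizedAccessException] {
                $readable = $false
            }

            if (-not $readable) {
                # Owner is an approximation of the encrypting user (assumption, not guaranteed).
                $owner = try { (Get-Acl -LiteralPath $_.FullName).Owner } catch { '<unknown>' }
                [pscustomobject]@{
                    Path  = $_.FullName
                    Owner = $owner
                }
            }
        }
}

# Usage (placeholder path): group the skipped files by owner to see who must run the scan.
Get-UnreadableEncryptedFiles -Root 'C:\Users' | Group-Object Owner | Format-Table Name, Count
```

Files that open successfully are not listed, so an empty result means the scan under this account will cover every encrypted file under the root.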