Export (0) Print
Expand All

Encrypting File System Troubleshooting

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


What problem are you having?

The Advanced button is unavailable.

Cause: Encrypting File System (EFS) only works on files and folders on NTFS file system volumes. If the folder or file you are trying to encrypt is on a FAT or FAT32 volume, the Advanced button does not appear in the properties of that folder or file.

Solution: Convert the volume to NTFS with the convert utility.

  1. Open Command Prompt.

  2. Type:

    convert drive /fs:ntfs

    where drive is the drive letter of the intended drive.

See also: Convert.

When encrypting a file, a message appears: "Recovery policy configured for this system contains invalid recovery certificate" or "ERROR_BAD_RECOVERY_POLICY."

Cause: The Encrypting File System (EFS) recovery policy that is implemented on this computer contains one or more EFS recovery agent certificates that have expired. These certificates cannot be used.

Solution: Either renew the existing certificates or generate new certificates for the EFS recovery agents and reapply the recovery agent policy with those certificates.

See also: Requesting certificates or Renewing certificates.

The "Access denied" message appears when opening an encrypted file.

Cause: The file was encrypted by Encrypting File System (EFS) using a public key certificate, and the associated private key for this certificate is not available on this computer.

Solution: Locate the private key for the appropriate certificate and import it onto this computer using the Certificates snap-in.

See also: Import a certificate and Encrypting File System at the Microsoft Windows XP Resource Kits Web site.

The message "Key not valid for use in specified state" appears when encrypting a file on a remote computer.

Cause: Both computers must reside in the same Active Directory domain to use Encrypting File System (EFS) on remote shares. The remote computer must also be trusted for delegation in the Active Directory.

Solution: Join both computers to the same Active Directory domain and trust the remote computer for delegation.

See also: Join a domain and Enable a remote server for file encryption.

The message "You do not have permission to request a certificate based on the selected certificate template" appears when using theCreate Data Recovery Agentoption to create an EFS data recovery agent.

Cause: EFS is unable to connect to a certification authority (CA) to obtain a new certificate and store it in Active Directory.

Solution: Install a certification authority to issue certificates for EFS.

See also: Certificate Services.

Community Additions

© 2016 Microsoft