Troubleshooting generic error messages related to EFS

When Encrypting File System (EFS) has trouble decrypting a file, Windows usually displays a generic error message that is fairly meaningless. This article discusses what some of the more common error messages mean so you'll know where to begin the troubleshooting process.

Although Microsoft Windows' Encrypting File System (EFS) usually works pretty well, things do go wrong occasionally. The problem is that when EFS problems do occur, the user who is trying to open an encrypted file typically receives a somewhat generic error message. The message often says something like "Access Denied." Windows offers no explanation and no apologies. Hopefully, this article will help clarify what these error messages mean so that you can troubleshoot the messages more easily.

"No Valid Key Set"

The No Valid Key Set error message occurs when encrypted files are stored on a remote file share. For example, a user might have saved an encrypted file to a server's hard drive.

What this message is really telling you is that EFS could not find a private key that is able to decrypt the file. Private keys are stored as a part of a user's profile, and oftentimes when this message is generated, Windows is unable to locate the user's profile. One common cause is that the user logged on to a different computer than the one that was used to encrypt the files. If roaming profiles are not in use, then the user's profile and the necessary keys are left behind on the computer where the encryption was originally performed.

(If you need more information about troubleshooting EFS problems concerning encrypted files that reside on a remote file share, then you will be happy to know that I have recently written an article on the subject: problems accessing encrypted files on remote servers.)

"The Directory Has Been Disabled For Encryption"

As strange as it might sound, this error message can usually be traced to the DESKTOP.INI file. If you attempt to encrypt a file or folder and receive this message, then you can almost bet that a DESKTOP.INI file exists within the folder that you are trying to encrypt or in the same folder as the files that you are trying to encrypt.

If you find that the folder does contain a DESKTOP.INI file, then you can fix the problem by using Notepad to open the DESKTOP.INI file. Once the file has been opened, look for and remove the following lines of code:

[Encryption]
Disable=1

Once these lines have been removed, you should be able to encrypt the desired files, as long as they are not Windows system files.

"The Disk Partition Does Not Support File Encryption"

In most cases, this error message indicates that the file or folder that you are trying to encrypt resides on a volume that is formatted as FAT or as FAT-32. EFS can only encrypt files and folders that reside on volumes that are formatted as NTFS.

You can see which file system a volume is using by following these steps:

  • Open My Computer.
  • Right click on the target volume, and select the Properties command from the resulting shortcut menu.
  • The volume's properties sheet's General tab lists the file system that is in use.

If you discover it is using the FAT or FAT-32 file system, you can convert the file system to NTFS. To do so, perform the following steps:

  • Log in with administrative credentials.
  • Open a Command Prompt window.
  • Enter the following command, replacing X: with the drive letter of the volume that you want to convert: CONVERT X: /FS:NTFS

"Access Is Denied"

Of all of the error messages generated by Encrypting File System, none is more vague than Access Is Denied. There are several possible causes of this error message. Some of the more common causes are:

  • You do not have permission to read the file.
  • You are attempting to encrypt a system file or folder. System files and folders cannot be encrypted.
  • You are attempting to share an encrypted file with someone else, but lack the necessary permissions.
  • You are attempting to decrypt a file that was encrypted by someone else.
  • You are trying to decrypt a file that you encrypted, but your private key is unavailable. This problem occurs most frequently when your profile is not available for one reason or another, such as when you log on from a different computer than normal.
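The checks described above for the "Directory Has Been Disabled," "Disk Partition" and system-file cases can be gathered into one pre-flight function. This is an added example, not part of the original article; the function name, its output property names and the sample path are hypothetical, and it assumes the System file attribute is what marks a file or folder as a system item.

```powershell
# Added example: pre-flight check for an item that refuses to encrypt.
# Test-EfsReadiness and its output property names are hypothetical.
function Test-EfsReadiness {
    param([Parameter(Mandatory = $true)][string]$Path)

    $item = Get-Item -LiteralPath $Path -Force
    # desktop.ini matters in the folder itself, or in a file's parent folder.
    $dir = if ($item.PSIsContainer) { $item.FullName } else { $item.DirectoryName }

    # "The Disk Partition Does Not Support File Encryption": EFS needs NTFS.
    $root = [System.IO.Path]::GetPathRoot($item.FullName)
    if ($root.StartsWith('\\')) {
        $format = 'Remote share (check on the server)'
    } else {
        $format = (New-Object System.IO.DriveInfo $root).DriveFormat
    }

    # "The Directory Has Been Disabled For Encryption": look for Disable=1
    # inside the [Encryption] section only, ignoring case and spacing.
    $disabled = $false
    $ini = Join-Path $dir 'desktop.ini'
    if (Test-Path -LiteralPath $ini) {
        $section = ''
        foreach ($line in Get-Content -LiteralPath $ini -Force) {
            $text = $line.Trim()
            if ($text -match '^\[(.+)\]$') {
                $section = $Matches[1].Trim()
            } elseif ($section -eq 'Encryption' -and $text -match '^Disable\s*=\s*1$') {
                $disabled = $true
            }
        }
    }

    # "Access Is Denied": system files and folders cannot be encrypted.
    # Assumption: the System attribute is the marker of a system item.
    $attrs = $item.Attributes
    [pscustomobject]@{
        Path                         = $item.FullName
        FileSystem                   = $format
        IsNtfs                       = ($format -eq 'NTFS')
        DesktopIniDisablesEncryption = $disabled
        HasSystemAttribute           = (($attrs -band [System.IO.FileAttributes]::System) -ne 0)
        AlreadyEncrypted             = (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
    }
}

# Constructed sample path; replace with the folder or file being diagnosed.
Test-EfsReadiness -Path 'C:\Data\Reports'
```

The function only reads attributes and file contents; editing DESKTOP.INI or converting the volume remains a manual step as described in the sections above.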

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.
