
Encrypting File System (EFS) Access Denied Error Message Appears when Encrypting

Applies to 

Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows 7.

There are many different reasons that a user might experience an access-denied message. Many of those reasons have to do with access control list (ACL) permissions, network access control permissions and devices, credential presentation errors, and application compatibility errors.

EFS, RSA, and Version 3 templates do not function properly

A specific issue may arise when you deploy certificates for use by EFS that use the Rivest-Shamir-Adleman (RSA) algorithm on version 3 certificate templates. The Encrypting File System (EFS) supports the RSA algorithm only on version 2 certificate templates, which use only Cryptography API (CAPI). EFS supports Elliptic Curve Diffie-Hellman (ECDH) only on version 3 certificate templates, which use only Cryptography Next Generation (CNG). Version 3 templates are the default when Windows Server 2008 Enterprise certificate templates are used. If you plan to use EFS with RSA, be sure to select Windows Server 2003 Enterprise to get the version 2 template, and use a CAPI Cryptographic Service Provider (CSP).

Resolution

To resolve this issue, deploy EFS certificates that use the RSA encryption algorithm from version 2 templates (Windows Server 2003 Enterprise).
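
The template version and algorithm pairing described above can be checked before certificates are issued. The following PowerShell is an added example, not code from the original page: the function name `Test-EfsTemplate`, its parameters, and the sample template records are hypothetical and constructed for illustration.

```powershell
# Added example: flag EFS templates whose schema version and key algorithm
# do not match the pairing this page describes (RSA on v2/CAPI, ECDH on v3/CNG).
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID

function Test-EfsTemplate {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $SchemaVersion,  # 2 or 3
        [Parameter(Mandatory)] [string] $Algorithm,      # e.g. RSA, ECDH_P256
        [string[]] $Eku = @()
    )
    $isRsa  = $Algorithm -eq 'RSA'
    $isEcdh = $Algorithm -like 'ECDH*'

    $status =
        if     ($Eku -notcontains $EfsEku)           { 'Not an EFS template' }
        elseif ($SchemaVersion -eq 2 -and $isRsa)    { 'Supported (RSA, v2, CAPI)' }
        elseif ($SchemaVersion -eq 3 -and $isEcdh)   { 'Supported (ECDH, v3, CNG)' }
        elseif ($SchemaVersion -eq 3 -and $isRsa)    { 'MISMATCH: RSA on v3; reissue from a v2 template' }
        else                                         { 'Review manually' }

    [pscustomobject]@{
        Name          = $Name
        SchemaVersion = $SchemaVersion
        Algorithm     = $Algorithm
        Status        = $status
    }
}

# Constructed sample records. In a domain, SchemaVersion corresponds to the
# template's msPKI-Template-Schema-Version attribute and Eku to
# pKIExtendedKeyUsage; how you collect them is left to your environment.
$templates = @(
    @{ Name = 'EFS-RSA-v2';   SchemaVersion = 2; Algorithm = 'RSA';       Eku = @($EfsEku) },
    @{ Name = 'EFS-RSA-v3';   SchemaVersion = 3; Algorithm = 'RSA';       Eku = @($EfsEku) },
    @{ Name = 'EFS-ECDH-v3';  SchemaVersion = 3; Algorithm = 'ECDH_P256'; Eku = @($EfsEku) },
    @{ Name = 'WebServer-v2'; SchemaVersion = 2; Algorithm = 'RSA';       Eku = @('1.3.6.1.5.5.7.3.1') }
)

$results = foreach ($t in $templates) { Test-EfsTemplate @t }
$results | Format-Table -AutoSize
```

Only the `EFS-RSA-v3` record is reported as a mismatch, which is the configuration that produces the access-denied error when encrypting.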