Cannot open EFS encrypted files following changes to resolve Office 365 issue - Windows credentials appear corrupted

  • Question

  • I had an error message appearing in my Office 365 applications last week. I contacted Office 365 support, and someone remoted into my PC and took me through a number of steps to resolve this issue. As part of these steps I was asked to delete certain of the "Generic Credentials" in the Windows Credentials list. This fixed the issues I had in Office 365, but I noticed shortly afterwards that I am now unable to access any of my Windows encrypted files.

    I set up encryption on my PC using the built-in Windows functionality last year (i.e. by right-clicking on the folders, going to Properties, Advanced, and then ticking the box next to "Encrypt contents to secure data"). This has always worked very well, and I have never had any issues accessing encrypted files until after my call with Office 365 Support. I am now given "access denied" and similar error messages when I try to open encrypted files (Word, Excel, PDF, PowerPoint). Non-encrypted files can still be opened normally.

    The Office support team was unable to resolve this problem and directed me to Windows support. After going through numerous individuals I ended up with someone who suggested I run a Windows restore. I have tried doing this numerous times, including with anti-virus switched off, and in safe mode, but restore always fails. I am told that restore has "failed to extract" a file.

    I tried getting help with this issue on the Microsoft Community website. After trying several suggestions unsuccessfully (taking ownership of the files, trying to access the files from a newly created local admin account), I have been referred to Technet.

    A few other points to note:

    1. I noticed that when I try to create a copy of an encrypted file I am taken through two steps. First, I am told that I need administrator privileges to perform the task (which I have, so I click continue). Then I am told "You need permission to perform this action. You require permission from [my local Windows username] to make changes to this file". I am actually logged in as [my local Windows username], so it appears that Windows no longer recognises who I am.

    2. There are no other users set up on my PC, and no one other than me uses it or has ever used it.

    3. The encrypted files that I can no longer open have not come from another PC. They were created and encrypted on this PC by me. I could access them, change them, send them by email, and generally do with them as I pleased until the changes made to my PC to deal with the Office 365 issue. In other words, this is not an issue linked to missing encryption certificates from elsewhere.

    4. I have access to a OneDrive cloud storage. When I try to open any file that I saved on OneDrive before the issues with opening encrypted files started, I get the same error messages as I do when I try to open encrypted files saved on my PC. This is strange because (1) I did not set up any encryption on the OneDrive folders or files, and (2) I can still access those same OneDrive files via the OneDrive app on my iPad. This suggests to me that the problem is fundamentally not an encryption issue, but a credentials/ID issue. Not sure if or how this helps, but I'm hoping it's useful information.

    5. Checking the properties - security settings for the encrypted files tells me that I have "allow" permissions for full control, modify, read & execute, read, write. Despite this information I cannot open the files or even copy them to a different location.

    6. On the Control Panel - User Accounts page, I noticed the "Manage your file encryption certificates" link on the left. Going into this function is apparently intended to back up existing file certificates and create new ones. I did not actually do anything using the function, but I noticed that the encryption certificate details showing by default are odd. Clicking on the "View certificate" button shows the following details:


    Issued to: [my local Windows username]

    Issued by: [my local Windows username]

    Valid from   27-Feb-17   to    03-Feb-17

    You have a private key that corresponds to this certificate.


    It doesn't make sense to me that a certificate would be created with an expiry date in the past. The 27th of February is the date on which I had the call with Microsoft Office 365 Support, following which my issues with the encrypted files started, so I am assuming this may have something to do with the problem. I did not (knowingly) create any new encryption or encryption certificate on that day - my file encryption was set up last year and worked fine until 27 February.

    Any suggestions on how I can fix this issue would be much appreciated.

    Friday, March 10, 2017 5:39 PM

All replies

  • Hi, 

    In case your current user profile is broken, please create a new user account, then double-click and import the backup certificate (.pfk file) into your new user profile and see if you can open the EFS files on your computer now.

    We don't need to copy these files out; keep them where they are located.

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Monday, March 13, 2017 6:47 AM
  • Hi Kate,

    Thank you for your suggestion. I have tried doing this, but I still get an access denied message when I try opening an encrypted file through the new user account. I'm assuming part of the problem might just be that the certificate itself is expired?

    Tuesday, March 14, 2017 11:49 AM
  • Hi, 

    Please try to renew the certificate with the same key to check your issue:


    Thursday, March 16, 2017 9:08 AM
  • I have tried following this suggestion, but I cannot get past the initial stage on the "Certificate Enrollment" window. I get a message that reads:

    Enrollment error

    The request contains no certificate template information.

    My only option is to click "Finish".

    Thursday, March 16, 2017 4:55 PM
  • Hi, 

    It seems that we can only extract your private key and public key to generate a new certificate to fix this.

    Sorry to say that I am not familiar with such technology. You may submit a new case to Certificate related forum for further help:

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us.  Thank you for your understanding.


    Thursday, March 23, 2017 5:41 AM
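
A diagnostic for the symptom reported in this thread, added here as an example and not part of any post or of Microsoft's guidance: it lists the EFS certificates in the current user's store, flags a validity window that ends before it starts (as in the "Valid from 27-Feb-17 to 03-Feb-17" certificate above), and checks whether the thumbprints that `cipher /c` reports for a file are present in that store. The `$Path` default is a placeholder, and the thumbprint pattern assumes `cipher` prints SHA-1 thumbprints as ten space-separated groups of four hex digits.

```powershell
# Added example (not from the thread). Requires Windows PowerShell 3.0 or later.
# $Path is a placeholder: point it at one of the files that fails to open.
param([string]$Path = 'C:\path\to\encrypted-file.docx')

$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage

# 1. EFS-capable certificates in the personal store of the logged-on user.
$certs = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsOid })

$certs | ForEach-Object {
    [pscustomobject]@{
        Thumbprint     = $_.Thumbprint
        Subject        = $_.Subject
        NotBefore      = $_.NotBefore
        NotAfter       = $_.NotAfter
        HasPrivateKey  = $_.HasPrivateKey
        # True when the certificate "expires" before it becomes valid.
        InvertedWindow = $_.NotAfter -lt $_.NotBefore
    }
} | Format-Table -AutoSize

# 2. Thumbprints of the certificates the file was actually encrypted to.
#    cipher /c prints them in the file's "Users who can decrypt" section.
$cipherOut  = (& cipher.exe /c $Path) -join "`n"
$pattern    = '(?:[0-9A-Fa-f]{4} ){9}[0-9A-Fa-f]{4}'
$fileThumbs = @([regex]::Matches($cipherOut, $pattern) |
    ForEach-Object { $_.Value -replace ' ', '' } |
    Sort-Object -Unique)

if ($fileThumbs.Count -eq 0) {
    Write-Warning "No thumbprints found in cipher output for $Path"
}

# 3. Report whether each thumbprint from the file has a matching certificate.
foreach ($thumb in $fileThumbs) {
    $match = $certs | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $match) {
        "{0}: no EFS certificate with this thumbprint in Cert:\CurrentUser\My" -f $thumb
    } elseif (-not $match.HasPrivateKey) {
        "{0}: certificate present, but no private key is associated with it" -f $thumb
    } else {
        "{0}: certificate present with an associated private key" -f $thumb
    }
}
```

`HasPrivateKey` only shows that the store links the certificate to a key, which is the same thing the "You have a private key that corresponds to this certificate" line reports; it does not prove the key can still be opened. A thumbprint on the file that matches no certificate in the store means the file was encrypted to a different certificate than the one now shown.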