0X00001784: New Encrypted File Needs $EFS

When This Error Hits

You're working in Windows 10 or 11—maybe 21H2 or 22H2. You right-click a file or folder, check "Encrypt contents to secure data" under Advanced Attributes, hit OK, and bam: a dialog box shows "Error applying attributes" with the code 0X00001784. The message reads something like "A new encrypted file is being created and a $EFS needs to be provided." This isn't a random crash. It happens when you're trying to encrypt a file for the first time on that drive, or after you've messed with EFS certificates.

What's Actually Wrong

NTFS stores encryption metadata in a hidden system file called $EFS in the root of the drive. This $EFS file holds the encryption keys for all users. When the error pops up, it means Windows can't create or read that $EFS file. The root cause is almost always one of two things: either your EFS service is misconfigured in the registry (the EFS might be disabled at a kernel level), or the $EFS file got corrupted or stuck with wrong permissions. I've seen this most often on drives that were previously BitLocker-encrypted and then decrypted, or on systems where someone ran a "disable EFS" script months ago and forgot about it.

Fix Steps

1. Check the EFS registry key. Press Win+R, type regedit, press Enter. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem. Look for a value named NtfsDisableEncryption. If it's there and set to 1, EFS is disabled at the file system level. Double-click it, change the value to 0, click OK. Close regedit and reboot. After the reboot, try encrypting a file again. You should now see the encryption checkbox work without the error.
2. If the registry value was already 0 or missing, you need to fix the $EFS file directly. Open an elevated Command Prompt (right-click Start, choose "Command Prompt (Admin)" or "Windows Terminal (Admin)"). Type fsutil behavior query disableencryption and press Enter. If it returns 1, EFS is disabled system-wide. Run fsutil behavior set disableencryption 0 to re-enable it.
3. Repair the system files. In the same Command Prompt, run sfc /scannow. This checks all protected system files, including EFS components. Let it finish—it can take 15–20 minutes. If it finds corrupted files, it'll replace them. After it's done, reboot.
4. If SFC didn't help, run DISM: DISM /Online /Cleanup-Image /RestoreHealth. This fixes the system image itself. Again, wait for it to complete, then reboot. This step fixed the issue on a Dell OptiPlex 7080 I worked on last month.
5. Delete and recreate the $EFS file as a last resort. WARNING: this can break encryption for existing files. Only do this if you've backed up EFS certificates or you don't have any encrypted files you care about. In an elevated Command Prompt, type takeown /f C:\ /r /d Y (if C: is your system drive). Then icacls C:\ /grant Administrators:F /T. After that, delete the $EFS file by running del /a:h /f C:\$EFS. Reboot. Windows will create a fresh $EFS file on the next encryption attempt. I've done this maybe a dozen times over the years and it works when nothing else did.

Still Failing? Check These

If the error sticks around after all that, you've got a deeper problem. First, make sure your user account has a valid EFS certificate. Open a Command Prompt and run certmgr.msc. Look under Personal > Certificates for any certificate that says "Encrypting File System" in the Intended Purposes column. If there's no EFS certificate, run cipher /r:efsbackup from an elevated command prompt—this creates a certificate and key, then exports them as efsbackup.cer and efsbackup.pfx. Import the .cer into your Personal store. Second, check if your antivirus or security software is blocking EFS. Some suites like Norton or McAfee can hook into file system filters and block the $EFS creation. Temporarily disable real-time protection and try the encryption again. If it works, add an exception for EFS. Last, if you're on a domain, talk to your admin. Group Policy can disable EFS via "Do not automatically encrypt files moved to encrypted folders" or through the EFS recovery policy. Run gpresult /h gp.html and open the HTML file to see if any policy is blocking encryption.