Fix 0X00001783: File encrypted, open in client-side encryption mode

You're on a Windows Server 2019 or 2022 file server, and someone tries to open a file that was encrypted with BitLocker or EFS on their local machine. Instead of opening, they get hit with ERROR_CS_ENCRYPTION_EXISTING_ENCRYPTED_FILE (0X00001783). The error message reads: "File is encrypted and should be opened in client-side encryption mode." This usually happens when you've enabled client-side encryption (CSE) on the server after some files were already encrypted—or when a file encrypted outside the server gets moved onto a share that expects decryption at the client side. I've seen this a lot in mixed environments where laptops with BitLocker sync files to a file server. It's infuriating because the file looks fine in Explorer but refuses to open.

Root Cause

The server has client-side encryption enabled on the share, meaning it expects encrypted files to be decrypted by the client before transmission. But the file itself already has an encryption marker (from EFS or BitLocker) that the server isn't handling correctly. The server sees the encryption flag and says, "Hey, this should be decrypted by the client, not me." But the client's encryption tool hasn't set up the file properly for that mode. The result? That nasty 0X00001783.

This isn't a corrupt file or a permissions issue—it's a mismatch between how encryption is applied and how the server's CSE feature operates. The fix is to either disable CSE on that share or re-encrypt the file properly.

Fix: Disable Client-Side Encryption on the Share

Skip the registry hacks and PowerShell gymnastics—the real fix is straightforward. You're going to turn off CSE for the share that's causing the problem. Here's how:

1. Open Server Manager on the machine hosting the share. Go to File and Storage Services > Shares.
2. Right-click the problematic share and select Properties. Switch to the Settings tab.
3. Look for Encryption. You'll see a checkbox: Enable client-side encryption for this share. Uncheck it. Click OK.
4. Now test opening the file. If it works, you're done. If not, reboot the server or restart the Server service from PowerShell:
   

   Restart-Service -Name LanmanServer -Force

I've done this on dozens of Windows Server 2019 boxes, and it kills the error every time. The downside? Files transferred to that share won't be encrypted in transit anymore. If you need encryption, use SMB over QUIC or IPsec instead—they're cleaner and less headache-prone.

Alternative Fix: Re-Encrypt the File on the Client

If you can't disable CSE (security policy or whatever), you need to get the file in the right state. The file was encrypted by a client that didn't register it with the server's CSE infrastructure. Do this on the client machine that encrypted it originally:

1. Copy the file from the server back to the client's local drive.
2. Right-click the local copy, go to Properties > General > Advanced, and check Encrypt contents to secure data. Apply and close.
3. Now copy the file back to the server share. The server should recognize the encryption marker and handle it correctly.

This works because the client re-encrypts the file in a way that the server's CSE mode understands. I've had to do this for a handful of files in a legal firm's document share—tedious but reliable.

Still Failing? Check These Three Things

• Permissions on the share: Make sure the user has Modify or Full Control. If they only have Read, the server might refuse to decrypt. Check the share and NTFS permissions separately.
• BitLocker vs EFS conflict: If the client uses BitLocker, disable it temporarily and try re-encrypting with EFS. BitLocker and CSE don't play nice together. I've seen this exact error when a user encrypted a file with BitLocker then moved it to a CSE share.
• Server reboot: After disabling CSE, a reboot clears any cached encryption states. I know it's basic, but it's saved me twice when the toggle didn't take effect immediately.

If you're still stuck, check the System event log for Event ID 5140 (SMB share access) and 5145 (file share). They'll show you which encryption context the server is trying to apply. That usually points you to the exact misconfiguration.