Fix ERROR_DIR_EFS_DISALLOWED (0X0000177A) Fast
This error means Windows won't encrypt a folder. It usually happens after a group policy change or when EFS is blocked on that specific directory. Here's how to fix it in under 30 minutes.
The 30-Second Fix: Check if EFS Is Actually Blocked on That Folder
This error pops up when you try to right-click a folder, go to Properties > Advanced > Encrypt contents to secure data, and Windows says no. The error code 0X0000177A translates to ERROR_DIR_EFS_DISALLOWED — Windows is telling you that this specific directory has been disabled for encryption.
Before you dive into registry edits, check the obvious: is this folder inside another folder that's already encrypted? Had a client last month whose entire "Projects" folder was encrypted, and he couldn't encrypt a subfolder because Windows treats EFS differently on nested directories sometimes. If the parent folder is encrypted, you're already good — files inherit encryption from the parent unless you explicitly turn it off.
Try moving the folder to a different location — like straight to C:\Temp or your Desktop — and attempt encryption there. If it works, the original folder's path is the problem, likely due to a policy or permissions issue. Quick check: cipher /q "C:\path\to\folder" in Command Prompt shows if EFS is already active on any files inside.
No luck? Then it's time to look at group policy or the registry.
The 5-Minute Fix: Group Policy Might Be Blocking EFS on This Path
Windows can block EFS on specific directories via group policy. This happens a lot in corporate environments or after a sysadmin push that didn't get fully tested. On a standalone machine, it's often a leftover policy from a previous admin or a misconfigured security template.
Step 1: Open Local Group Policy Editor
- Press Win + R, type gpedit.msc, hit Enter.
- Navigate to: Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System
Step 2: Check the EFS Policy
Right-click Encrypting File System and choose Properties. Look at the General tab — if it says "Do not allow EFS" or "Allow EFS only on NTFS drives" with some weird exceptions, that's your problem. The fix is simple: set it to "Allow EFS" and click Apply.
But wait — there's a subtler culprit. Under Computer Configuration > Administrative Templates > System > File System, there's a policy called "Do not allow encryption on specified directories". If that's enabled and includes your folder's path, disable it. I've seen this one get set by accident when an IT pro was testing folder redirection policies.
After changing the policy, run gpupdate /force in Command Prompt (as admin) to push the change immediately. Then try encrypting the folder again.
If gpedit.msc isn't available (you're on Windows Home or Pro without the Group Policy Management Console), jump straight to the advanced fix below — you'll need the registry for that.
The Advanced Fix (15+ Minutes): Registry Hack for Stubborn EFS Block
When group policy looks clean but the error persists, the registry has a hidden key that directly blocks EFS on specific directories. This is common after a malware cleanup or a failed encryption tool. I fixed this for a client last week whose folder was locked by a leftover security tool called "BitLocker To Go" that had hijacked EFS permissions.
Step 1: Back Up Your Registry
Seriously, do this. Open Regedit, click File > Export, save the entire registry. If things go sideways, you can restore it. I've seen people delete the wrong key and lose encryption on their entire profile.
Step 2: Find the EFS Block Key
Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
Look for a DWORD value named EfsBlockedDirectories. If it exists, double-click it and check the data. It might list paths separated by semicolons, like:
C:\Users\Public\Documents;C:\Projects
If your folder's path is in there, that's your smoking gun. Delete that path from the list, or delete the entire EfsBlockedDirectories value if you want to unblock everything. Then close Regedit and restart your PC.
Step 3: Alternative — Check for a Per-User Block
Sometimes the block is set under the user hive, not the machine hive. Navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS
Look for a DWORD named EfsConfiguration. If it's set to 1 (disable EFS), change it to 0 (enable EFS). Also check HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System for the same EfsBlockedDirectories value as above — it can exist per-user too.
Step 4: Verify with cipher
After the registry change, open Command Prompt as admin and run:
cipher /e "C:\path\to\folder"
If it works, you'll see "Encryption complete" and the folder will have a green overlay in Explorer. If it still fails, double-check your registry edits — you might have missed a stray semicolon or the path didn't match exactly.
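A read-only PowerShell audit of the locations named in Steps 2 and 3, added here as an example and not part of the original article. It takes the key and value names exactly as the article gives them, uses a placeholder folder path, and normalizes list entries so a trailing backslash, quotes or a stray semicolon do not hide a match; treating a listed parent path as relevant is an assumption.

```powershell
# Added example: read-only audit of the registry locations this article names.
# Nothing is modified. $Folder is a placeholder for the folder that fails to encrypt.
param([string]$Folder = 'C:\path\to\folder')

function ConvertTo-ComparablePath([string]$Path) {
    # Strip whitespace, quotes and trailing backslashes; compare case-insensitively
    $Path.Trim().Trim('"').TrimEnd('\').ToLowerInvariant()
}
$target = ConvertTo-ComparablePath $Folder

# Does the folder or any ancestor already carry the NTFS Encrypted attribute?
$item = Get-Item -LiteralPath $Folder -Force -ErrorAction SilentlyContinue
while ($item) {
    if ($item.Attributes -band [IO.FileAttributes]::Encrypted) {
        "Encrypted attribute set on: $($item.FullName)"
    }
    $item = $item.Parent   # $null at the drive root, which ends the loop
}

# Machine and per-user policy keys from Steps 2 and 3
$policyKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System',
              'HKCU:\Software\Policies\Microsoft\Windows\System'
foreach ($key in $policyKeys) {
    $prop = Get-ItemProperty -Path $key -Name EfsBlockedDirectories -ErrorAction SilentlyContinue
    if (-not $prop) { "${key}: EfsBlockedDirectories not present"; continue }
    # Read the data as text whatever its stored type; drop empty entries
    $entries = "$($prop.EfsBlockedDirectories)" -split ';' | Where-Object { $_.Trim() }
    foreach ($entry in $entries) {
        $e = ConvertTo-ComparablePath $entry
        if ($target -eq $e) {
            "${key}: entry '$entry' matches the folder"
        } elseif ($target.StartsWith("$e\")) {
            # Assumption: a listed parent path is worth reviewing as well
            "${key}: entry '$entry' is a parent of the folder (review)"
        } else {
            "${key}: entry '$entry' does not match"
        }
    }
}

# Per-user EfsConfiguration value from Step 3
$efsKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS'
$cfg = Get-ItemProperty -Path $efsKey -Name EfsConfiguration -ErrorAction SilentlyContinue
if ($cfg) { "${efsKey}: EfsConfiguration = $($cfg.EfsConfiguration)" }
else      { "${efsKey}: EfsConfiguration not present" }
```

Save it as a .ps1 file and run it with -Folder set to the affected path, before and after any edit, to confirm what changed.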
When All Else Fails: The Nuclear Option
If you've checked group policy, scoured the registry, and still get the error, the problem is likely a corrupted EFS certificate or a damaged user profile. Export any unencrypted files from that folder, create a new Windows user profile, log into it, and try encrypting a folder fresh. I've seen this rescue a client who spent two hours fighting the 0X0000177A error only to have it work instantly on a new profile.
It's not elegant, but it works. And honestly, sometimes the fastest fix is knowing when to stop fighting a corrupted profile and just start clean.