
Fix NTE_DOUBLE_ENCRYPT (0X80090012) – Already Encrypted

Cybersecurity & Malware | Intermediate | May 27, 2026

You're trying to encrypt data that's already encrypted. Happens with BitLocker, DPAPI, or certs. Quick fix: reset or skip the double encrypt.

Quick Answer

Stop encrypting what's already encrypted. Use certutil -delstore for certs, disable BitLocker then re-enable, or clear DPAPI master keys.

Why You're Seeing 0X80090012

Last month, a client called me because their backup software kept throwing NTE_DOUBLE_ENCRYPT (0X80090012). They'd run a script that encrypted their backup files twice. The error literally means the data's already been encrypted—Windows won't let you wrap it again. This happens most often with:

  • BitLocker on a drive that's already encrypted (usually from a partial or failed enable)
  • DPAPI (Data Protection API) when an app tries to protect data that's already DPAPI-protected
  • Certificate private keys when a script or tool double-encrypts them

Fix Steps

1. Identify What's Double-Encrypted

Open Event Viewer (eventvwr.msc), look under Windows Logs > System for source Microsoft-Windows-BitLocker or DPAPI. Filter by event ID 245 (BitLocker) or 8197 (DPAPI). That'll tell you which drive or process triggered the error.

2. Fix BitLocker Double Encryption

  1. Run manage-bde -status in an admin command prompt. Check if the drive shows Encrypted or Encrypting.
  2. If it's fully encrypted, your only option is to decrypt it: manage-bde -off C: (replace C: with your drive). Wait for decryption to finish, which could take hours.
  3. Then manage-bde -on C: to re-encrypt cleanly. This wipes the double-encrypt flag.
  4. If BitLocker won't turn off, try manage-bde -protectors -disable C: first, then retry.

3. Fix DPAPI Double Encryption

If an app like Chrome or a custom tool triggers this, the fix is brutal but sure:

  1. Back up your DPAPI master keys: certutil -backupuserkey -p password .\backup.pfx
  2. Delete the master key from %APPDATA%\Microsoft\Protect\ (the SID folder).
  3. Reboot—Windows regenerates a fresh master key.
  4. Re-import your backup keys if needed via certutil -user -p password -importpfx .\backup.pfx.

Warning: This will break DPAPI-protected data until you re-import. Test on a non-critical machine first.

4. Fix Certificate Double Encryption

Seen this with certreq or certutil scripts that chain encrypt operations:

  1. Open certlm.msc (Local Machine) or certmgr.msc (Current User).
  2. Find the certificate with the issue—check the Private Key properties.
  3. Export the cert with private key to PFX, then delete and re-import.
  4. Or run certutil -delstore My "thumbprint_here" then re-import cleanly.

Alternative Fixes

  • For BitLocker: Use repair-bde if the drive is corrupted. It'll decrypt and let you re-encrypt.
  • For DPAPI: Try gpupdate /force if it's a domain machine—sometimes group policy corrupts the master key.
  • For certs: Use certutil -repairstore to rebuild the key store.

Prevention Tip

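Never run encryption scripts or tools without checking the current state first. Before you call ProtectData or manage-bde, write a check: manage-bde -status C: | find "Conversion Status". Filter on that line rather than a bare "Encrypted", which also matches the "Percentage Encrypted" line on a drive that is fully decrypted. For DPAPI, check %APPDATA%\Microsoft\Protect\ for existing master keys. A five-second check saves an hour of cleanup.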

Client story: a dev wrote a tool that encrypted files on upload. It ran twice due to a race condition. Took me two hours to decrypt and re-encrypt 200 files. One line of code could've prevented it.
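The state check from the prevention tip, applied to DPAPI file protection and to the race in the client story, as an added example (not the client's tool and not code from this page). Test-DpapiBlob and Protect-FileOnce are hypothetical names; the sketch assumes Windows PowerShell 5.1 and the .NET ProtectedData class with CurrentUser scope.

```powershell
# Added example. Test-DpapiBlob and Protect-FileOnce are hypothetical names.
Add-Type -AssemblyName System.Security   # ProtectedData (Windows PowerShell 5.1)

# DPAPI blobs start with version 1 (DWORD) followed by the provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb in its in-memory byte order.
$script:DpapiHeader = [byte[]](0x01,0x00,0x00,0x00,
    0xD0,0x8C,0x9D,0xDF,0x01,0x15,0xD1,0x11,0x8C,0x7A,0x00,0xC0,0x4F,0xC2,0x97,0xEB)

function Test-DpapiBlob {
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -lt $script:DpapiHeader.Length) { return $false }
    for ($i = 0; $i -lt $script:DpapiHeader.Length; $i++) {
        if ($Bytes[$i] -ne $script:DpapiHeader[$i]) { return $false }
    }
    return $true
}

function Protect-FileOnce {
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    # FileShare.None: a second copy of the tool running at the same time gets
    # an IOException here instead of encrypting the same file again.
    $fs = [System.IO.File]::Open($full, [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::None)
    try {
        if ($fs.Length -eq 0) { return 'skipped: empty file' }
        $data = (New-Object System.IO.BinaryReader($fs)).ReadBytes([int]$fs.Length)
        # The state check: never wrap data that already carries the DPAPI header.
        if (Test-DpapiBlob $data) { return 'skipped: already DPAPI-protected' }
        $blob = [System.Security.Cryptography.ProtectedData]::Protect(
            $data, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        $fs.SetLength(0)
        $fs.Position = 0
        $fs.Write($blob, 0, $blob.Length)
        return 'protected'
    }
    finally { $fs.Dispose() }
}

# Constructed demo file; the second call stands in for the accidental re-run.
$demo = Join-Path $env:TEMP 'dpapi-once-demo.bin'
[System.IO.File]::WriteAllBytes($demo, [System.Text.Encoding]::UTF8.GetBytes('constructed sample'))
Protect-FileOnce $demo
Protect-FileOnce $demo
```

The header test only recognises DPAPI output; a tool that uses its own encryption format needs its own marker or state record to check against.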
