
STATUS_ENCRYPTION_FAILED 0xC000028A Fix — File Encryption Failed

Cybersecurity & Malware | Intermediate | May 27, 2026

Quick fix: Disable EFS or repair corrupt encryption certificates. This error pops up when Windows can't encrypt a file — usually bad certs or missing EFS service.

Quick Answer

Run cipher /u /n from an admin prompt, then update or disable EFS certs. If that doesn't work, rebuild the EFS service via Group Policy.

What's Causing This

STATUS_ENCRYPTION_FAILED (0xC000028A) means the Encrypting File System (EFS) flaked out during an encrypt or decrypt operation. You'll see it in Event Viewer under Event ID 8194 or straight in Explorer when you right-click a file and check "Encrypt contents to secure data". The culprit is almost always a corrupt EFS certificate — either expired, missing, or the private key got nuked by a backup restore or disk cleanup tool that didn't know what it was doing. I've also seen this on Windows 10 1809 and Windows 11 22H2 after a feature update when the EFS service started but the certificate store didn't migrate properly. Rarely, it's a permissions issue where the user's profile is hosed or the EFS service itself is disabled.

Step-by-Step Fix

  1. Check EFS service status. Open Services.msc, find Encrypting File System (EFS). It should be running, startup type Manual or Automatic. If it's Disabled, set it to Manual and restart the service. I've seen third-party security suites disable this.
  2. Back up your EFS certs. Open certmgr.msc, expand Personal → Certificates. Look for a cert with Encrypting File System in the Intended Purposes column. Right-click → All Tasks → Export. Choose Yes, export the private key. Save it as a PFX with a password. If there's no private key, that's your problem — see step 5.
  3. Run the cipher command. Open an elevated command prompt (Admin). Run cipher /u /n. This updates the EFS encryption keys for all files on the system. If it complains about a bad cert, it'll tell you which file. Note that path.
  4. Decrypt and re-encrypt the problem file. Right-click the file → Properties → Advanced → Uncheck 'Encrypt contents to secure data'. Apply. Then re-check it. If decryption fails, you can't recover with EFS — you'll need to copy the file to a non-NTFS drive (like FAT32 USB) to strip encryption, then copy back.
  5. Repair or replace the EFS certificate. If the cert is missing or corrupt, generate a new one by running cipher /r:MyEFS. This creates a CER and PFX file in the current directory. Import both: CER into Trusted Root Certification Authorities for the user, PFX into Personal. Then re-encrypt the file.
  6. Reset EFS via Group Policy. For domain-joined machines, the EFS recovery policy may be corrupt. On the DC or local GPO editor, go to Computer Configuration → Windows Settings → Security Settings → Public Key Policies → Encrypting File System. Right-click → Create a Data Recovery Agent. This adds a DRA cert. Force a GP update with gpupdate /force.
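
The checks from steps 1 and 2, plus the registry switch described under "If Nothing Works", can be collected in one read-only pass before anything is changed. This PowerShell script is an added example, not part of the original article. It assumes the service name EFS, the EFS enhanced key usage OID 1.3.6.1.4.1.311.10.3.4, and the per-user CurrentKeys registry location for the certificate EFS currently uses.

```powershell
# Read-only EFS health check (added example; it changes nothing on the system).
$efsEku  = '1.3.6.1.4.1.311.10.3.4'   # OID of the "Encrypting File System" key usage
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$report  = @()

# Step 1: the EFS service must not be Disabled.
$svc = Get-CimInstance Win32_Service -Filter "Name='EFS'"
$report += [pscustomobject]@{
    Check = 'EFS service'; Detail = "$($svc.State), start mode $($svc.StartMode)"
    Problem = ($svc.StartMode -eq 'Disabled') }

# "If Nothing Works": EfsConfiguration = 1 under this key disables EFS machine-wide.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
$cfg = (Get-ItemProperty $key -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
$report += [pscustomobject]@{
    Check = 'EfsConfiguration'; Detail = "value: $(if ($null -eq $cfg) { 'not set' } else { $cfg })"
    Problem = ($cfg -eq 1) }

# Thumbprint of the certificate EFS currently uses for this user.
# Assumption: stored as a binary CertificateHash value under CurrentKeys; may be absent.
$curKey  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$hash    = (Get-ItemProperty $curKey -Name CertificateHash -ErrorAction SilentlyContinue).CertificateHash
$current = if ($hash) { ($hash | ForEach-Object { $_.ToString('X2') }) -join '' }

# Step 2: every EFS certificate in the user's Personal store needs a private key.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Extensions | Where-Object { $_ -is $ekuType -and
        ($_.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $efsEku }
}
foreach ($c in $efsCerts) {
    $expired = $c.NotAfter -lt (Get-Date)
    $report += [pscustomobject]@{
        Check   = "EFS cert $($c.Thumbprint)"
        Detail  = "private key: $($c.HasPrivateKey); expires $($c.NotAfter.ToString('yyyy-MM-dd')); " +
                  "current key: $($c.Thumbprint -eq $current)"
        Problem = (-not $c.HasPrivateKey) -or $expired }
}
if (-not $efsCerts) {
    $report += [pscustomobject]@{
        Check = 'EFS cert'; Detail = 'none in Cert:\CurrentUser\My'; Problem = $true }
}
$report | Format-Table -AutoSize -Wrap
```

HasPrivateKey only shows that the store links a key to the certificate, so the PFX export in step 2 remains the real test that the key is usable.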

If Nothing Works

If you can't get a new cert to stick or the service keeps dying, the nuclear option is to disable EFS entirely. Not great if you need encryption, but it stops the errors cold. Run gpedit.msc (Pro/Enterprise only), go to Computer Configuration → Windows Settings → Security Settings → Public Key Policies → Encrypting File System. Right-click → Properties → set File encryption using EFS to Disabled. Reboot. You can also disable via registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS, create EfsConfiguration as DWORD and set to 1. This kills the right-click encrypt option and all EFS operations.

Prevention Tips

First, back up your EFS certs before any OS reinstall or feature update. The moment you encrypt a file, export the cert with the private key and store it somewhere safe. Second, avoid disk cleanup tools that claim to clean certificate stores — they'll strip your EFS key. Third, if you're on a domain, push EFS recovery agents via GPO so IT can recover files if your cert goes bad. And for the love of all that's holy, don't use EFS for anything critical unless you have a solid backup of the cert. It's not cloud-synced like BitLocker recovery keys. Lose the cert, lose the data.
