Windows 10 EFS files are inaccessible after reboot for several minutes

Question

On a Windows 10 Pro machine (10.0.19042.685), local EFS-ecnrypted files are inaccessible (ERR_ACCESS_DENIED) for several minutes after reboot or logout/login. Files are local to the machine, but the machine itself is accessed via RDP.

It seems like the private key of a user is not accessible to the system for some reason (access denied in PID 0). Because if I open the MMC certmger snap-in, it says that I have the private key for my EFS cert, but if I try to export the cert, the option to export with private key is grayed out.

After several minutes, file access restores by itself and private key become exportable in the MMC certmger snap-in.

Issuing of a new cert, making it default and update all encrypted files to the new cert did not help.

Answer 1

Crypto-DPAPI Event:

DPAPI Unprotect failed .

        Status: 0x8009000B
        ReasonForFailure:   Could not get the master key

Crypto-DPAPI Event:

Master key access failed.

Answer 2

This does not help.

My "certutil -store My" output is:

My "Personal"                                                                                                                     
CertUtil: -store command completed successfully. 

I don't have Nvidia hardware. I do have Hyper-V (most likely because of Windows Sandbox enabled), but I have it for a long time and it was not a problem.

cipher /c for an encrypted file says "The specified file could not be decrypted." And after about 10 minutes after reboot, cipher /c for an encrypted file says "Key Information: [...]"

Answer 3

Hi,

A failure audit event is triggered when a defined action is not completed successfully. So the failure events may simply mean the failed access but does not necessarily mean that something is wrong with your system.

But I did some research and found below possible causes.

1. Have NVidia based graphics card on your computer: https://answers.microsoft.com/en-us/windows/forum/windows_10-security-winpc/security-audit-failure-event-5061-in-windows-10/6de3cdd6-cb0a-478b-aca6-2f36e2eb85f6
2. Related to hyperV: https://answers.microsoft.com/en-us/windows/forum/windows8_1-performance/event-log-security-audit-failure/dde5c76f-1bb0-46cb-bc33-90a958b13de2
3. Expired certificate exists under Certificates > Trusted Root Certification Authorities > Certificates: https://social.technet.microsoft.com/Forums/en-US/3e88df37-d718-4b1f-ac90-e06b597c0359/event-5061-audit-failures-every-reboot-cryptography-win-10-pro-64bit?forum=win10itprogeneral

I am not sure if your issue has above situations. In order to figure out the exact cause, you might need to capture some dumps or traces to further investigate the issue, which I suggest to contact Microsoft Customer Support and Services where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue.
 
You may find phone number for your region accordingly from the link below:
Global Customer Service phone numbers
https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers

Thanks,

Eleven

If the answer is helpful, please click "Accept Answer" and up-vote it.

Answer 4

It is running and the problem is more complex than that.

For each failed access, there is a message in the event log:

But then after some time there is a series of Logon/Special logon events which lead to access success. But there are no events about successful key read.

Answer 5

Hi,

From my knowledge, there's a process named lsass.exe that's responsible for the security part (auth., logon, encryption, etc...).

During the several minutes that EFS files are inaccessible after reboot, please check if Isass.exe is running in task manager. It might take some time to start this process after reboot.

Thanks,

Eleven

If the answer is helpful, please click "Accept Answer" and up-vote it.