Fixing EFS Certificate Configuration Updater Errors in Windows
The Encrypting File System (EFS) is a built-in Windows feature that encrypts files and folders to protect sensitive data. Windows relies on the EFS Certificate Configuration Updater task to automatically manage and renew the certificates required for this encryption process. When this task fails, Event Viewer displays error codes like 0x80070005 (Access Denied) or 0x80040154 (Class Not Registered). These errors disrupt automated certificate updates and clutter your system logs.
Follow this guide to troubleshoot and resolve EFS Certificate Configuration Updater errors.

Verify and Restart the EFS Service
The updater task cannot run properly if the underlying EFS service is stopped or misconfigured.
Press Windows Key + R, type services.msc, and press Enter.
Scroll down and locate Encrypting File System (EFS).
Check the Status column. If it is not running, right-click the service and select Start.
Right-click the service again and select Properties.
Change the Startup type to Manual or Automatic based on your organization’s policy, then click OK.

Reset the Task Scheduler Permissions
Many EFS updater errors stem from permission corruption within the Windows Task Scheduler. Resetting the task or running it with elevated privileges often resolves the issue.
Open the Start menu, type Task Scheduler, and select Run as administrator.
In the left sidebar, navigate to: Task Scheduler Library > Microsoft > Windows > CertificateServicesClient.
Locate the UserTask-EFSInitialization or CryptoPolicyTask (depending on your Windows version).
Right-click the task and select Properties.
Under the General tab, look at the security options. Ensure the task is set to run under the LOCAL SERVICE or SYSTEM account.
Check the box for Run with highest privileges, then click OK.
Right-click the task and click Run to test if it executes without errors.

Fix Corrupt Cryptographic Keys
If the system cannot read or write to the folders where encryption keys are stored, the updater task will fail with an access denied error. Reassigning permissions to the Crypto folder resolves this.
Press Windows Key + R, type %AppData%\Microsoft, and press Enter.
Locate the Crypto folder.
Right-click the Crypto folder and choose Properties.
Go to the Security tab and click Advanced.
Ensure your active user account and the SYSTEM account both have Full Control permissions.
If permissions are missing, click Add, select your principal account, check Full Control, and apply the changes to all subfolders.

Repair Corrupt System Files
Corrupted system binaries or registry entries can prevent the certificate client from registering its required programming classes.
Right-click the Start menu and select Terminal (Admin) or Command Prompt (Admin).
Run the Deployment Image Servicing and Management tool first by typing:
DISM.exe /Online /Cleanup-image /Restorehealth
Press Enter and wait for the process to reach 100%.
Next, run the System File Checker by typing:
sfc /scannow
Press Enter. Once the scan finishes, restart your computer to apply any automated repairs.

Generate a New EFS Self-Signed Certificate
If the existing EFS certificate is completely corrupted, forcing Windows to generate a brand-new certificate will bypass updater task errors.
Open Command Prompt (Admin).
Type the following command to generate a new EFS certificate:
cipher /k
If no certificate exists or the current one is broken, use this command to create a new self-signed certificate backed up to your desktop:
cipher /g
This action refreshes the EFS configuration and allows the background updater task to sync with a valid, clean certificate.
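
The service, scheduled-task and Crypto-folder checks described in the earlier sections can be gathered in one read-only pass. This PowerShell script is an added example, not part of the original guide; it assumes the built-in ScheduledTasks module and lists every task in the CertificateServicesClient folder instead of relying on a specific task name.

```powershell
# Added example: read-only checks, nothing on the system is modified.
# Run in an elevated PowerShell session while signed in as the affected user.

# 1. EFS service: current state and startup type (service name is "EFS").
Get-Service -Name EFS | Select-Object Name, Status, StartType | Format-List

# 2. Tasks under CertificateServicesClient: account, run level, last result.
$taskPath = '\Microsoft\Windows\CertificateServicesClient\'
Get-ScheduledTask -TaskPath $taskPath | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task       = $_.TaskName
        State      = $_.State
        RunAs      = if ($_.Principal.UserId) { $_.Principal.UserId } else { $_.Principal.GroupId }
        RunLevel   = $_.Principal.RunLevel
        LastRun    = $info.LastRunTime
        # Shown as hex so it can be matched against 0x80070005 / 0x80040154.
        LastResult = '0x{0:X8}' -f $info.LastTaskResult
    }
} | Format-Table -AutoSize

# 3. Crypto folder ACL: is Full Control granted directly to the current user
#    and to SYSTEM? Compared by SID so localized account names do not matter.
#    Access granted only through a group (e.g. Administrators) shows as False.
$crypto = Join-Path $env:APPDATA 'Microsoft\Crypto'
$full   = [System.Security.AccessControl.FileSystemRights]::FullControl
$sids   = [ordered]@{
    'Current user' = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    'SYSTEM'       = 'S-1-5-18'
}
$rules = (Get-Acl -Path $crypto).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
foreach ($name in $sids.Keys) {
    $hit = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sids[$name] -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    }
    [pscustomobject]@{ Folder = $crypto; Account = $name; FullControl = [bool]$hit }
}
```

A LastResult of 0x00000000 means the task's last run succeeded; any other value is the code to look up in Event Viewer.
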
To help narrow down the cause of your EFS error, could you tell me:
What specific error code or Event ID is appearing in your Event Viewer?
Which Windows version (Home, Pro, or Enterprise) are you currently running?