NinjaOne Backup — Error 5: EFS-Encrypted File Access Denied
Audience: T2
Use when: Backup fails with "Error 5: Access denied to agent due to EFS file encryption."
What EFS Is
EFS (Encrypting File System) is a Windows feature that encrypts individual files or folders using the user's certificate. Files encrypted with EFS are tied to the specific user's encryption certificate — even SYSTEM and local Administrators cannot read them without the user's private key.
Lockhart runs as SYSTEM. If a file in the backup path is EFS-encrypted, Lockhart cannot decrypt or read it, and Error 5 fires.
Is EFS Common at Dental Sites?
Uncommon — most dental practices don't deliberately use EFS. When it appears, it's usually:
- A user manually encrypted their Documents or Desktop folder
- A third-party tool applied EFS to a folder (some DLP or security tools)
- EFS was applied unexpectedly during a data migration or Windows upgrade
Step 1 — Identify Which Files Are EFS-Encrypted
# Scan local drives for EFS-encrypted files (/n lists them without updating keys)
# (Run as Administrator — will still not be able to read the files, but can identify them)
cipher /u /n
# Or check a specific folder (-Force includes hidden items such as AppData)
Get-ChildItem "C:\Users" -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
    Select-Object FullName, Attributes | Format-Table -AutoSize
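To decide between decrypting and excluding in Step 2, it helps to know who owns the encrypted files and which folders they sit in. The script below is an added example, not NinjaOne tooling or part of the original procedure; the function name, the scan root and the CSV path are assumptions, and the NTFS owner is used only as a pointer to the likely encrypting user.

```powershell
# Added example. Run in an elevated PowerShell session.
# Assumption: the scan root is a path covered by the backup plan; adjust as needed.
function Get-EfsInventory {
    param(
        [Parameter(Mandatory)] [string] $ScanRoot
    )
    $encrypted = [System.IO.FileAttributes]::Encrypted

    Get-ChildItem -LiteralPath $ScanRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band $encrypted } |
        ForEach-Object {
            # Reading the owner needs ACL access only, not the EFS private key.
            try   { $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner }
            catch { $owner = 'unknown (ACL not readable)' }

            [pscustomobject]@{
                Folder   = $_.DirectoryName
                File     = $_.Name
                Owner    = $owner
                SizeKB   = [math]::Round($_.Length / 1KB, 1)
                Modified = $_.LastWriteTime
            }
        }
}

$inventory = @(Get-EfsInventory -ScanRoot 'C:\Users')

# One row per folder and owner: candidates for decryption by that user
# or for a backup exclusion, largest groups first.
$inventory | Group-Object Folder, Owner | ForEach-Object {
    [pscustomobject]@{
        Folder  = $_.Group[0].Folder
        Owner   = $_.Group[0].Owner
        Files   = $_.Count
        TotalKB = ($_.Group | Measure-Object SizeKB -Sum).Sum
    }
} | Sort-Object Files -Descending | Format-Table -AutoSize

# Keep the full file list for the ticket (hypothetical output path).
$inventory | Export-Csv -Path "$env:TEMP\efs-inventory.csv" -NoTypeInformation
```

The owner shown is the NTFS owner, which is usually but not always the user who encrypted the file; `cipher /c` on a single file shows which users and recovery certificates can actually decrypt it.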
Step 2 — Options for Resolution
Option A — Decrypt the files (preferred if EFS isn't needed)
The file owner (the user whose certificate encrypted the files) must do this:
- Right-click the file/folder → Properties → Advanced
- Uncheck Encrypt contents to secure data
- Apply to this folder, subfolders, and files
- After decryption: trigger a manual backup run
# Alternatively (run as the file owner, not as admin):
cipher /d /s:"C:\Path\To\EFS\Folder"
Option B — Exclude the EFS path from backup
If the files are legitimately encrypted and shouldn't be decrypted:
- NinjaOne → device → Backup → Edit plan → Exclusions → add the EFS folder path
- Save and trigger a manual backup run
- Document in the Halo ticket that this path is excluded and why
Option C — Add Lockhart as a Recovery Agent (Advanced — T3)
EFS supports Data Recovery Agents (DRAs) — accounts that can decrypt any EFS file in a domain. Adding the NinjaOne backup agent or a domain recovery account as a DRA is a T3-level AD configuration task. Not typically warranted at dental sites.
Important Notes
- EFS-encrypted files are not backed up at all when Error 5 fires — they are skipped entirely
- If the user's certificate is lost (e.g., user profile deleted, Windows reinstalled), the EFS-encrypted files may be permanently unrecoverable — this is a data risk worth flagging to the AM
- EFS is distinct from BitLocker — BitLocker encrypts entire volumes, EFS encrypts individual files. Different tools, different solutions.
Escalate to T2 If:
- The EFS-encrypted files are critical dental data (patient records, images) and the user certificate is at risk
- Decryption fails because the user's certificate is missing — data recovery evaluation needed