"The cryptographic operation failed due to a local security option setting"...Indeed.
Kinda a one off odd one.. but I’ve seen it more than once… so it gets a blog entry.
Failure to install any items digitally signed.
My most recent experience was with a chap who was getting this error and failed to install MDAC update. His environment: Windows 2000 Server in an NT4 domain. ( not that the domain etc.. matters much for this to occur )
Here was the mdac update failure:
Run MDAC_TYP.EXE and you see a popup.
After this you see another error.
---------------------------
Advanced INF Installer
---------------------------
INF Install failure. Reason: The cryptographic operation failed due to a local security option setting.
Additionally – if you look in the local certificate store. MMC -> add certificates snapin for local machine.
Any attempt to view any cert in the Trusted Root store you will see the failure below:
“The cryptographic operation failed due to a local security option setting”
What is going on here?? ( yes Joe.. I am an actor... )
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
State: 63c00
Here we see the defined flags:
Value |
Meaning |
WTPF_TRUSTTEST |
Trust any test certificate. |
WTPF_TESTCANBEVALID |
Check any test certificate for validity. |
WTPF_IGNOREEXPIRATION |
Use expiration date. |
WTPF_IGNOREREVOKATION |
Do revocation check. |
WTPF_OFFLINEOK_IND |
If the source is offline, trust any individual certificates. |
WTPF_OFFLINEOK_COM |
If the source is offline, trust any commercial certificates. |
WTPF_OFFLINEOKNBU_IND |
If the source is offline, trust any individual certificates. Do not use the user interface (UI). |
WTPF_OFFLINEOKNBU_COM |
If the source is offline, trust any commercial certificates. Do not use the checking UI. |
WTPF_VERIFY_V1_OFF |
Turn off verification of version 1.0 certificates. |
WTPF_IGNOREREVOCATIONONTS |
Ignore time stamp revocation checks. |
WTPF_ALLOWONLYPERTRUST |
Allow only items in personal trust database. |
"C:\Program Files\Microsoft Visual Studio 8\VC\PlatformSDK\Include\WinTrust.h
The ones related to this blog are in bold below:
#define WTPF_TRUSTTEST 0x00000020 // trust any "TEST" certificate
#define WTPF_TESTCANBEVALID 0x00000080
#define WTPF_IGNOREEXPIRATION 0x00000100 // Use expiration date
#define WTPF_IGNOREREVOKATION 0x00000200 // Do revocation check
#define WTPF_OFFLINEOK_IND 0x00000400 // off-line is ok individual certs
#define WTPF_OFFLINEOK_COM 0x00000800 // off-line is ok commercial certs
#define WTPF_OFFLINEOKNBU_IND 0x00001000 // off-line is ok individual certs, no bad ui
#define WTPF_OFFLINEOKNBU_COM 0x00002000 // off-line is ok commercial certs, no bad ui
#define WTPF_VERIFY_V1_OFF 0x00010000 // turn verify of v1 certs off
#define WTPF_IGNOREREVOCATIONONTS 0x00020000 // ignore TimeStamp revocation checks
#define WTPF_ALLOWONLYPERTRUST 0x00040000 // allow only items in personal trust db.
So when it has the 0x00040000 flag set – it will only allow items in the trusted publisher store.
Most folks will find that their trusted publisher store is empty.
You can add the required trusted root cert to the trusted publisher store – or simply change the flags to State: 23c00
How would your flags be set to such a value? If you are using software restricion policies ( SAFER ) and have configured Trusted Publisher settings perhaps?
Another time it may be handy to edit these trusted publisher flags – is if you have a proxy\firewall which requires machine authentication and something is installing in the machine context.
Like:
Symptom: Unable to upgrade to SMS 2003 SP1 Advanced clients to SMS 2003 SP2 Advanced client.
Push install fails
Manual install fails
Installation process hangs - does not complete; does not end.
You can change the state to 23e00 which will change it so “Do revocation check.” Is off, and then perform the installation. This would be a temporary measure.
A friendlier method may be to use setreg from https://msdn.microsoft.com/library/default.asp?url=/workshop/security/authcode/signing.asp
SetReg
The SetReg utility is used to set the value of the registry keys controlling the behavior of the Authenticode certificate verification process. These keys are called the Software Publishing State Keys. When SetReg has completed the requested action, the current state of the Software Publishing State Keys is displayed.
EDIT:: one more - if you have this set the "wrong" way - you will also get a failure trying to download new security
updates from Windows Update web site.. you will see error: 0x80092026
spat
Comments
Anonymous
June 07, 2006
Thanks a million for this one. I've been trying to resolve it for weeks! I have a Windows 2003 DC that wouldn't get updates and installing them manually was a pain.Anonymous
June 08, 2006
wow - cool , im glad to see it helped someone! Maybe this blog thing really works... ive been wondering if any of these tips mini KB's help anyone. thx for the feedback!Anonymous
June 23, 2006
Hi, i am getting this on a site and this is affecting all the DCs. Tried the flags (were set as recommended already) so not sure what else to try from here?Anonymous
June 25, 2006
You may also want to try some of the steps in http://support.microsoft.com/kb/822798Anonymous
August 21, 2006
I've been seeing this error for a while now - not only on Windows Update but also because it prevents Windows Live Messenger from signing in... I must have visited dozens of sites which suggest the options noted in the KB article that SpatDSG posted earlier, but nothing worked except your solution. Great work!Anonymous
March 23, 2007
After days of reading, fussing and cussing, this solved my problem. Thanx a millionAnonymous
September 10, 2007
Wonderfull !!! Thank you m@xAnonymous
November 14, 2007
Yet another salvation story! I grumbled about my MS installer failure problems for weeks until I happened to try and set up a secure website on this server and noticed the certificate error. That's when I found this site and it fixed me right up. Thanks a bunch!Anonymous
November 14, 2007
Wow - thanks! :) Yaknow the interesting thing about this post - is that I started the thing with saying "Kinda a one off odd one.. but I’ve seen it more than once… so it gets a blog entry." But there seem to be quite a few of these cases.. I wonder how the policy is being changed. odd.Anonymous
February 18, 2008
Thanks - I had major problems starting Symantec Antivirus and accessing Windows Update. I knew it was a code signing problem, but I was unable to find how to cure it. To fix the problem I applied your solution, but instead of HKEY_CURRENT_USER I had to change the settings under HKEY_USERSS-1-5-18Software... to get the settings applied to LocalSystem. -LarsPAnonymous
April 04, 2008
The comment has been removedAnonymous
April 28, 2008
Your solution works like a charm. Once I change the state to 23c00 the install worked. So simple and quick compared to the microsoft solutions (which didn't work). MANY MANY THANKS. SimonAnonymous
January 13, 2009
The comment has been removedAnonymous
January 17, 2009
PingBack from http://www.hilpers.com/1175925-update-ueber-wsus-schlaegt-fehlAnonymous
April 29, 2009
Hello, I had to change it back to 63c00 to make my windows update work. http://msn-errors.blogspot.com/2007/02/fix-8004888d-error.htmlAnonymous
April 29, 2012
thanks soo much for this solution man , u really helped a lotAnonymous
April 02, 2014
I really love your write-ups guys continue the good work. <a href="www.best-5-home-security-companies.com/">adt security reviews</a>Anonymous
August 31, 2015
This solved my Problems with WindowsUpdates, DirectX Update, Origin and GTA5. I nearly reistalled Windows because of this. But everything seems to be back to normal now. Thanks a lot!