locked
Windows Update error 80092026 and Cryptographic problems when installing programs RRS feed

  • Question

  • Hi,

    We are having problems with a couple of our servers running windows server 2008 and a vista client machine.
    1) When installing a program an error comes up "The cryptographic operation failed due to a local security option setting"
    2) Windows Update cannot install updates and repprts back with the error code 80092026

    I have found some information on the web to solve this but it requires deleting a key out of the registry.
    The key that they says needs to be removed is "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"

    My knowledge on certificates and related security is limited. Is there going to be any problems if i delete the key as per the instructions
    I have seen? I have done this on the vista client machine and the problem has been solved, but im less keen on doing this on the server
    Monday, November 23, 2009 6:23 AM

Answers

  • Hi,

     

    As far as I know, the Safer registry entry does not exist by default. It is created after you enable the Trusted Publishers in Software Restriction Polices. This issue may occur if you select an option other than the “Allow all administrators and users to manage user’s own Trusted Publishers” option in the Trusted Publishers Properties.

     

    Therefore, if you enable the Trusted Publishers, please select the “Allow all administrators and users to manage user’s own Trusted Publishers” option, and run gpupdate /force on the computer to check if the issue goes away.

     

    If Software Restriction Policies is not configured, it is safe to remove the Safer registry entry. I suggest that you backup the key and then remove it.

     

    For more information about Software Restriction Policies, please refer to the following articles:

     

    How Software Restriction Policies Work

    http://technet.microsoft.com/en-us/library/cc786941(WS.10).aspx

     

    Joson Zhou

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Joson Zhou Friday, November 27, 2009 3:29 AM
    Tuesday, November 24, 2009 2:40 AM

All replies

  • Hi,

     

    As far as I know, the Safer registry entry does not exist by default. It is created after you enable the Trusted Publishers in Software Restriction Polices. This issue may occur if you select an option other than the “Allow all administrators and users to manage user’s own Trusted Publishers” option in the Trusted Publishers Properties.

     

    Therefore, if you enable the Trusted Publishers, please select the “Allow all administrators and users to manage user’s own Trusted Publishers” option, and run gpupdate /force on the computer to check if the issue goes away.

     

    If Software Restriction Policies is not configured, it is safe to remove the Safer registry entry. I suggest that you backup the key and then remove it.

     

    For more information about Software Restriction Policies, please refer to the following articles:

     

    How Software Restriction Policies Work

    http://technet.microsoft.com/en-us/library/cc786941(WS.10).aspx

     

    Joson Zhou

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Joson Zhou Friday, November 27, 2009 3:29 AM
    Tuesday, November 24, 2009 2:40 AM
  • Hi There,

    In-line with Joson suggestion , i would like you to go through the below article and confirm us back.

    http://support.microsoft.com/default.aspx/kb/822798


    Tuesday, November 24, 2009 5:59 AM
  • Thanks for the reply,

    I backed up the key and deleted it this morning off the server and all appears to be fine at the moment.
    I was trying to get some idea of where the key orginated from and was referencing, since we dont have any software
    restriction policies in place.

    Could there have been anything else that caused the safer registry key to exist?

    Thanks for the reply
    Brad
    Tuesday, November 24, 2009 7:17 AM
  • Thanks,

    I had found this article before but there were some slight differences between what was in the article and what was happening.
    I gather the issue is to do with the fact that the programs and upadtes being installed don't have a certificate in the trusted publisher section.
    This would make sense if we had any software restriction policies in place, but we dont.

    Unless i can determine otherwise deleting the safer key hasnt caused any problems yet and solved the problems.

    Tuesday, November 24, 2009 7:21 AM
  • Hi,

     

    As far as I know, the registry SOFTWARE\Policies is used to store policy-related settings. However, please note that user or application can also create entry under that registry key as long as they have permission.

     

    Based on the current situation, I suggest that you double confirm if the policy is configured in domain GPO (rsop.msc) or local GPO (secpol.msc) and check if there is any script creating the entry. If you have confirmed that, you may monitor the registry key to see if it will be created again.

    In addition, enabling audit may help collect more information once the registry entry is created again.

     

    Audit activity on a registry key

    http://technet.microsoft.com/en-us/library/cc757250(WS.10).aspx


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, November 25, 2009 8:59 AM
  • I deleted the Safer registry key, and that did not work.  I tuned off Pop Up Blocker, and that worked.  It could have been all that was needed.

    Thanks

    Tuesday, December 1, 2009 4:56 PM
  • I had the same error on an XP Pro box and removing the registry key worked for me.

    No software policies are assigned here either.

    defender and security essentials were both failing with the cryptographic error so first i initiated the defenders msi install package, waited for the error message then shut the power down (not recommending that method) and the next boot up shows the error.
    Defender installed successfully although the service still wouldn't run so i finally deleted the key as recommended and now the error is gone.
    I must have changed some group policy setting to cause the key to be written. Woops

    Thanks Brad and Joson!
    Friday, February 12, 2010 8:17 AM
  • Worked for me. I updated the GPO to use AES as default encryption and the machine in hand (windows 2008) did was not 'respected' as to my recollection AES is newer. Anyway, I was looking for ways to include encryption protocols other than AES and ran into this post when googled "The cryptographic operation failed due to a local security option setting.". Removing the Safer Key resolved my problem. Probably it is going to come back with GPO update and I have to find a permenant fix but for now I am good.

    Aamir Qureshi 


    Aamir M Qureshi http://www.agileconcepts.com/blogs/aq http://www.linkedin.com/in/aamirq

    Sunday, July 28, 2013 6:00 AM
  • Thank you! Deleting that key worked for me.

    Windows 2008 R2


    Leisa

    Tuesday, January 6, 2015 3:55 PM
  • I found the offending key for those that are interested.

    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

    State SHOULD be 146432 or 0x00023c00

    If it switches to 408576 or 0x00063c00

    Then it will cause these Crypto Errors


    lforbes


    • Edited by lforbes Thursday, April 6, 2017 6:53 PM
    Wednesday, March 1, 2017 4:35 PM
  • You resolved a very obscure issue for me. Could not install VirtualBox, and a few weeks of research led me here after finally looking at the MSILogs and determining an issue with the root certificates.

    Randomly looked up why Windows Update was giving me the above error code, and that led me here. Your fix resolved my Windows Update error as well as my VirtualBox failing to install.

    Wednesday, August 16, 2017 10:55 PM
  • Thank you. this helped fix my issue
    Thursday, October 25, 2018 2:16 PM