Error message when you try to validate a copy of Windows: The cryptographic operation failed due to a local security option setting

When you try to validate a copy of Windows, you may receive an error message that resembles the following:

Update installation failed. Error information: 0x80092026

When you try to validate Windows from, Windows downloads an update 971033, however when Windows tries to install the update, the update shows an error message that is mentioned above. Additionally, if you try to download the update KB971033 on your machine and run it manually, you may receive following error message:

Installer encountered an error: 0x80092026
The cryptographic operation failed due to a local security option setting.

This error occurs when the 'State' value of below mentioned registry key is incorrectly set. This value corresponds to the Internet Explorer security setting "Check for publisher’s certificate Revocation" and "Check for signatures on downloaded programs"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

You can find a key with the name ‘State’. By default the values is set to – ‘23c00’
To resolve this problem, change the registry key to a valid setting, e.g.

State = 0x00023e00 - ‘Check for publisher’s certificate Revocation’ Unchecked
State = 0x00023c00 - ‘Check for publisher’s certificate Revocation’ Checked

The wrong value might result from an issue described in following Knowledge Base article:
982606 The value of the "State" registry item is changed after a Group Policy preferences setting is applied in Windows Server 2008, in Windows Vista or in Windows Server 2008 R2

Use one of the methods:

Method 1: Editing the Registry

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
  1. Start Registry Editor (Regedit.exe)
  2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  3. On the left side pane look for State key and double click to open it
  4. Change the Value data to 23c00 or 23e00 (Hexadecimal)
  5. Quit Registry Editor.

Method 2: Create a reg file
  1. Start Notepad.
  2. In Notepad, paste the following information.
    Windows Registry Editor Version 5.00[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"State"=dword:00023c00
  3. Save the file as a .reg file.
  4. Double-click the .reg file that you saved in step 3.
Above registry changes does not requires any reboot. You can try to install the update manually or can go to validate Windows online.
You would be able to validate your Windows successfully.
In some cases, you might be required to update the 'State' value for following two registry as well. 

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
HKEY_USERS\.DEFAULT \Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

Note: Ensure whatever value is updated for HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing, should be exact for above two registry.
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Article ID: 2715304 - Last Review: 06/01/2012 17:25:00 - Revision: 1.0

Windows Vista Home Basic, Windows Vista Home Premium, Windows Vista Business, Windows Vista Enterprise, Windows Vista Ultimate, Windows Vista Service Pack 2, Windows Server 2008 Standard, Windows Server 2008 Standard without Hyper-V, Windows Server 2008 Enterprise, Windows Server 2008 Enterprise without Hyper-V, Windows Server 2008 Datacenter, Windows Server 2008 Datacenter without Hyper-V, Windows Server 2008 for Itanium-Based Systems, Windows Server 2008 Service Pack 2, Windows 7 Home Basic, Windows 7 Home Premium, Windows 7 Professional, Windows 7 Enterprise, Windows 7 Ultimate, Windows 7 Service Pack 1, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Standard without Hyper-V, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Enterprise without Hyper-V, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Datacenter without Hyper-V, Windows Server 2008 R2 for Itanium-Based Systems, Windows Server 2008 R2 Service Pack 1

  • KB2715304