Windows Server 2012 & IE10 STIG (POSTED AS INFORMATION, NOT A QUESTION)
Installer encountered an error: 0x800b010e
The revocation process could not continue - the certificate(s) could not be checked.
May also appear as 0x80092026 if you have attempted to fix w/o success as well.
After securing a Windows Server 2012, I get the above error when I attempt to apply patches, specifically MSUs in our closed environment. All the research I have done on the internet points only to .NET 4 failures, which doesn't help me, or anyone else who stumbles across this. My fix/workaround is listed below. Remember to revert back to the STIG setting to be compliant, and inform your server teams responsible for patching of the procedure, and to also revert back if required when done.
I have been researching this one for a while, and decided to walk each line of the Security Technical Implementation Guides (STIGs) line by line until I found the error in the IE10 STIG. The requirements below for the STIG are listed, and the setting that causes the error is the registry value, STATE REG_DWORD = 65536 (decimal). Temporarily reverting it back to its original setting allowed us to implement the patches.
The original vanilla setting appears as:
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing]
"State"=dword:00023c00
Group Title: Publishers Certificate Revocation
Rule Title: Check for publishers certificate revocation must be enforced.
Vulnerability Discussion: Check for publisher's certificate revocation options should be enforced to ensure all PKI signed objects are validated.
Check Content: Open Internet Explorer. From the menu bar select Tools. From the Tools drop-down menu, select Internet Options. From the Internet Options window, select the Advanced tab, from the Advanced tab window scroll down to the Security category, verify a check mark is placed in the "Check for publisher's certificate revocation" box.
Procedure: Use the Windows Registry Editor to navigate to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Criteria: If the value State is REG_DWORD = 65536 (decimal), this is not a finding.
Fix Text: Check mark the option to enable "Check for publisher's certificate revocation" in the Internet Explorer Options, Advanced page.
NOTE: Manual entry for the value State, set to REG_DWORD = 65536, may first be required.
Mac MacAnanny - Engineer - DoD - Office of the Secretary of Defense - DoD
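The workaround described in the post above, as an added PowerShell example that is not part of the original post: it reports the State value under both keys the post names, and wraps a patch run so the previous value is always written back afterwards. The function names, the choice to handle both hives, and the MSU path are assumptions for illustration.

```powershell
# Added example; not from the original post. Run elevated.
$SubKey  = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
# Both keys quoted in the post; handling both is an assumption of this example.
$Keys    = @("Registry::HKEY_CURRENT_USER\$SubKey", "Registry::HKEY_USERS\.DEFAULT\$SubKey")
$Stig    = 65536        # 0x00010000, "not a finding" per the STIG criteria
$Vanilla = 0x00023c00   # original setting quoted in the post

# Hypothetical helper: report State per key and whether it matches the STIG value.
function Get-SoftwarePublishingState {
    foreach ($key in $Keys) {
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name State -ErrorAction SilentlyContinue).State
        }
        [pscustomobject]@{
            Key       = $key
            State     = $value
            Hex       = if ($null -ne $value) { '0x{0:x8}' -f $value } else { $null }
            Compliant = ($value -eq $Stig)
        }
    }
}

# Hypothetical helper: set the vanilla value, run the patch action, then
# restore whatever was there before, even if the action throws.
function Invoke-WithVanillaState {
    param([Parameter(Mandatory)][scriptblock]$Action)
    $saved = @(Get-SoftwarePublishingState | Where-Object { $null -ne $_.State })
    try {
        foreach ($s in $saved) {
            Set-ItemProperty -Path $s.Key -Name State -Value $Vanilla -Type DWord
        }
        & $Action
    }
    finally {
        foreach ($s in $saved) {
            Set-ItemProperty -Path $s.Key -Name State -Value $s.State -Type DWord
        }
        # Show the post-restore state so compliance can be confirmed.
        Get-SoftwarePublishingState | Format-Table -AutoSize
    }
}

# Report only:
Get-SoftwarePublishingState | Format-Table -AutoSize

# Patch run (MSU path is a placeholder):
# Invoke-WithVanillaState { Start-Process wusa.exe -ArgumentList 'C:\Patches\PLACEHOLDER.msu','/quiet','/norestart' -Wait }
```

A `Compliant` value of `False` in the final table means the key did not hold 65536 before the run either, since the script restores the prior value rather than forcing the STIG one.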