Am getting an error code 800B010B "Generic trust error" trying to install KB2600217 x64 on Windows 7 SP1 64-bit. Have tried: -- multiple attempts to install via Windows update -- downloaded stand-along installer -- ran repair install of .NET 4 Framework on my PC and retried the above -- tried manually installing from the "untrusted" .MSP file; it installed OK, but my machine still thinks the patch is needed so I am back to square #1 again. --------------------------- log file: OS Version Information: ... [2/15/2012, 14:12:6]OS Version = 6.1.7601, Platform 2, Service Pack 1 [2/15/2012, 14:12:6]OS Description = Windows 7 - x64 Service Pack 1 [2/15/2012, 14:12:6] OS Version Information [2/15/2012, 14:12:6] Environment details: ... [2/15/2012, 14:12:6]CommandLine = c:\d0dcca852362c13272\Setup.exe [2/15/2012, 14:12:6]TimeZone = AUS Eastern Daylight Time [2/15/2012, 14:12:6]Initial LCID = 3081 [2/15/2012, 14:12:6] Environment details [2/15/2012, 14:12:6]Loading localized engine data for language 1033 from c:\d0dcca852362c13272\1033\LocalizedData.xml [2/15/2012, 14:12:6] Entering Function: LocalizedData::CreateLocalizedData... [2/15/2012, 14:12:6] exiting function/method [2/15/2012, 14:12:6] succeeded [2/15/2012, 14:12:6] Entering Function: EngineData::CreateEngineData... [2/15/2012, 14:12:6]Current SetupVersion = 1.0 [2/15/2012, 14:12:6]SetupVersion specified in ParameterInfo.xml is '1.0' [2/15/2012, 14:12:6]patch NDP40-KB2600217.msp added [2/15/2012, 14:12:6]Adding Item type "Patches", local path (not applicable) [2/15/2012, 14:12:6]No ProcessBlock element [2/15/2012, 14:12:6]No ServiceBlock element [2/15/2012, 14:12:6]Using Simultaneous Download and Install mechanism [2/15/2012, 14:12:6] exiting function/method [2/15/2012, 14:12:6] succeeded [2/15/2012, 14:12:6] MaintenanceMode determination: evaluating EnterMaintenanceModeIf... [2/15/2012, 14:12:6]evaluating EnterMaintenanceModeIf: [2/15/2012, 14:12:6]returning false [2/15/2012, 14:12:6] MaintenanceMode determination evaluates to 'not in maintenance mode' [2/15/2012, 14:12:6] Operation Type: ... [2/15/2012, 14:12:6]Operation: Installing [2/15/2012, 14:12:6] Operation Type [2/15/2012, 14:12:6] Package details: KB2600217... [2/15/2012, 14:12:6]Package Name = KB2600217 [2/15/2012, 14:12:6]Package Version = 10.0.30319 [2/15/2012, 14:12:6] Package details [2/15/2012, 14:12:6] User Experience Data Collection Policy: ... [2/15/2012, 14:12:6]User Experience Data Collection Policy: Disabled [2/15/2012, 14:12:6] User Experience Data Collection Policy [2/15/2012, 14:12:6] Entering Function: UiDataT<class CCmdLineSwitches=""></class>::CreateUiDataT... [2/15/2012, 14:12:6]Loading file - c:\d0dcca852362c13272\UiInfo.xml [2/15/2012, 14:12:6]Add to schema collection schema file - c:\d0dcca852362c13272\SetupUi.xsd [2/15/2012, 14:12:6]Successfuly found file c:\d0dcca852362c13272\1033\SetupResources.DLL [2/15/2012, 14:12:6]Successfuly found file c:\d0dcca852362c13272\Strings.xml [2/15/2012, 14:12:6] exiting function/method [2/15/2012, 14:12:6] succeeded [2/15/2012, 14:12:6] Global Block Checks: Checking for global blockers... [2/15/2012, 14:12:6] Global Block Checks no blocking conditions found [2/15/2012, 14:12:6]OpenFileMapping fails with last error: 6 [2/15/2012, 14:12:6]The handle to the section is Null [2/15/2012, 14:12:6]OpenFileMapping fails with last error: 6 [2/15/2012, 14:12:6]The handle to the section is Null [2/15/2012, 14:12:6] Applicability for Installing: evaluating each item... [2/15/2012, 14:12:6] Determining state: of c:\d0dcca852362c13272\NDP40-KB2600217.msp... [2/15/2012, 14:12:6]evaluating ApplicableIf: [2/15/2012, 14:12:6] Exists: evaluating... [2/15/2012, 14:12:6]MsiXmlBlob: this patch is applicable [2/15/2012, 14:12:6] Exists evaluated to true [2/15/2012, 14:12:6]evaluating IsPresent: [2/15/2012, 14:12:6] Exists: evaluating... [2/15/2012, 14:12:6]MsiGetCachedPatchPath with patch code {4DFA8287-EA36-3469-99FE-F568FEC81653}, returned: C:\Windows\Installer\9e7ca.msp [2/15/2012, 14:12:6] Exists evaluated to true [2/15/2012, 14:12:6] Determining state of c:\d0dcca852362c13272\NDP40-KB2600217.msp - available but not verified yet [2/15/2012, 14:12:6] Determining state: of c:\d0dcca852362c13272\SetupUtility.exe... [2/15/2012, 14:12:6] Determining state of c:\d0dcca852362c13272\SetupUtility.exe - available but not verified yet [2/15/2012, 14:12:6]evaluating ApplicableIf: [2/15/2012, 14:12:6] Exists: evaluating... [2/15/2012, 14:12:6]MsiXmlBlob: this patch is applicable [2/15/2012, 14:12:6] Exists evaluated to true [2/15/2012, 14:12:6]evaluating IsPresent: [2/15/2012, 14:12:7] Exists: evaluating... [2/15/2012, 14:12:7]MsiGetCachedPatchPath with patch code {4DFA8287-EA36-3469-99FE-F568FEC81653}, returned: C:\Windows\Installer\9e7ca.msp [2/15/2012, 14:12:7] Exists evaluated to true [2/15/2012, 14:12:7] Applicability for Installing determination is complete [2/15/2012, 14:12:7] Applicability Result Count: ... [2/15/2012, 14:12:7]Number of applicable items: 1 [2/15/2012, 14:12:7] Applicability Result Count [2/15/2012, 14:12:7]evaluating ApplicableIf: [2/15/2012, 14:12:7] Exists: evaluating... [2/15/2012, 14:12:7]MsiXmlBlob: this patch is applicable [2/15/2012, 14:12:7] Exists evaluated to true [2/15/2012, 14:12:7]evaluating IsPresent: [2/15/2012, 14:12:7] Exists: evaluating... [2/15/2012, 14:12:7]MsiGetCachedPatchPath with patch code {4DFA8287-EA36-3469-99FE-F568FEC81653}, returned: C:\Windows\Installer\9e7ca.msp [2/15/2012, 14:12:7] Exists evaluated to true [2/15/2012, 14:12:7] Summary Information: Microsoft .NET Framework 4 Client ProfileMicrosoft .NET Framework 4 Extended [2/15/2012, 14:12:8]Successfuly found file c:\d0dcca852362c13272\1033\EULA.rtf [2/15/2012, 14:12:11] Action: System Requirement Checks... [2/15/2012, 14:12:11] Action: Disk space check for items being downloaded... [2/15/2012, 14:12:11]Drive:[C:\] Bytes Needed:[33189888] Bytes Available:[378549366784] [2/15/2012, 14:12:11] Action complete [2/15/2012, 14:12:11] Action: Enumerating incompatible processes... [2/15/2012, 14:12:11]No Blocking Processes [2/15/2012, 14:12:11] Action complete [2/15/2012, 14:12:11] Action: Enumerating incompatible services... [2/15/2012, 14:12:11]No Blocking Services [2/15/2012, 14:12:11] Action complete [2/15/2012, 14:12:11] Action complete [2/15/2012, 14:12:11] Action: Downloading and/or Verifying Items... [2/15/2012, 14:12:11]Launching Download and Install operations simultaneously. [2/15/2012, 14:12:11]Verifying Digital Signatures: c:\d0dcca852362c13272\NDP40-KB2600217.msp [2/15/2012, 14:12:11] c:\d0dcca852362c13272\NDP40-KB2600217.msp: Verifying signature for NDP40-KB2600217.msp... [2/15/2012, 14:12:12]c:\d0dcca852362c13272\NDP40-KB2600217.msp - Signature verification for file NDP40-KB2600217.msp (c:\d0dcca852362c13272\NDP40-KB2600217.msp) failed with error 0x800b010e (The revocation process could not continue - the certificate(s) could not be checked.) [2/15/2012, 14:12:12] c:\d0dcca852362c13272\NDP40-KB2600217.msp Signature could not be verified for NDP40-KB2600217.msp [2/15/2012, 14:12:12]No FileHash provided. Cannot perform FileHash verification for NDP40-KB2600217.msp [2/15/2012, 14:12:12]File NDP40-KB2600217.msp (c:\d0dcca852362c13272\NDP40-KB2600217.msp), failed authentication. (Error = -2146762482). It is recommended that you delete this file and retry setup again. [2/15/2012, 14:12:12]Failed to verify and authenticate the file -c:\d0dcca852362c13272\NDP40-KB2600217.msp [2/15/2012, 14:12:12]Please delete the file, c:\d0dcca852362c13272\NDP40-KB2600217.msp and run the package again [2/15/2012, 14:12:12] Action complete [2/15/2012, 14:12:11]calling PerformAction on an installing performer [2/15/2012, 14:12:11] Action: Performing actions on all Items... [2/15/2012, 14:12:11]Wait for Item (NDP40-KB2600217.msp) to be available [2/15/2012, 14:12:12]Final Result: Installation failed with error code: (0x800B010B), "Generic trust failure. " (Elapsed time: 0 00:00:06). [2/15/2012, 14:12:15]WM_ACTIVATEAPP: Focus stealer's windows WAS visible, NOT taking back focus

... and just in case anyone asks, no, I do not have a product called Entrust installed: http://blogs.msdn.com/b/smondal/archive/2011/04/22/installation-failed-with-error-code-0x800b010b-quot-generic-trust-failure.aspx

EDIT: Actually, there's an easier solution. For us poor schmoes who are only domain admin users, we can't install this. However, if you log in with someone who has rights as a LOCAL ADMIN, you're fine. Even if "domain admins" is in the "Administrators" group on the machine in question, that doesn't matter. You need to log in as a user who also has an explicit user on the machine who is in the Administrators group. So if my user on the domain is "proz" and I make a local admin on a machine also called "proz", then the updates will work fine. Tested on XP and Vista and Win7 x64. So... it's some stupid permissions issue? What the heck? As an added bonus, it seems like you have to use a user who was created BEFORE joining the machine to the domain. So if you create an admin user afterward, still no dice. But if you use, say, "Administrator" which pre-exists, you're good to go. CRAZY. Alternate solution detailed below: Same deal for me on WinXP SP3. While we don't use a product called Entrust, we do have Entrust certificates installed in "Trusted Root Certification Authorities". These are required by our vendor (the US Federal Government) so it's not something we can remove from our computers. We did get an update a few months ago and that may be a factor, but I don't know enough about the install process to know if it's hitting an outdated CA or something. This happened with a .NET update a few months ago, too. The only workaround I know of is to download the freestanding installer, extract out everything from the archive into a temporary folder (7zip works for this, open the installer as an archive), right-click NDP40-KB2600217.msp, go to properies, go to Digital Dignatures, highlight the entry, click on Details, you'll see an error, click on View Certificate, you'll see another error, click on Install Certificate. Run NDP40-KB2600217.msp and you should be good to go. I had to re-scan for windows updates (or if you're using WSUS, hammer wuauclt /ReportNow and wuauclt /DetectNow a few times) and that caused the "you need an update" to go away as successfully installed. I've tried this on our Win7 x64 systems and it works as well. You either have to copy the stuff locally (I installed it from a network drive initially) and/or install it twice. The first time it wanted me to reboot and the update still showed up. It could be that I should have done Windows Updates first, then restarted, then done this one by itself. My first attempt I mixed all the updates together and that may have had a detrimental effect. But this method, in one of its iterations, does get the update successfully installed and out of Windows Updates/WSUS/whatever as a needed update. The certificate errors I see are "Windows cannot determine the validity of this certificate because it cannot locate a valid certificate revocation list from one or more of the certification authorities in the certification path." and "Windows cannot determine the validity of this certificate because it cannot locate a valid certificate revocation list from the certification authority that issued this certificate." We block foreign (non-US) IPs to cut down on spam and hackin' attempts but I don't think that's an issue here. I hope Microsoft resolves this issue in subsequent .NET updates because this is getting old in supporting many computers in a business. My error log dump is as follows: OS Version = 5.1.2600, Platform 2, Service Pack 3 [2/15/2012, 8:52:52]OS Description = WinXP - x86 Professional Service Pack 3 [2/15/2012, 8:52:52] OS Version Information [2/15/2012, 8:52:52] Environment details: ... [2/15/2012, 8:52:52]CommandLine = e:\8658a58e8b556bd3d0ab663d6beec7\Setup.exe /q /norestart /chainingpackage NETFX4WUKB [2/15/2012, 8:52:53]TimeZone = Mountain Standard Time [2/15/2012, 8:52:53]Initial LCID = 1033 [2/15/2012, 8:52:53] Environment details [2/15/2012, 8:52:53]Loading localized engine data for language 1033 from e:\8658a58e8b556bd3d0ab663d6beec7\1033\LocalizedData.xml [2/15/2012, 8:52:53] Entering Function: LocalizedData::CreateLocalizedData... [2/15/2012, 8:52:53] exiting function/method [2/15/2012, 8:52:53] succeeded [2/15/2012, 8:52:53] Entering Function: EngineData::CreateEngineData... [2/15/2012, 8:52:53]Current SetupVersion = 1.0 [2/15/2012, 8:52:53]SetupVersion specified in ParameterInfo.xml is '1.0' [2/15/2012, 8:52:53]patch NDP40-KB2600217.msp added [2/15/2012, 8:52:53]Adding Item type "Patches", local path (not applicable) [2/15/2012, 8:52:53]No ProcessBlock element [2/15/2012, 8:52:53]No ServiceBlock element [2/15/2012, 8:52:53]Using Simultaneous Download and Install mechanism [2/15/2012, 8:52:53] exiting function/method [2/15/2012, 8:52:53] succeeded [2/15/2012, 8:52:53] MaintenanceMode determination: evaluating EnterMaintenanceModeIf... [2/15/2012, 8:52:53]evaluating EnterMaintenanceModeIf: [2/15/2012, 8:52:53]returning false [2/15/2012, 8:52:53] MaintenanceMode determination evaluates to 'not in maintenance mode' [2/15/2012, 8:52:54] Operation Type: ... [2/15/2012, 8:52:54]Operation: Installing [2/15/2012, 8:52:54] Operation Type [2/15/2012, 8:52:54] Package details: KB2600217... [2/15/2012, 8:52:54]Package Name = KB2600217 [2/15/2012, 8:52:54]Package Version = 10.0.30319 [2/15/2012, 8:52:54] Package details [2/15/2012, 8:52:54] User Experience Data Collection Policy: ... [2/15/2012, 8:52:54]User Experience Data Collection Policy: UserControlled [2/15/2012, 8:52:54] User Experience Data Collection Policy [2/15/2012, 8:52:54] Global Block Checks: Checking for global blockers... [2/15/2012, 8:52:54] Global Block Checks no blocking conditions found [2/15/2012, 8:52:54]OpenFileMapping fails with last error: 6 [2/15/2012, 8:52:54]The handle to the section is Null [2/15/2012, 8:52:54]OpenFileMapping fails with last error: 6 [2/15/2012, 8:52:54]The handle to the section is Null [2/15/2012, 8:52:54] Applicability for Installing: evaluating each item... [2/15/2012, 8:52:54] Determining state: of e:\8658a58e8b556bd3d0ab663d6beec7\NDP40-KB2600217.msp... [2/15/2012, 8:52:54]evaluating ApplicableIf: [2/15/2012, 8:52:55] Exists: evaluating... [2/15/2012, 8:52:56]MsiXmlBlob: this patch is applicable [2/15/2012, 8:52:56] Exists evaluated to true [2/15/2012, 8:52:56]evaluating IsPresent: [2/15/2012, 8:52:56] Exists: evaluating... [2/15/2012, 8:52:56]MsiGetCachedPatchPath with patch code {5D9961AC-7C99-36A2-9EF0-34678AED5384} failed [2/15/2012, 8:52:57] Exists evaluated to false [2/15/2012, 8:52:57] Determining state of e:\8658a58e8b556bd3d0ab663d6beec7\NDP40-KB2600217.msp - available but not verified yet [2/15/2012, 8:52:57] Determining state: of e:\8658a58e8b556bd3d0ab663d6beec7\SetupUtility.exe... [2/15/2012, 8:52:57] Determining state of e:\8658a58e8b556bd3d0ab663d6beec7\SetupUtility.exe - available but not verified yet [2/15/2012, 8:52:57]evaluating ApplicableIf: [2/15/2012, 8:52:57] Exists: evaluating... [2/15/2012, 8:52:57]MsiXmlBlob: this patch is applicable [2/15/2012, 8:52:57] Exists evaluated to true [2/15/2012, 8:52:57]evaluating IsPresent: [2/15/2012, 8:52:57] Exists: evaluating... [2/15/2012, 8:52:57]MsiGetCachedPatchPath with patch code {5D9961AC-7C99-36A2-9EF0-34678AED5384} failed [2/15/2012, 8:52:57] Exists evaluated to false [2/15/2012, 8:52:57] Applicability for Installing determination is complete [2/15/2012, 8:52:57] Applicability Result Count: ... [2/15/2012, 8:52:57]Number of applicable items: 1 [2/15/2012, 8:52:57] Applicability Result Count [2/15/2012, 8:52:57] Action: System Requirement Checks... [2/15/2012, 8:52:57]evaluating ApplicableIf: [2/15/2012, 8:52:57] Exists: evaluating... [2/15/2012, 8:52:57]MsiXmlBlob: this patch is applicable [2/15/2012, 8:52:57] Exists evaluated to true [2/15/2012, 8:52:57]evaluating IsPresent: [2/15/2012, 8:52:57] Exists: evaluating... [2/15/2012, 8:52:57]MsiGetCachedPatchPath with patch code {5D9961AC-7C99-36A2-9EF0-34678AED5384} failed [2/15/2012, 8:52:58] Exists evaluated to false [2/15/2012, 8:52:58] Action: Disk space check for items being downloaded... [2/15/2012, 8:52:58]Drive:[C:\] Bytes Needed:[17191936] Bytes Available:[107662675968] [2/15/2012, 8:52:58] Action complete [2/15/2012, 8:52:58] Action: Enumerating incompatible processes... [2/15/2012, 8:52:58]No Blocking Processes [2/15/2012, 8:52:58] Action complete [2/15/2012, 8:52:58] Action: Enumerating incompatible services... [2/15/2012, 8:52:58]No Blocking Services [2/15/2012, 8:52:58] Action complete [2/15/2012, 8:52:58] Action complete [2/15/2012, 8:52:58]Launching Download and Install operations simultaneously. [2/15/2012, 8:52:58] Action: Downloading and/or Verifying Items... [2/15/2012, 8:52:58]Verifying Digital Signatures: e:\8658a58e8b556bd3d0ab663d6beec7\NDP40-KB2600217.msp [2/15/2012, 8:52:58] e:\8658a58e8b556bd3d0ab663d6beec7\NDP40-KB2600217.msp: Verifying signature for NDP40-KB2600217.msp... [2/15/2012, 8:52:59]e:\8658a58e8b556bd3d0ab663d6beec7\NDP40-KB2600217.msp - Signature verification for file NDP40-KB2600217.msp (e:\8658a58e8b556bd3d0ab663d6beec7\NDP40-KB2600217.msp) failed with error 0x800b010e (The revocation process could not continue - the certificate(s) could not be checked.) [2/15/2012, 8:52:59] e:\8658a58e8b556bd3d0ab663d6beec7\NDP40-KB2600217.msp Signature could not be verified for NDP40-KB2600217.msp [2/15/2012, 8:52:59]No FileHash provided. Cannot perform FileHash verification for NDP40-KB2600217.msp [2/15/2012, 8:52:59]File NDP40-KB2600217.msp (e:\8658a58e8b556bd3d0ab663d6beec7\NDP40-KB2600217.msp), failed authentication. (Error = -2146762482). It is recommended that you delete this file and retry setup again.

At first I thought one of Microsoft's CAs hasn't published a valid CRL lately, and it's not something that we can control - that would be up to the Microsoft PKI Ops team to ensure the CA publishes a new CRL. (The alternative theory I had is that the update package that was signed with the offending CA's issued certificate has hard-coded the location of an older CRL, and the only way for this to get resolved is for the team that published this update to re-publish a revised version of the update that points to the current CRL from the publishing CA.) When I browsed down to the signing cert for the NDP40-KB2600217.msp package (as the original poster describes), you can find the location of the CRL from the Details tab of the Certificate, browse the list of Fields to "CRL Distribution Points". That shows us that the location is URL=http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl If you happen to copy this URL into your browser you'll download a tiny file, and if you inspect the "Effective Date" it said "December 12, 2011". I originally thought this was the date the CRL was no longer valid, but now I think that it's just the date when it *became* valid, and that Windows would consider it valid until either the "Next update" date (March 13, 2012) or the "Next CRL Publish" date (March 12, 2012). The reason I'm abandoning these theories is that - while it's still true that Windows isn't able to verify the digital signature (because it can't find the CRL on its own) when automatically trying to run/install this digitally signed update - when I ran the NDP40-KB2600217.msp file manually, it looks like the update installed just fine. I still assert that the original problem is on Microsoft's end, but at least two of us have both been able to work around this with a little elbow grease.

I must wonder, why did MS staff mark as an answer, "this is a problem on MS's end?" Odd. Anyway, it looks like this same issue is back with our buddy KB2656368, another .NET 4 update. What's the deal with this, MS?

Hi, You may want to look at following forum post for some answers/workarounds: http://social.technet.microsoft.com/Forums/en-US/winserverwsus/thread/e29bab28-4b44-48eb-b56c-23a025499ec1 Thanks, Vivek Mishra - MSFTVivek Mishra - MSFT

Thank you, I'll follow that thread and see the progress.