"Machine Certificate cannot be installed" error message in Windows XP (841798)


The information in this article applies to:

  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional

SYMPTOMS

When you try to install a machine certificate on a Microsoft Windows XP-based computer, you may receive the following error message:
Machine Certificate cannot be installed, Error 0x80090016 NTE_BADKEYSET

CAUSE

This issue may occur if you perform an unattended installation of Windows XP, and you configure the installation to host the user profiles on a drive or drive partition other than the startup drive partition. In this situation, the permissions inheritance from the MachineKeys folder may not work correctly. After the Setup program requests a certificate, the private key file is created in the MachineKeys folder. This file does not inherit full control permissions from the MachineKeys folder.

WORKAROUND

To work around this issue, follow these steps:
  1. Create a batch file named SetMachineACLs.bat with the following commands: 
    convert d: /FS:NTFS
	rmdir "D:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" 
	regsvr32 rsaenh.dll
	rmdir "D:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys"
	regsvr32 dssenh.dll
  2. Save SetMachineACLs.bat file in the c:\scripts folder.
  3. Edit the Unattend.bat file to add the following switches to the winnt32 command line:
    /copydir:i386\scripts
/cmd:c:\scripts\SetMachineACLs.bat
Modification Type:MajorLast Reviewed:5/28/2004
Keywords:kbprb KB841798 kbAudOEM
©2004 Microsoft Corporation. All rights reserved.