Description
CRYPT_E_REVOKED (hex code 0x80092013, decimal -2146885613) is a Windows critical-level error code in the VPN & Remote Access family. Microsoft surfaces this code through the Win32 API, the Common Language Runtime, the kernel, the event log, PowerShell, command-line tools (sfc, dism, gpupdate, sc), and Windows-side applications such as Outlook, Teams, Office, and System Center.
The certificate is revoked. Check CRL or OCSP connectivity.
This page documents what triggers 0x80092013, the most common scenarios where it appears, the likely root causes, and a step-by-step troubleshooting workflow you can run against affected endpoints. It is intended for system administrators, MSP technicians, helpdesk engineers, and anyone diagnosing Windows behavior in a managed environment.
In-depth explanation
This is a critical-severity Windows error. It typically indicates a kernel-mode failure, an unrecoverable security violation, hardware failure, or a fatal driver bug. Treat any occurrence as a P1 incident: isolate the host, capture a memory dump if available, and pull the latest minidump from C:\Windows\Minidump for analysis.
It is part of the RAS / VPN / certificate error space. It surfaces in the Always On VPN logs, the RasMan service log, the Microsoft-Windows-NetworkProfile event log, and certificate validation traces.
The code can be looked up programmatically in PowerShell with [ComponentModel.Win32Exception]::new(-2146885613).Message (for Win32 / NTSTATUS codes that map cleanly), or with net helpmsg <decimal> for the legacy decimal range. For HRESULT-style codes, decode the facility and code with err.exe from the SDK or via the WinDbg !error command.
Common causes
- VPN gateway certificate expired, revoked, or signed by an untrusted root.
- Server hostname does not match the certificate Subject Alternative Name.
- RAS / IKEv2 / SSTP service stopped on the client.
- Firewall or ISP blocking IKE (UDP 500/4500), SSTP (TCP 443), or PPTP/L2TP.
- Always On VPN profile pushed via Intune / SCCM corrupted — re-deploy.
Troubleshooting steps
- Verify the VPN server's TLS / IKE certificate is trusted by the client (root CA installed, not expired, CRL/OCSP reachable).
- Confirm the server hostname matches the certificate Subject Alternative Name exactly.
- Restart the client services:
Restart-Service RasManandRestart-Service RemoteAccess. - Check that IKE (UDP 500/4500), SSTP (TCP 443), or the configured protocol is open end-to-end.
- For Always On VPN, regenerate the device tunnel with
Add-VpnConnectionand re-deploy the Intune profile.
Decode in PowerShell
# Decode 0x80092013 (-2146885613) in PowerShell
[ComponentModel.Win32Exception]::new(-2146885613).Message
# Or via WinDbg / err.exe (Windows SDK)
# err 0x80092013
# Or net helpmsg (legacy decimal range only)
# net helpmsg <decimal>Frequently asked questions
What does the Windows error code 0x80092013 mean?
CRYPT_E_REVOKED (decimal -2146885613). The certificate is revoked. Check CRL or OCSP connectivity.How do I decode 0x80092013 in PowerShell?
[ComponentModel.Win32Exception]::new(-2146885613).Message in any PowerShell session. For HRESULT-style codes, use err.exe from the Windows SDK or the WinDbg !error command.Where does Windows typically log this error?
%WinDir%\WindowsUpdate.log; AD/Kerberos → Security event log on the DC; BSOD → minidump under C:\Windows\Minidump; MSI → %TEMP%\msi*.log; WMI → Microsoft-Windows-WMI-Activity). Always cross-reference the timestamp and module name with the Application and System event logs.Is this code recoverable?
Should I open a Microsoft support case for this?
Get-WinEvent export ready before opening the case.