
Third-Party Updates Fail to Install with Error 0x800b0109 in SCCM

Started by Justin Chalfant (Patch My PC), February 23, 2019, 06:12:06 PM


Justin Chalfant (Patch My PC)


When attempting to install third-party software updates, you receive error code 0x800b0109.


In WUAHandler.log, you will also see the following error in the log.

Failed to download updates to the WUAgent datastore. Error = 0x800b0109


Why does Error 0x800b0109 Happen?

Error code 0x800b0109 translates to:

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

This error occurs when a client is attempting to install third-party software update(s) that are signed using a WSUS signing certificate that isn't trusted on the client devices.


Resolution to Error 0x800b0109

To resolve error code 0x800b0109, you need to distribute the WSUS signing certificate to the Trusted Root and Trusted Publishers certificate stores on your client devices.

You can distribute the certificate using the third-party software updates feature in SCCM 1806+ (Microsoft Docs), or you can deploy the certificate using group policy (PDF Guide).

We also have a detailed step-by-step video guide below that covers deploying the WSUS signing certificate using SCCM 1806+ or using group policy to resolve error 0x800b0109 on your clients.


Junge


We have the GPO solution and no HTTPS to the SUP. We are using a self-signed cert right now, but that will change soon.
Everything is running fine and the software is installing as we hoped.

The issue here is that we cannot rebuild (OSD) a machine without getting the 0x800b0109 error, as it's not trusted during the OSD phase. We have several steps "Check for Updates" and it does its job and finds the 3rd party patches but cannot install them and fails.

What would be the clever way to inject the cert during OSD?
Should we modify our TS to inject the cert or is there another way instead?

Justin Chalfant (Patch My PC)

Please try option 3 here: https://patchmypc.com/how-to-deploy-the-wsus-signing-certificate-for-third-party-software-updates

GPOs don't run during a task sequence.

Quote from: Junge on January 27, 2020, 07:06:14 AM

We have the GPO solution and no HTTPS to the SUP. We are using a self-signed cert right now, but that will change soon.
Everything is running fine and the software is installing as we hoped.

The issue here is that we cannot rebuild (OSD) a machine without getting the 0x800b0109 error, as it's not trusted during the OSD phase. We have several steps "Check for Updates" and it does its job and finds the 3rd party patches but cannot install them and fails.

What would be the clever way to inject the cert during OSD?
Should we modify our TS to inject the cert or is there another way instead?

duane.mccullough

Hi Justin,

Let me first start off by saying, I've watched all your setup videos on SCCM and I'm a huge fan and love your work!!
With your help, I was able to understand SCCM and roll out multiple computers and also do in-place upgrades as well. I wanted to say thank you for everything!

I'm wondering if you can help me or point me to a location.

I am running version 1910 and am running into a problem with error 0x800b0109 as well. My issue is not Third-Party Updates. I created two ADRs for Patch Tuesday (following your steps in the video "How to Deploy Software Updates Using Microsoft SCCM"). I can see updates downloaded, and the package was created and distributed to both of my distribution points. When I go to deploy the updates to my pilot group (IT Department), the updates never deploy to the computers. I've tried removing my computer from the device collection and re-adding it, or even deploying to other collections, and they still never deploy. I did verify that under "Software Update Point Component Properties", under Third-Party Updates, the cert is listed there, and I also verified that the cert does populate on all my computers in "Trusted Publishers" and "Trusted Root Certification Authorities".

I've attached logs. Please let me know if you can please assist or at least point me to the correct location.

Thank you again

Justin Chalfant (Patch My PC)

Does the client trust the SSL certificate on the WSUS server and is it still valid? Try browsing out to the WSUS URL in IE to see if there are certificate errors.

duane.mccullough


Justin Chalfant (Patch My PC)

The client doesn't trust the issuing CA for the WSUS SSL cert.

duane.mccullough

That was it!! All working now. Thank you so much for your help!!!!

allnewsm7

This error occurs when a client is attempting to install third-party software update(s) that are signed using a WSUS signing certificate that isn't trusted, or the allow third-party updates policy isn't enabled on the machine. The signing certificate needs to be in the Trusted Root and Trusted Publishers certificate store.
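
A client-side check for the conditions named in the resolution in the first post and in the reply above, added here as an example and not part of any post in this thread. The function name and the sample path are hypothetical, and it assumes the "allow third-party updates" policy refers to the Windows Update policy "Allow signed updates from an intranet Microsoft update service location" (registry value AcceptTrustedPublisherCerts).

```powershell
# Added example: reports whether a client meets the trust prerequisites
# discussed in this thread. Run in an elevated session on the failing client.
# Test-WsusSigningCertTrust is a hypothetical helper name.
function Test-WsusSigningCertTrust {
    param(
        # Path to the exported public WSUS signing certificate (.cer)
        [Parameter(Mandatory)][string]$CertPath
    )

    # Load the exported certificate and read its thumbprint
    $file  = (Resolve-Path -LiteralPath $CertPath).Path
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    $thumb = $cert.Thumbprint

    # The thread states the certificate must be present in both machine stores
    $inRoot      = Test-Path -LiteralPath "Cert:\LocalMachine\Root\$thumb"
    $inPublisher = Test-Path -LiteralPath "Cert:\LocalMachine\TrustedPublisher\$thumb"

    # Assumption: this registry value backs the policy the thread calls
    # "allow third-party updates"; 1 means enabled
    $wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $value  = Get-ItemProperty -Path $wuKey -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue
    $policy = if ($value) { $value.AcceptTrustedPublisherCerts } else { $null }

    # One object per client, easy to collect from many machines and compare
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        Subject             = $cert.Subject
        Thumbprint          = $thumb
        NotAfter            = $cert.NotAfter
        Expired             = ($cert.NotAfter -lt (Get-Date))
        InTrustedRoot       = $inRoot
        InTrustedPublishers = $inPublisher
        PolicyEnabled       = ($policy -eq 1)
    }
}

# Constructed sample path; replace with the location of your exported certificate
# Test-WsusSigningCertTrust -CertPath 'C:\Temp\wsus-signing.cer'
```

Any `False` in the last three columns, or `True` for `Expired`, points at the missing prerequisite on that client.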

adm25881

Hello Justin, I have been reading this thread even though it is quite old! We have some machines failing with the same cert error. We have one primary, two secondaries. One of the secondaries seems to have issues. When I am on the machine I can reach one WSUS server with no issues, the other shows Forbidden, access is denied. Can you give me some idea where to begin?