Third-Party Updates Fail to Download in SCCM with Error: Invalid certificate signature Error 0x800b0004
When attempting to download published third-party software updates into a deployment package from the SCCM console or an automatic deployment rule, you receive the error message “Error: Invalid certificate signature”.
If you are attempting to manually download the patches directly in the SCCM console, you will see the following error message in the PatchDownloader.log in your user’s %temp% directory. If it’s an ADR failing to download the update, the PatchDownloader.log will be located in the site server logs directory.
Authentication of file C:\Users\%username%\AppData\Local\Temp\CAB7FA4.tmp failed, error 0x800b0004
ERROR: DownloadContentFiles() failed with hr=0x80073633
If you are using the SCCM console during the failure, you will also see the following error in SmsAdminUI.log:
Failed to download content id 16939262. Error: Invalid certificate signature
Why Does Error Invalid certificate signature Happen?
Whenever a software update is downloaded, whether it’s a Microsoft or a third-party update, the certificate used to sign the update must be trusted by the machine running the SCCM console or, in the case of an automatic deployment rule, by the site server.
If the WSUS Signing Certificate hasn’t properly been deployed to the Trusted Root and Trusted Publishers certificate store on the SCCM console device or the site server, the update validation check will fail and the update will not be downloaded into the deployment
0x800b0004 = The subject is not trusted for the specified action.
0x80073633 = Invalid certificate signature
Resolution to Error 0x800b0004
To resolve error code 0x800b0004, you need to distribute the WSUS signing certificate to the Trusted Root and Trusted Publishers certificate stores on your console machine, site server, and any clients you wish to deploy third-party updates to.
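To see which of the two stores is missing the certificate on a given console machine or site server, a check like the following can be run in PowerShell. This is an added example, not part of the original article; it assumes the WSUS signing certificate has already been exported to a .cer file, and the path and function name used are placeholders.

```powershell
# Added example: confirm the WSUS signing certificate is present in both
# machine stores named in the resolution (Trusted Root and Trusted Publishers).
# Assumption: the certificate was exported to a .cer file; the default path is a placeholder.
function Test-WsusSigningCertTrust {
    param(
        [string]$CertPath = 'C:\Temp\WSUS-Signing.cer'   # placeholder path
    )

    if (-not (Test-Path -LiteralPath $CertPath)) {
        throw "Certificate file not found: $CertPath"
    }

    # Load the exported certificate so its thumbprint can be compared to the stores.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

    foreach ($store in 'Root', 'TrustedPublisher') {
        $match = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object Thumbprint -eq $cert.Thumbprint

        [pscustomobject]@{
            Store      = "LocalMachine\$store"
            Present    = [bool]$match
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            # An expired signing certificate also fails validation even when present.
            Expired    = $cert.NotAfter -lt (Get-Date)
        }
    }
}

$results = Test-WsusSigningCertTrust
$results | Format-Table -AutoSize

if ($results.Present -contains $false) {
    Write-Warning 'The WSUS signing certificate is missing from at least one store on this machine.'
}
if ($results.Expired -contains $true) {
    Write-Warning 'The WSUS signing certificate has expired.'
}
```

Run it on the machine that logged the failure: the console machine for manual downloads, or the site server for an automatic deployment rule.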
We also have a detailed step-by-step video guide below that covers deploying the WSUS signing certificate using SCCM 1806+ or using group policy.
Note: this video guide references resolving error code 0x800b0109 on clients failing to install updates, but the process for deploying the WSUS signing certificate to resolve error 0x800b0004 is the same.
If you prefer a non-video format, you can use the following guides to distribute the WSUS signing certificate: