
Third-Party Updates Fail to Download in SCCM with Error: Invalid certificate signature Error 0x800b0004

When attempting to download published third-party software updates into a deployment package from the SCCM console or an automatic deployment rule, you receive the error message “Error: Invalid certificate signature”.


If you are attempting to manually download the patches directly in the SCCM console, you will see the following error message in the PatchDownloader.log in your user's %temp% directory. If it’s an ADR failing to download the update, the PatchDownloader.log will be located in the site server logs directory.

Authentication of file C:\Users\%username%\AppData\Local\Temp\CAB7FA4.tmp failed, error 0x800b0004

ERROR: DownloadContentFiles() failed with hr=0x80073633

If you are using the SCCM console during the failure, you will also see the following error in SmsAdminUI.log:

Failed to download content id 16939262. Error: Invalid certificate signature

Why Does Error Invalid certificate signature Happen?

Whenever a software update is downloaded, whether it is a Microsoft or a third-party update, the certificate used to sign the update must be trusted by the machine running the SCCM console, or by the site server when an automatic deployment rule performs the download.

If the WSUS signing certificate hasn’t been properly deployed to the Trusted Root and Trusted Publishers certificate stores on the SCCM console device or the site server, the update validation check will fail and the update will not be downloaded into the deployment package.

0x800b0004 = The subject is not trusted for the specified action.

0x80073633 = Invalid certificate signature

Resolution to Error 0x800b0004

To resolve error code 0x800b0004, you need to distribute the WSUS signing certificate to the Trusted Root and Trusted Publishers certificate stores on your console machine, site server, and any clients you wish to deploy third-party updates to.
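
One way to confirm which store is missing the certificate on a console machine or site server, as an added example that is not part of the original article. It assumes the WSUS signing certificate has already been exported to a .cer file; the default file path and the -Import switch are hypothetical names chosen for this example.

```powershell
# Added example: verify that the WSUS signing certificate is trusted locally.
# Assumption: the certificate was exported to a .cer file; the default path is a placeholder.
[CmdletBinding()]
param(
    [string]$CerPath = 'C:\Temp\WsusSigningCert.cer',  # placeholder, adjust to your export
    [switch]$Import                                    # hypothetical switch: add to missing stores
)

# Load the exported certificate to get its thumbprint and validity period.
$resolved = (Resolve-Path -LiteralPath $CerPath -ErrorAction Stop).ProviderPath
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($resolved)
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}

# Both stores named in the article must contain the certificate.
$report = foreach ($store in 'Root', 'TrustedPublisher') {
    $storePath = "Cert:\LocalMachine\$store"
    $present = [bool](Get-ChildItem -Path $storePath |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint })

    if (-not $present -and $Import) {
        # Requires an elevated session; Import-Certificate ships in the PKI module.
        Import-Certificate -FilePath $resolved -CertStoreLocation $storePath `
            -ErrorAction Stop | Out-Null
        $present = $true
    }
    [pscustomobject]@{ Store = $storePath; Thumbprint = $cert.Thumbprint; Present = $present }
}
$report | Format-Table -AutoSize

# Show recent trust failures from the console user's PatchDownloader.log, if it exists.
$log = Join-Path $env:TEMP 'PatchDownloader.log'
if (Test-Path -LiteralPath $log) {
    Select-String -LiteralPath $log -Pattern '0x800b0004', '0x80073633' |
        Select-Object -Last 5 -ExpandProperty Line
}
```

Run it without -Import first to see which store reports Present as False. For an ADR failure, run it on the site server and read PatchDownloader.log from the site server logs directory instead of %temp%.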

We also have a detailed step-by-step video guide below that covers deploying the WSUS signing certificate using SCCM 1806+ or using group policy.

Note: this video guide references resolving error code 0x800b0109 on clients failing to install updates, but the process for deploying the WSUS signing certificate to resolve error 0x800b0004 is the same.

If you prefer a non-video format, you can use the following guides to distribute the WSUS signing certificate: