Automated Application Management for Microsoft Endpoint Manager

Simplify third-party application management

Knowledge Base ArticlesRequest Trial

Third-Party Updates Fail to Install with Error 0x800b0109 in SCCM

When attempting to install third-party software updates, you receive error code 0x800b0109.


In WUAHandler.log, you will also see the following error in the log.

Failed to download updates to the WUAgent datastore. Error = 0x800b0109

Why does Error 0x800b0109 Happen?

Error code 0x800b0109 translates to: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

This error occurs when a client is attempting to install third-party software update(s) that are signed using a WSUS signing certificate that isn’t trusted or the allow third-party updates policy isn’t enabled the machine. The signing certificate needs to be in the Trusted Root and Trusted Publishers certificate store.

If the certificate appears to be trusted on the client, but you still receive 0x800b0109, you also need to validate the GPO/Client Settings for Allow signed updates for an intranet Microsoft update service location is enabled and deployed. You can check the client has the policy to allow third-party updates by reviewing the registry value: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate:AcceptTrustedPublisherCerts=1 | (REG_DWORD)


Resolution to Error 0x800b0109 (Video)

To resolve error code 0x800b0109, you need to distribute the WSUS signing certificate to the Trusted Root and Trusted Publishers certificate stores on your client devices.

We also have a detailed step-by-step video guide below that covers deploying the WSUS signing certificate using SCCM 1806+ or using group policy to resolve error 0x800b0109 on your clients.


If you prefer a non-video format, you can use the following guides to distribute the WSUS signing certificate: