Automated Application Management for Microsoft Endpoint Manager

Simplify third-party application management

Knowledge Base ArticlesRequest Trial

Third-Party Updates Fail to Install with Error 0x800b0109 in SCCM

When attempting to install third-party software updates, you receive error code 0x800b0109.

Topics covered in this guide

Determine if You are Affected

This error generally will occur when attempting to install third-party software updates. You may see the following error in software center based on the deployment visibility.

Error-0x800b0109-Third-Party-Updates-SCCM

In WUAHandler.log, you will see the following error in the log.

Failed to download updates to the WUAgent datastore. Error = 0x800b0109

Error code 0x800b0109 translates to: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

This error occurs when a client is attempting to install an update signed by a WSUS signing certificate that the client doesn’t trust or the allow third-party updates policy isn’t enabled.

Step 1: Check if the WSUS Signing Certificate is Deployed to the Client Device

The most common reason error 0x800b0109 occurs is that the specific WSUS signing certificate isn’t properly deployed to the client device. The signing certificate needs to be in the Trusted Root and Trusted Publishers certificate store.

It’s important to review the certificate used to sign the specific update failing as we often see the failing update was signed using a previous certificate that may not be deployed to clients. To find the certificate used for the update perform the following actions:

1. Get the UpdateID for the update failing. The UpdateID can be found in the line before the error message in the WUAHandler.log.

Copy UpdateID for Error 0x800b0109 in WUAHandler

2. Download the update CAB file using the Configuration Manager console. Navigate to All Software Updates > Search UpdateID > Properties of Update > Content Information tab > Ctrl + C to copy the Source Path > Paste to Notepad and remove non-URL text

Copy Source Path to Download Update for Error 0x800b0109

3. Download or copy the .CAB file to the client receiving error 0x800b0109. On properties of the file, review the Certification Path tab, and review if there are any trust errors.

This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store

If the certificate shows any trust errors, you will need to deploy this certificate to all client devices.

4. If the certificate appears to be trusted and valid, you should next validate the certificate exist in both the Trusted Root and Trusted Publishers certificate store on the client.

4.1 Take note of the thumbprint of the WSUS signing certificate from the Details tab of the .CAB file as shown in step 3. Open certlm.msc on the client receiving the error and check if the certificate exists in both Trusted Root and Trusted Publishers certificate stores by checking the subject name and thumbprint.

Check Trusted Root and Trusted Publishers store certlm

4.2 If the certificate appears is installed in both Trusted Root and Trusted Publishers, and you still receive 0x800b0109, you also need to validate the setting Allow signed updates for an intranet Microsoft update service location is enabled and deployed.

More InformationImportant: We often see cases where the WSUS signing certificate is updated, and only the newest WSUS signing certificate is deployed to the client. If there where any updates signed using a previous certificate, that certificate also needs to be deployed to client devices, or updates published before the new certificate was created will fail with error 0x800b0109.

Step 2: Check policy: Allow signed updates for an intranet Microsoft update service location

If the certificate appears to be installed in Trusted Root and Trusted Publishers on the client, and you still receive error 0x800b0109, it’s likely due to the policy Allow signed updates for an intranet Microsoft update service location not being enabled.

To check if the policy is enabled perform the following actions:

1. Open regedit.exe, and navigate to: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate:AcceptTrustedPublisherCerts=1 | (REG_DWORD). If enabled, you will see the RegValue AcceptTrustedPublisherCerts set to 1 as a REG_DWORD

AcceptTrustedPublisherCerts

2. If the value isn’t set, updates will fail to install with error 0x800b0109. You can use a Configuration Manager client setting or group policy to deploy this policy to devices.

More InformationImportant: Please ensure that the ‘Type of the RegValue is ‘REG_DWORD‘ and NOT REG_QWORD

Video Resolution Guide for Error 0x800b0109

To resolve error code 0x800b0109, you need to distribute the WSUS signing certificate to the Trusted Root and Trusted Publishers certificate stores on your client devices.

We also have a detailed step-by-step video guide below that covers deploying the WSUS signing certificate using SCCM 1806+ or using group policy to resolve error 0x800b0109 on your clients.


If you prefer a non-video format, you can use the following guides to distribute the WSUS signing certificate: