Fix: SCCM Updates Install Error 0x800b0109 | 0x8024b303
This article provides multiple solutions to resolve SCCM updates install error 0x800b0109 and error 0x8024b303. If you are encountering error 0x800b0109 while installing third-party software updates, a series of steps is required to resolve the issue.
You may be using solutions such as PatchMyPC, ManageEngine to patch the updates for third-party applications. These tools integrate with ConfigMgr and Intune and help you to package and deploy the applications including the updates. Although the updates deployment is streamlined and works without any issues, occasionally you may encounter some errors.
When attempting to install third-party software updates, you receive error 0x800b0109 or 0x8024b303. Both these errors are interlinked, and you need to perform multiple steps in order to resolve both the errors. I hope the steps provided in this article will help you to resolve both the errors.
With Configuration Manager, troubleshooting issues and errors begins with the log files. I would suggest bookmarking this important post that lists all the SCCM log files which are helpful to troubleshoot issues for different site components. In addition, you must also make use of tools available in SCCM to translate the error codes to error messages. To review the error logs, you can use the ConfigMgr Log viewer tools.
SCCM Updates Install Error 0x800b0109
While installing third-party application updates, I encountered error 0x800b0109 in Software Center. I have been running the latest version of Patch My PC publishing service in my lab setup to deploy third-party applications including the updates.
I noticed that when installing the updates for third-party applications, the updates failed to install. In the screenshot below, we see that the updates failed to install for VMware Tools.
Clicking on the Failed link in the Software Center reveals the error code 0x800b0109. At this point, it is not possible to guess why this error came up but by reviewing the log files and using error translation tools, you can figure out the root cause.
Translate Error 0x800b0109 with Error Lookup Tools
Using SCCM error lookup tools, you can translate any error code to a readable message. From my experience, the tool works for most of the commonly encountered errors in SCCM, but not all. In this case, when I perform the error lookup for 0x800b0109 using the Support Center Log Viewer, I get the following message.
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
The error 0x800b0109 occurs when the certificate used to sign the patches is missing from the client certificate store. Installing the WSUS signing certificate on the client computers will resolve the error 0x800b0109.
Troubleshoot Update Scan Errors with WUAHandler.log
There are several reasons that a software update scan could fail. Most problems involve communication or firewall issues between the client and the software update point computer. When you troubleshoot software update scan failures, focus on the WUAHandler.log, which records the activity about scanning and installing updates.
In the WUAHandler.log, I noticed the machine needed the update for VMware tools. However, the updates failed to download and the following error was logged in the WUAHandler.log: Failed to download updates to the WUAgent datastore. Error = 0x800b0109.
Going to search using WSUS update source.
Synchronous searching of all updates started...
Successfully completed synchronous searching of updates.
Update: 0012e149-8595-4e2d-ad55-ec46f2c5d26a, 1 BundledUpdates: 0
Update (Missing): VMware Tools 12.2.0.41219 (x64) (0012e149-8595-4e2d-ad55-ec46f2c5d26a, 1)
Failed to download updates to the WUAgent datastore. Error = 0x800b0109
Going to search using WSUS update source.
Synchronous searching of all updates started...
Successfully completed synchronous searching of updates.
Update: 0012e149-8595-4e2d-ad55-ec46f2c5d26a, 1 BundledUpdates: 0
Update (Missing): VMware Tools 12.2.0.41219 (x64) (0012e149-8595-4e2d-ad55-ec46f2c5d26a
Failed to download updates to the WUAgent datastore. Error = 0x800b0109.
Get the UpdateID of the Failed Update
The most common reason error 0x800b0109 or 0x8024b303 occurs is that the specific WSUS signing certificate isn’t properly deployed to the client device. The signing certificate needs to be in the Trusted Root Store and Trusted Publishers certificate store.
In the below screenshot, we see that the updates for VMware tools are failing to install. In the WUAHandler.log, look for the line that begins with Update (Missing): and copy the UpdateID that is usually at the end of the line. The UpdateID for the failed update in the below example is 0012e149-8595-4e2d-ad55-ec46f2c5d26a.
Once you have copied the UpdateID of the failed update, we will look for this update in the Configuration Manager and download the cab file corresponding to that update. Launch the ConfigMgr console and navigate to Software Library > Software Updates > All Software Updates. In the search box, type the UpdateID that you copied from the WUAHandler.log in the previous step and select Search. This will now pull up the update, and we see it’s the VMware Tool update which is correct. Right-click the Update and select Properties.
On the update properties window, select the Content Information tab and select the content ID row and press the Ctrl+C keys to copy the information. Paste this information to the notepad and copy the source path which is the URL to download the cab file.
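The UpdateID lookup described above can be scripted. This is an added example, not part of the original article: the function name Get-MissingUpdateFailure is hypothetical, the sample lines are copied from the WUAHandler.log excerpt on this page, and pairing each download failure with the updates listed just before it is an assumption about how the log is ordered.

```powershell
# Added example, not from the original article.
# Sample lines copied from the WUAHandler.log excerpt on this page. On a client,
# replace them with Get-Content of the real WUAHandler.log.
$lines = @(
    'Going to search using WSUS update source.'
    'Successfully completed synchronous searching of updates.'
    'Update (Missing): VMware Tools 12.2.0.41219 (x64) (0012e149-8595-4e2d-ad55-ec46f2c5d26a, 1)'
    'Failed to download updates to the WUAgent datastore. Error = 0x800b0109'
    'Update (Missing): VMware Tools 12.2.0.41219 (x64) (0012e149-8595-4e2d-ad55-ec46f2c5d26a'
    'Failed to download updates to the WUAgent datastore. Error = 0x800b0109.'
)

function Get-MissingUpdateFailure {
    param([string[]] $LogLines)

    $guid    = '[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    $pending = @()   # updates reported missing since the last download result

    foreach ($line in $LogLines) {
        if ($line -match "Update \(Missing\): (?<title>.+?) \((?<id>$guid)") {
            # Title is everything before the parenthesised UpdateID at the end of the line.
            $pending += [pscustomobject]@{
                Title    = $Matches.title
                UpdateID = $Matches.id
                Error    = $null
            }
        }
        elseif ($line -match 'Failed to download updates to the WUAgent datastore\. Error = (?<code>0x[0-9a-fA-F]{8})') {
            # Assumption: the failure applies to the updates listed just before it.
            foreach ($u in $pending) { $u.Error = $Matches.code; $u }
            $pending = @()
        }
    }
}

# One row per distinct UpdateID / error code pair.
Get-MissingUpdateFailure -LogLines $lines |
    Sort-Object -Property UpdateID, Error -Unique |
    Format-Table -AutoSize
```

The UpdateID column is the value to paste into the All Software Updates search box.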
Check if WSUS Signing Certificate is present on Client Computer
If you are encountering 0x800b0109 while installing third-party application updates, you must first check whether the WSUS signing certificate is present on the client computer. If the WSUS signing certificate is missing on the client computer, you must deploy it to the client computer using GPO or Configuration Manager.
Open the browser on the computer and paste the cab URL that you copied in the previous step. The browser will now download the cab file to your computer. Right-click the cab file and select Properties. Go to the Digital Signatures tab, and select the signer and view the Details.
On properties of the file, review the Certification Path tab, and review if there are any trust errors. If the certificate shows trust errors, you will need to deploy this certificate to all client devices. However, if the certificate shows no error and appears to be trusted and valid, you should next validate the presence of this certificate in both the Trusted Root and Trusted Publishers certificate store on the client. In the event of a certificate trust error, not one but all the third-party updates will fail to install.
Allow signed updates for an intranet Microsoft update service location
If the certificate appears to be installed in Trusted Root and Trusted Publishers on the client, and you still receive error 0x800b0109 or 0x8024b303, it’s likely due to the policy Allow signed updates for an intranet Microsoft update service location not being enabled.
To check if the policy is enabled, perform the following actions. Launch the registry editor on the computer by running the command regedit.exe. Navigate to the following registry path:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
If you see the AcceptTrustedPublisherCerts key with value 1, it means the policy is already enabled. You don’t have to make any changes here.
If the AcceptTrustedPublisherCerts entry isn’t present in the computer’s registry, you can manually create one using the following steps. Right-click WindowsUpdate folder and select New > DWORD (32-bit Value). Enter the name as AcceptTrustedPublisherCerts and set the value to 1.
When you have multiple computers experiencing error 0x800b0109 during third-party updates installation, manually creating the registry value is not a viable solution. If the value isn’t set, you can use a Configuration Manager client setting or group policy to deploy this policy to devices.
The AcceptTrustedPublisherCerts with value 1 is now created. You must log off your computer for the changes to take effect.
Fix Error 0x800b0109 by Installing the WSUS Signing Certificate
As mentioned earlier, the most common reason error 0x800b0109 occurs is that the specific WSUS signing certificate isn’t properly deployed to the client device. The signing certificate needs to be in the Trusted Root and Trusted Publishers certificate store.
I wanted to check if the certificate used to sign the patches is missing from the client certificate store. There are two ways to do that: check the certificate on the client computer by running certlm.msc, or copy the signing certificate to the computer and view the cert properties.
To accomplish that, I had to first export the signing certificate. Launch the Patch My PC tool and on the General tab, use the option Export Certificate to export the signing certificate.
Copy the exported signing certificate to the client computer and open the certificate. Now we see that the certificate shows the following error: This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities Store.
All you need to do is install this certificate and place it in the Trusted Root Certification Authorities Store. To complete that, select the Install Certificate option and use the wizard to install the cert. This should resolve the SCCM updates install error 0x800b0109.
Error 0x8024b303 while installing SCCM Updates
After installing the WSUS signing certificate on the client computer, the error 0x800b0109 got resolved. However, when I attempted to install the third-party updates, I encountered a new error 0x8024b303 in the Software Center.
This time the VMware tools update failed to install with a new error code 0x8024b303 appearing in the Software Center.
Reviewing the WUAHandler.log reported the same error 0x8024b303. Failed to download updates to the WUAgent datastore. Error = 0x8024b303.
The error 0x8024b303 appears when the certificate used to sign the patches is missing from the Trusted Publishers store. So, remember that the WSUS signing certificate must be placed in two stores: Trusted Root Certification Authorities Store and Trusted Publishers.
After installing the WSUS signing certificate on the client computer, manually verify if the certificate is installed correctly by going to Trusted Publishers > Certificates folder. The screenshot below shows the Patch My PC WSUS signing certificate present in the Trusted Publishers store.
On the client computer, when I attempted to reinstall the failed update, the VMware tools update got installed successfully. That’s how I resolved SCCM updates install error 0x800b0109.
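The three client-side conditions covered in this article (certificate in Trusted Root, certificate in Trusted Publishers, and the AcceptTrustedPublisherCerts policy value) can be checked in one pass. This is an added example, not code from the original article or from Patch My PC: the function name Test-WsusSigningTrust and the .cer path are assumptions, and the expiry check goes beyond what the article covers.

```powershell
# Added example, not from the original article.
function Test-WsusSigningTrust {
    param([Parameter(Mandatory)] [string] $CerPath)

    # Load the WSUS signing certificate exported from the publishing tool.
    $file = (Resolve-Path -LiteralPath $CerPath).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

    # The certificate must be present in both LocalMachine stores.
    $inRoot      = Test-Path -LiteralPath "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
    $inPublisher = Test-Path -LiteralPath "Cert:\LocalMachine\TrustedPublisher\$($cert.Thumbprint)"

    # Policy: Allow signed updates for an intranet Microsoft update service location.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $value = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

    # Map each missing condition to the error code the article associates with it.
    $findings = @()
    if (-not $inRoot)      { $findings += 'Not in Trusted Root Certification Authorities (0x800b0109)' }
    if (-not $inPublisher) { $findings += 'Not in Trusted Publishers (0x8024b303)' }
    if ($value -ne 1)      { $findings += 'AcceptTrustedPublisherCerts is not set to 1' }
    # Extra check, not from the article: an expired signing certificate.
    if ($cert.NotAfter -lt (Get-Date)) { $findings += "Certificate expired on $($cert.NotAfter)" }

    [pscustomobject]@{
        Subject                     = $cert.Subject
        Thumbprint                  = $cert.Thumbprint
        InTrustedRoot               = $inRoot
        InTrustedPublishers         = $inPublisher
        AcceptTrustedPublisherCerts = $value
        Findings                    = if ($findings) { $findings -join '; ' } else { 'None' }
    }
}

# Placeholder path (assumption): point it at the certificate you exported.
Test-WsusSigningTrust -CerPath 'C:\Temp\WSUSSigning.cer' | Format-List
```

The function only reads the certificate stores and the registry, so it can also serve as a detection script for a compliance baseline.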
Enable Third-Party software updates in client setting on the CM