Windows Update Error 0x800B0109 — Fix Certificate Validation Error

What Does This Error Mean?

Windows Update error 0x800B0109 means Windows cannot verify the digital signature on an update package. This is a certificate chain error — Windows checks that updates come from Microsoft and have not been tampered with. It usually points to an outdated root certificate, incorrect system date/time, or a problem with the Windows trust store.

Affected Models

Windows 10
Windows 11
Windows 8.1
Windows Server

Common Causes

Your system clock is set to the wrong date or time, causing certificate validity checks to fail
Outdated root certificates on your computer are no longer trusted by Windows Update
A proxy server or security tool on your network is intercepting HTTPS traffic and breaking the certificate chain
The Windows certificate store is corrupted or missing trusted root certificates
Windows has not been updated in a very long time and its root certificate list is too old

How to Fix It

Check your system date and time. Right-click the clock in the taskbar, choose 'Adjust date/time,' and make sure the date, time, and time zone are correct. Enable 'Set time automatically.'

An incorrect date is the single most common cause of certificate errors. A certificate that is 'not yet valid' or 'expired' will fail if your clock is wrong.
Run Windows Update Troubleshooter. Go to Settings > System > Troubleshoot > Other troubleshooters > Windows Update > Run.

The troubleshooter can detect and fix some certificate store issues automatically.
Update your root certificates manually. Open Command Prompt as Administrator and run: certutil -generateSSTFromWU roots.sst — then: certutil -addstore -f root roots.sst

This downloads the latest trusted root certificates directly from Windows Update and adds them to your trust store.
Run System File Checker to repair the Windows certificate infrastructure. Open Command Prompt as Administrator and type: sfc /scannow

Corrupted certificate service files can cause Windows to fail signature verification even when certificates are valid.
Temporarily disable any VPN, proxy, or network security tools and try running Windows Update again.

Security tools that inspect HTTPS traffic can break certificate chains. If updates work with the tool disabled, contact the software vendor for proper Windows Update exclusion settings.

When to Call a Professional

If you are on a corporate network and this error appears on multiple computers, the issue is likely a network security appliance doing HTTPS inspection. Your IT department will need to configure the proxy to allow Windows Update traffic without intercepting its certificates.

Frequently Asked Questions

Why does Windows check certificates on updates?

Digital certificates prove that an update package was created by Microsoft and has not been modified. Think of it like a tamper-evident seal on medicine. If the seal is broken or unrecognized, Windows refuses to install the update to protect your computer.

Can this error happen after a long period without updates?

Yes. If your computer has not been updated for a year or more, your root certificate list may be outdated. Some old root certificates have expired and been replaced. Windows Update itself is responsible for keeping root certificates current, creating a chicken-and-egg problem that the certutil command in the fix steps above can break.

Is it safe to add root certificates manually?

The certutil command above only downloads certificates from Microsoft's own Windows Update service. It is safe and is the recommended method for fixing an outdated certificate store. Do not manually import certificate files from random websites — only use trusted Microsoft sources.