Microsoft Windows Error Code 0x800B0109: How to Fix It

Medium 30-60 minutes Medium Severity Verified July 2026
Error Code
0x800B0109
Brand
Microsoft Windows
Product Type
operating_system
Severity
Medium
DIY Difficulty
Medium
Estimated Fix Time
30-60 minutes
Windows error code 0x800B0109 means Windows Update cannot verify the digital certificate chain for an update because a root or intermediate certificate authority is not trusted on your system. This typically happens when your system's trusted root certificate store is outdated, corrupted, or missing key certificates. The good news is this is almost always fixable through Windows' built-in repair tools, manual certificate updates, or resetting the Windows Update components — no hardware work required.
Ad

Tools You'll Need

How to Fix Error Code 0x800B0109

  1. Confirm the Error and Note Your Windows Version

    Do not skip this step — applying the wrong fix for the wrong Windows version can cause additional issues.
  2. Run the Windows Update Troubleshooter

  3. Manually Update Your Trusted Root Certificates

    Run Command Prompt as Administrator or these commands will fail silently. If you are on a corporate or school network, your IT policy may block this — contact your IT department instead.
  4. Sync Your System Clock

  5. Reset Windows Update Components Using the Command Line

    These commands must be run as Administrator. Renaming the catroot2 folder forces Windows to rebuild its certificate store cache, which is safe but may take extra time on the first update attempt afterward.
  6. Repair System Files with SFC and DISM

    Do not interrupt SFC or DISM while they are running. If DISM fails with an error about not being able to connect to the source, you may need an active internet connection or a Windows installation ISO as a repair source.
  7. Manually Download and Install the Failed Update

    Only download updates directly from the official Microsoft Update Catalog (catalog.update.microsoft.com). Never download Windows updates from third-party sites.
  8. Check for Malware Interfering with Certificate Services

    If malware is detected, do not continue using the PC for sensitive tasks (banking, email) until the infection is fully resolved and the system is confirmed clean.
  9. Re-register Cryptographic DLL Files

    You must be running Command Prompt as Administrator or you will receive 'access denied' errors.
Ad

When to Call a Professional

You should contact a professional IT technician or Microsoft Support if: (1) All the above steps have been completed and the error persists. (2) The SFC or DISM tools report errors they cannot repair. (3) Your PC is domain-joined or managed by a company IT policy — your organization's Group Policy may be intentionally restricting certificate updates, and only your IT department can resolve this. (4) Malware was detected but your antivirus cannot fully remove it — a technician may need to perform an offline remediation. (5) You are running a very old version of Windows that has passed its end-of-life date and no longer receives root certificate updates from Microsoft, in which case an OS upgrade is the proper solution.

Frequently Asked Questions

What does Windows error 0x800B0109 mean?
Error 0x800B0109 means Windows could not verify the digital certificate chain for a Windows Update package. In simple terms, Windows checks that every update is signed and trusted all the way back to a root certificate authority. If any link in that chain is missing, expired, or untrusted on your system, the update is blocked and this error is shown.
Can error 0x800B0109 be caused by the wrong date and time?
Yes, absolutely. Digital certificates are only valid within specific date ranges. If your system clock is significantly wrong — even by a day or two — Windows may see a certificate as expired or not yet valid, causing it to reject the entire update. Always check your system clock first, as this is one of the quickest fixes.
Is Windows error 0x800B0109 a virus or a sign of being hacked?
Not necessarily. In most cases this error is caused by an outdated or corrupted certificate store, an incorrect system clock, or corrupted Windows Update components — all of which are normal technical issues. However, some types of malware do tamper with Windows certificates to block security updates. Running a full scan with Windows Defender or Microsoft Safety Scanner will help rule this out.
Why does 0x800B0109 happen after a clean Windows install?
A freshly installed Windows image may have a certificate store that was current at the time the installation media was created, but is now outdated. Microsoft regularly adds new root certificates and removes old ones. A clean install from older media may be missing newer trusted root certificates. Running 'certutil -generateSSTFromWU' or using Windows Update itself (once connected to the internet) will bring the certificate store up to date.
Does error 0x800B0109 affect Windows security?
Yes, indirectly. If this error is preventing security updates from installing, your system is missing important patches that protect against vulnerabilities. You should prioritize resolving this error as soon as possible. In the short term, ensure Windows Defender definitions are still updating separately (they use a slightly different pipeline), and avoid downloading untrusted software until the issue is resolved.