After publishing updates from the Lenovo Patch plugin and deploying them with Configuration Manager, the client computer fails to install the updates and reports the following error on installation: 0x800B0109 (-2146762487). The error is shown in the More Information section of the update in Software Center.
There are 5 parts to the resolution:
Before beginning, obtain the 'Unique Update ID' of the failing update from the UpdatesHandler.log on the client device.
a. In the Configuration Manager console, navigate to 'Software Library' > 'Overview' > 'Software Updates' > 'Lenovo Patch' > 'Updates'.
b. In the ribbon bar, click on the 'Settings' button.
c. In the 'Lenovo Patch Settings' dialog, on the 'WSUS Server' tab, click the 'View certificate' button.
d. In the 'Certificate' window, on the 'General' tab, take note of the 'Issued to:', 'Issued by', and 'Valid from/to' information. These pieces of information will be referenced in 4d.
e. In the 'Certificate' window, click on the 'Details' tab.
f. Take note of the 'Serial number'. The Serial number will be referenced in 1p, 2g, 3g, and 4f.
g. Close the 'Certificate' window and the 'Lenovo Patch Settings' dialog.
h. In the Configuration Manager console, navigate to 'Software Library' > 'Overview' > 'All Software Updates'.
i. Locate the update by the 'Unique Update ID'. (You may need to enable this column.)
j. Right click on the update, choose 'Properties', then select the 'Content Information' tab.
k. Using the URL from the 'Source Path' field, download the .CAB file. Take note of the .CAB file name. This information will be referenced in 2b and 3b.
l. In the folder where the file downloaded, right click on the .CAB file and choose 'Properties'.
m. In the .CAB file Properties window, click the 'Digital Signatures' tab.
n. Select a signature from the list and click the 'Details' button.
o. In the 'Digital Signature Details' window, click on the 'Advanced' tab.
p. In the 'Signature details' section, verify the Serial number matches the Serial number information obtained in 1f.
q. If the .CAB file does not have the current signature, use Lenovo Patch to re-sign the content with the latest code signing certificate. Once the content is re-signed, download the re-signed content to the Software Update Deployment Package and update the distribution points.
a. Navigate to the Software Update Deployment Packages source folder directory.
b. Search for the .CAB file name noted in 1k.
c. If the .CAB file is found, right click on the .CAB file and choose 'Properties'.
d. In the .CAB file Properties window, click the 'Digital Signatures' tab.
e. Select a signature from the list and click the 'Details' button.
f. In the 'Digital Signature Details' window, click on the 'Advanced' tab.
g. In the 'Signature details' section, verify the Serial Number matches the Serial number information obtained in 1f.
h. If the .CAB file does not have the current signature, navigate to the corresponding Software Update Deployment Package in the Configuration Manager console.
i. Locate and delete the update from the Software Update Deployment Package by matching the Unique Update ID.
j. Navigate to the 'All Software Updates' node, locate the update by the 'Unique Update ID', download the update to the appropriate Software Update Deployment Package, and update the distribution points.
a. On the client device, navigate to 'C:\Windows\ccmcache'.
b. Using the .CAB file name noted in 1k, search for the .CAB file name.
c. Once the file has been located, right click on the .CAB file and choose 'Properties'.
d. In the .CAB file Properties window, click the 'Digital Signatures' tab.
e. Select a signature from the list and click the 'Details' button.
f. In the 'Digital Signature Details' window, click on the 'Advanced' tab.
g. In the 'Signature details' section, verify the Serial Number matches the Serial number information obtained in 1f.
h. If the Serial numbers do not match, remove the content from the cache and run the Software Updates Deployment Evaluation cycle in the CM Client Settings.
a. On the client device, open the 'Local Computer Certificates' management console using Start > Run and enter 'certlm.msc'.
b. If prompted, accept the User Account Control prompt.
c. Navigate to the 'Certificates - Local Computer' > 'Trusted Root Certification Authorities' > 'Certificates' node.
d. Using the certificate information found in 1d, locate the certificate matching the 'Issued To', 'Issued By', and the 'Expiration Date' that matches the 'Valid to' date.
e. Select the appropriate certificate in the list and double click to open the certificate.
f. Switch to the 'Details' tab and verify the Serial number information obtained in 1f matches.
g. Repeat steps 2c-2f for the 'Trusted Publishers' certificate store. If either certificate store is missing the code signing certificate, import the missing certificate.
a. 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' 'AcceptTrustedPublisherCerts' REG_DWORD set to '1'
b. 'HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\WindowsUpdate' 'AcceptTrustedPublisherCerts' REG_DWORD set to '1'
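The client-side checks above (signature on the cached .CAB, the two certificate stores, and the two registry values) can be collected in one read-only pass. This PowerShell script is an added example, not part of the original article or of Lenovo Patch; the parameter and function names are assumptions, and the serial number and .CAB file name are the ones noted in 1f and 1k.

```powershell
# Added example: read-only checks on the client device (ccmcache, certificate stores, registry).
param(
    [Parameter(Mandatory)][string]$ExpectedSerial,  # serial number noted in 1f
    [Parameter(Mandatory)][string]$CabName          # .CAB file name noted in 1k
)

# The certificate dialog may show the serial with spaces and in lower case;
# .NET reports it as upper-case hex without separators. Normalise both forms.
function ConvertTo-NormalSerial([string]$Serial) {
    ($Serial -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}
$want = ConvertTo-NormalSerial $ExpectedSerial

function New-Result($Check, $Item, $Status, $Ok) {
    [pscustomobject]@{ Check = $Check; Item = $Item; Status = $Status; Ok = [bool]$Ok }
}
$results = @()

# Cached content: compare the signer serial of every matching .CAB under ccmcache.
$cabs = Get-ChildItem -Path 'C:\Windows\ccmcache' -Recurse -Filter $CabName -File -ErrorAction SilentlyContinue
foreach ($cab in $cabs) {
    $sig  = Get-AuthenticodeSignature -FilePath $cab.FullName
    $have = if ($sig.SignerCertificate) { ConvertTo-NormalSerial $sig.SignerCertificate.SerialNumber } else { '' }
    $results += New-Result 'ccmcache CAB' $cab.FullName "$($sig.Status), serial $have" ($have -eq $want)
}
if (-not $cabs) { $results += New-Result 'ccmcache CAB' $CabName 'not found in cache' $false }

# Certificate stores: the code signing certificate must be in both local machine stores.
foreach ($store in 'Root', 'TrustedPublisher') {
    $hit = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { (ConvertTo-NormalSerial $_.SerialNumber) -eq $want } |
        Select-Object -First 1
    $status = if ($hit) { "present, valid to $($hit.NotAfter)" } else { 'missing' }
    $results += New-Result 'Certificate store' $store $status $hit
}

# Registry: AcceptTrustedPublisherCerts must be 1 in both registry views.
foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
                 'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\WindowsUpdate') {
    $prop   = Get-ItemProperty -Path $key -Name 'AcceptTrustedPublisherCerts' -ErrorAction SilentlyContinue
    $value  = if ($prop) { $prop.AcceptTrustedPublisherCerts } else { $null }
    $status = if ($null -eq $value) { 'not set' } else { "value $value" }
    $results += New-Result 'Registry' $key $status ($value -eq 1)
}

$results | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session on the affected client; any row with `Ok` set to `False` points to the part of the procedure that still needs attention.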