Installation of the Security Update for Microsoft .NET Framework 4.X (KB3135996 or KB3136000) may fail with the following error message: Installation failed with error code: (0x800B010A), "A certificate chain could not be built to a trusted root authority."
As per the install log:
C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp Signature could not be verified for NDP45-KB3135996.msp
No FileHash provided. Cannot perform FileHash verification for NDP45-KB3135996.msp
File NDP45-KB3135996.msp (C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp), failed authentication(Error = -2146762486). It is recommended that you delete this file and retry setup again.
Failed to verify and authenticate the file -C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp
Please delete the file, C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp and run the package again
According to the CAPI2 event messages inside the log:
<CryptRetrieveObjectByUrlWire>
<URL scheme="http">https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt</URL>
<Object type="CONTEXT_OID_CERTIFICATE" constant="1"/>
<Timeout>PT15S</Timeout>
<Flags value="286005" CRYPT_RETRIEVE_MULTIPLE_OBJECTS="true" CRYPT_WIRE_ONLY_RETRIEVAL="true" CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL="true" CRYPT_OFFLINE_CHECK_RETRIEVAL="true" CRYPT_AIA_RETRIEVAL="true" CRYPT_PROXY_CACHE_RETRIEVAL="true"/>
<AdditionalInfo>
<Action name="NetworkRetrievalTimeout">
<Error value="5B4">This operation returned because the timeout period expired. </Error>
</Action>
</AdditionalInfo>
<EventAuxInfo ProcessName="Setup.exe"/>
<CorrelationAuxInfo TaskId="{98B7F5D9-09DF-4158-8662-72272FA6171C}" SeqNumber="9"/>
<Result value="5B4">This operation returned because the timeout period expired.</Result>
</CryptRetrieveObjectByUrlWire>
This issue occurs when the certificate MicRooCerAut2011_2011_03_22.cer is missing, particularly when you operate in an environment that is disconnected from the Internet or that has a firewall that blocks content from the following URL: https://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
This behavior is due to recent changes to Microsoft Windows Enforcement of Authenticode Code Signing and Timestamping.
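To confirm the same cause on other machines, the following added example (not part of the original post) scans exported CAPI2 event XML for CryptRetrieveObjectByUrlWire events with a non-zero Result and reports the URL, the calling process, and whether an AIA retrieval timed out. The sample input is the event shown above, trimmed and wrapped in a constructed <Events> root; the function names and the treatment of Result value="0" as success are assumptions.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the CAPI2 event above, wrapped in a constructed <Events> root.
SAMPLE = """<Events>
<CryptRetrieveObjectByUrlWire>
<URL scheme="http">https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt</URL>
<Flags value="286005" CRYPT_WIRE_ONLY_RETRIEVAL="true" CRYPT_AIA_RETRIEVAL="true"/>
<AdditionalInfo><Action name="NetworkRetrievalTimeout">
<Error value="5B4">This operation returned because the timeout period expired.</Error>
</Action></AdditionalInfo>
<EventAuxInfo ProcessName="Setup.exe"/>
<Result value="5B4">This operation returned because the timeout period expired.</Result>
</CryptRetrieveObjectByUrlWire>
</Events>"""

TIMEOUT = 0x5B4  # Win32 ERROR_TIMEOUT (1460), the Result value in the event above


def local(tag):
    """Strip an XML namespace so events exported with xmlns still match."""
    return tag.rsplit("}", 1)[-1]


def failed_retrievals(xml_text):
    """Return one record per CryptRetrieveObjectByUrlWire event that did not succeed."""
    findings = []
    for ev in ET.fromstring(xml_text).iter():
        if local(ev.tag) != "CryptRetrieveObjectByUrlWire":
            continue
        fields = {local(child.tag): child for child in ev}
        result = fields.get("Result")
        code = int(result.get("value", "0"), 16) if result is not None else 0
        if code == 0:  # assumption: a zero or absent Result means success
            continue
        url, flags, proc = (fields.get(k) for k in ("URL", "Flags", "EventAuxInfo"))
        findings.append({
            "url": (url.text or "").strip() if url is not None else "",
            "process": proc.get("ProcessName", "") if proc is not None else "",
            "aia": flags is not None and flags.get("CRYPT_AIA_RETRIEVAL") == "true",
            "timed_out": code == TIMEOUT,
        })
    return findings


if __name__ == "__main__":
    for finding in failed_retrievals(SAMPLE):
        print(finding)
```

Any URL reported with both aia and timed_out set names a certificate that the machine could not fetch and that has to be installed locally, as in the steps below.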
To resolve this issue, try the following steps:
· Download the certificate https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt locally (Example: C:\Temp)
· You can use the certmgr.exe utility to add the certificate from the command line. For more information, see the Certmgr.exe (Certificate Manager Tool) topic at MSDN.
· Open an admin command prompt and run this command: certmgr.exe /add C:\Temp\MicRooCerAut2011_2011_03_22.crt /s /r localMachine root
· Next, try installing the patch KB3135996 or KB3136000 again
Alternatively, you can download and install KB2813430 and then manage certificates individually: https://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
For more information, see the "Configure trusted roots and disallowed certificates" and "Install a Root Certification Authority on offline machines" topics at TechNet.
Comments
- Anonymous
April 20, 2016
The comment has been removed
- Anonymous
August 11, 2016
You made my day!!
- Anonymous
April 25, 2016
Worked perfectly.
- Anonymous
July 06, 2016
Thank you. The command above should read with a .crt instead of a .cer. "certmgr.exe /add C:\Temp\MicRooCerAut2011_2011_03_22.crt /s /r localMachine root"
- Anonymous
August 09, 2016
Works like a charm! Thank you!
- Anonymous
August 23, 2016
You can also extract the .exe and run the .msp. [patch.exe] /s /x /b '[export path]' /v '' /qn '' Then run the [export path].msp.
- Anonymous
October 31, 2016
It works. Thanks!
- Anonymous
December 17, 2016
Thank you, the solution is working perfectly.
- Anonymous
March 07, 2017
You have the extension wrong for the cert file!!!
- Anonymous
March 20, 2017
It was great to get here and at last it worked perfectly