Windows 7: Update KB890830 (MSRT) drops Error 0x800B0109

[German]Another supplement to the Patchday (November 12, 2019). A number of users under Windows 7 SP1 and Windows Server 2008/R2 get the error 0x800B0109 when installing the update KB890830 (MSRT). Here is some information about the topic and what was going on.

What does update KB890830 (MSRT) do?

Update KB890830  is the 'Windows Malicious Software Removal Tool' (MSRT). The tool is available for all versions of Windows and is rolled out cyclically on patchday as an update to clean the systems from malicious software (certain common threats such as Trickbot).

Windows needs to be restarted to take effect after installation. Those who want to run the tool manually can download it from the Microsoft Download Center or run an online version of microsoft.com. This tool cannot replace an antivirus product. You should therefore use an antivirus product to help protect your computer.

Installation issues with November 12, 2019 version

The MSRT version that was released on November 12, 2019 as update KB890830 causes problems under Windows 7 SP1 and Windows Server 2008/R2. Already on the patchday there were (German) comments like this:

With KB890830 all my installation attempts fail.
Error Code 0x800B0109

Further comments indicate that there are install issues with the 32-bit version of Windows 7 SP1. The German comment here also shows the installation error with the 64-bit version. I have also received reports that the tool is being installed on a recurring basis. Woody Leonhard also mentioned this installation error in an article at ComputerWorld.

What does error 0x800B0109 means?

The error code 0x800B0109 stands for CERT_E_UNTRUSTEDROOT, and the message is in plain text:

A certificate chain was processed, but ended with a root certificate that is not trusted by the trust provider.

This simply means that the certificate used to verify the signed update file cannot be trusted. A digital signature is included in the update package. But the certificate chain used to verify the trustworthiness of the digital signature ends with a root certificate that is not considered trustworthy.

Ad-hoc I would have suspected a missing Servicing Stack Update (SSU) or a SHA-2 update as the cause for Windows 7 SP1 and Windows Server 2008/R2. The support article for update KB890830 says:

Note: Starting November 2019, MSRT will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to run MSRT. To learn more, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

But that's not the root cause this time. Rather, Microsoft made a mistake signing the update package in question. There is this Technet Forenthread, where the issue is discussed.

It is interesting to note that the certificate in the MSRT works with Windows 8.1 and higher and its server counterparts – only Windows 7 and Windows Server 2008/R2 had a certificate error.

In the meantime update KB890830 is no longer available via Windows Update (see this German comments within my blog). Within the Microsoft Update Catalog there is update KB890830 still available with v5.77. However, for Windows 7, Windows Server 2008 and Windows Server 2008 R2, this has the update date 11/13/2019, while the counterparts for Windows 8.1 to Windows 10 and the server counterparts have the update date 11/12/2019.

So Microsoft has updated the package for Windows 7 and Server 2008/r2 and replaced the faulty certificate. I have now downloaded the MSRT v5.77 in a 64-bit version for my Windows 7 SP1. The tool ran smoothly.

The Microsoft Update Catalog offerst two MSRT packaged to download. One is a delta update, which may be used in WSUS.

Similar article:
Issues with Update KB890830 (Windows Malicious Removal Tool