A certificate chain could not be built to a trusted root authority
The Security Update for Microsoft .NET Framework 4.X (KB3135996 or KB3136000) may fail with the following error message: Installation failed with error code: (0x800B010A), "A certificate chain could not be built to a trusted root authority."
The install log shows:
C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp Signature could not be verified for NDP45-KB3135996.msp
No FileHash provided. Cannot perform FileHash verification for NDP45-KB3135996.msp
File NDP45-KB3135996.msp (C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp), failed authentication(Error = -2146762486). It is recommended that you delete this file and retry setup again.
Failed to verify and authenticate the file -C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp
Please delete the file, C:\65760b35b9bcb98aad5de44ad83b\NDP45-KB3135996.msp and run the package again
The CAPI2 event messages inside the log show the certificate retrieval timing out:
<CryptRetrieveObjectByUrlWire>
<URL scheme="http">https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt</URL>
<Object type="CONTEXT_OID_CERTIFICATE" constant="1"/>
<Timeout>PT15S</Timeout>
<Flags value="286005" CRYPT_RETRIEVE_MULTIPLE_OBJECTS="true" CRYPT_WIRE_ONLY_RETRIEVAL="true" CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL="true" CRYPT_OFFLINE_CHECK_RETRIEVAL="true" CRYPT_AIA_RETRIEVAL="true" CRYPT_PROXY_CACHE_RETRIEVAL="true"/>
<AdditionalInfo>
<Action name="NetworkRetrievalTimeout">
<Error value="5B4">This operation returned because the timeout period expired. </Error>
</Action>
</AdditionalInfo>
<EventAuxInfo ProcessName="Setup.exe"/>
<CorrelationAuxInfo TaskId="{98B7F5D9-09DF-4158-8662-72272FA6171C}" SeqNumber="9"/>
<Result value="5B4">This operation returned because the timeout period expired.</Result>
</CryptRetrieveObjectByUrlWire>
This issue occurs when the certificate MicRooCerAut2011_2011_03_22.cer is missing, particularly when you operate in an environment that is disconnected from the Internet or that has a firewall that blocks content from the following URL: https://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Setup then cannot build the signature chain of the .msp file to a trusted root, and the attempt to retrieve the certificate over the network times out, as the CAPI2 event shows. This behavior is due to recent changes to Microsoft Windows Enforcement of Authenticode Code Signing and Timestamping.
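To find every retrieval of this kind in a longer CAPI2 export, the event format shown above can be parsed and filtered for issuer-certificate (AIA) fetches that ended in the timeout code 5B4. This is an added example, not part of the original post: the function names are hypothetical, the first sample event is trimmed from the log above, and the second (example.test) is constructed.

```python
import xml.etree.ElementTree as ET

ERROR_TIMEOUT = 0x5B4  # Win32 ERROR_TIMEOUT, the Result value in the log above

# Constructed input: event 1 is trimmed from the log above; event 2
# (example.test, Result 0) is made up to show that successful fetches are skipped.
SAMPLE = """
<CryptRetrieveObjectByUrlWire>
  <URL scheme="http">https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt</URL>
  <Flags value="286005" CRYPT_AIA_RETRIEVAL="true"/>
  <EventAuxInfo ProcessName="Setup.exe"/>
  <Result value="5B4">This operation returned because the timeout period expired.</Result>
</CryptRetrieveObjectByUrlWire>
<CryptRetrieveObjectByUrlWire>
  <URL scheme="http">http://pki.example.test/constructed-ca.crt</URL>
  <Flags CRYPT_AIA_RETRIEVAL="true"/>
  <EventAuxInfo ProcessName="Setup.exe"/>
  <Result value="0"/>
</CryptRetrieveObjectByUrlWire>
"""

def local(tag):
    """Drop an XML namespace prefix, if the export carries one."""
    return tag.rsplit("}", 1)[-1]

def failed_retrievals(xml_text):
    """One dict per CryptRetrieveObjectByUrlWire event with a non-zero Result."""
    root = ET.fromstring("<events>" + xml_text + "</events>")  # wrap bare fragments
    out = []
    for ev in root.iter():
        if local(ev.tag) != "CryptRetrieveObjectByUrlWire":
            continue
        f = {local(c.tag): c for c in ev.iter()}
        code = int(f["Result"].get("value", "0"), 16) if "Result" in f else 0
        if code == 0:
            continue  # retrieval succeeded, nothing to pre-stage
        flags = f["Flags"].attrib if "Flags" in f else {}
        aux = f["EventAuxInfo"].attrib if "EventAuxInfo" in f else {}
        out.append({
            "url": (f["URL"].text or "").strip() if "URL" in f else "",
            "process": aux.get("ProcessName", ""),
            "aia": flags.get("CRYPT_AIA_RETRIEVAL") == "true",
            "timed_out": code == ERROR_TIMEOUT,
        })
    return out

def certs_to_prestage(findings):
    """URLs of issuer-certificate (AIA) fetches that timed out."""
    return sorted({x["url"] for x in findings if x["aia"] and x["timed_out"]})
```

Calling `certs_to_prestage(failed_retrievals(SAMPLE))` returns the URLs of the certificates that the offline machine could not fetch and that therefore have to be installed by hand.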
To resolve this issue, try the following steps:
· Download the certificate https://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt and save it locally (Example: C:\Temp)
· You can use the certmgr.exe utility to add the certificate from the command line. For more information, see the Certmgr.exe (Certificate Manager Tool) topic at MSDN.
· Open an admin command prompt and run this command: certmgr.exe /add C:\Temp\MicRooCerAut2011_2011_03_22.cer /s /r localMachine root (the path must point to the file you saved in the first step; the download URL above ends in .crt)
· Next, try installing the patch KB3135996 or KB3136000 again
Alternatively, you can download and install KB2813430 and then manage certificates individually: https://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
For more information, see the "Configure trusted roots and disallowed certificates" and "Install a Root Certification Authority on offline machines" topics at TechNet.