Issue
We're experiencing troubles with downloading some software updates, specifically ones from Microsoft. Some updates will download without issue while some will error with the following. Talking with a coworker this seems to be particular to .cab files when downloading updates. My coworker has manually downloaded the updates as necessary for what he was trying to download which I believe were cumulative office updates for recent months.
In this particular case, we are manually going to "Software Library | Operating Systems | All Windows Feature Updates" Searching for "Windows 11, version 23H2 x64 2025-03B" then attempting the download of it. We create a deployment package, cleaning up after each failed attempt. We select "Download software updates from the Internet" as we have for other updates that were successfully downloaded such as Windows 10 cumulative updates for the past few months. We have English listed in the language specification page for "Windows Update" and for "Office 365 Client Update". It will then sit at "Processing 0%" till it ultimately fails with the below error information.
Error: Windows 11, version 23H2 x64 2025-03B
Error: Failed to download content id 16881470. Error: Invalid certificate signature.
This is specific to updates from Microsoft as far as we can tell at this time. In this case we are trying to download the "Windows 11 version 23H2 x64 2025-03B" so we could test upgrading Windows 10 workstations to Windows 11. Most other Microsoft Windows Updates download without encountering this error however some updates we have manually had to download from the Microsoft Update Catalog and add them in.
I've checked the "Administration | Security | Certificates" section of SCCM. Currently everything is "Unblocked".
Our SCCM Server Information:
Windows Server 2016
Microsoft Configuration Manager
We also have a distribution point server which is also WSUS for SCCM. It is also running Server 2016.
Logs
I've explored the %appdata%\Temp\PatchDownloader.log and have found the following lines about authentication failure for a .cab file. I believe this is the relevant section from this log file but if there's additional information that would be useful, please let me know and I'll add it. Server name and usernames within the log have been adjusted for privacy.
Excerpt from PatchDownloader.log is attached for reference.
Downloading the .cab file itself from the URL listed in the log and then going to "Properties | Digital Signatures | Details | View Certificate" shows the certificate is valid from 9/12/2024 to 9/11/2025 and Issue to Microsoft Corporation by Microsoft Code Signing PCA 2011. The certificate seems to be fine.
Searching about the issue
I had found some discussions about this while searching.
There was mention in the comments by Alexey of using the SQL Management Studio to query the file in question and changing the IsSigned value from 1 to 0.
I suspect this would be relatively harmless and would simply prevent SCCM from checking the files authentication to allow it to continue. I hesitated to do this however for a couple of reasons.
1. It doesn't seem to solve the root of the issue.
2. If someone comes behind me and doesn't check notes, they may have to go through the same troubleshooting to figure it out.
Additionally, I thought of downloading the content, placing it in the source folder structure on SCCM, and then pointing to that local download of the files so that it can use that for the update source however that would not be resolving the root of the issue.
If other logs files are helpful to resolving this, please let me know and I'll provide any additional information we can. I'm still somewhat new to this portion of SCCM.
We're experiencing troubles with downloading some software updates, specifically ones from Microsoft. Some updates will download without issue while some will error with the following. Talking with a coworker this seems to be particular to .cab files when downloading updates. My coworker has manually downloaded the updates as necessary for what he was trying to download which I believe were cumulative office updates for recent months.
In this particular case, we are manually going to "Software Library | Operating Systems | All Windows Feature Updates" Searching for "Windows 11, version 23H2 x64 2025-03B" then attempting the download of it. We create a deployment package, cleaning up after each failed attempt. We select "Download software updates from the Internet" as we have for other updates that were successfully downloaded such as Windows 10 cumulative updates for the past few months. We have English listed in the language specification page for "Windows Update" and for "Office 365 Client Update". It will then sit at "Processing 0%" till it ultimately fails with the below error information.
Error: Windows 11, version 23H2 x64 2025-03B
Error: Failed to download content id 16881470. Error: Invalid certificate signature.
This is specific to updates from Microsoft as far as we can tell at this time. In this case we are trying to download the "Windows 11 version 23H2 x64 2025-03B" so we could test upgrading Windows 10 workstations to Windows 11. Most other Microsoft Windows Updates download without encountering this error however some updates we have manually had to download from the Microsoft Update Catalog and add them in.
I've checked the "Administration | Security | Certificates" section of SCCM. Currently everything is "Unblocked".
Our SCCM Server Information:
Windows Server 2016
Microsoft Configuration Manager
Version 2309
Console version 5.2309.1113.1000
Site version: 5.0.9122.1000
SQL 2014 installed on the same server as Config Mgr.We also have a distribution point server which is also WSUS for SCCM. It is also running Server 2016.
Logs
I've explored the %appdata%\Temp\PatchDownloader.log and have found the following lines about authentication failure for a .cab file. I believe this is the relevant section from this log file but if there's additional information that would be useful, please let me know and I'll add it. Server name and usernames within the log have been adjusted for privacy.
Excerpt from PatchDownloader.log is attached for reference.
Downloading the .cab file itself from the URL listed in the log and then going to "Properties | Digital Signatures | Details | View Certificate" shows the certificate is valid from 9/12/2024 to 9/11/2025 and Issue to Microsoft Corporation by Microsoft Code Signing PCA 2011. The certificate seems to be fine.
Searching about the issue
I had found some discussions about this while searching.
There was mention in the comments by Alexey of using the SQL Management Studio to query the file in question and changing the IsSigned value from 1 to 0.
I suspect this would be relatively harmless and would simply prevent SCCM from checking the files authentication to allow it to continue. I hesitated to do this however for a couple of reasons.
1. It doesn't seem to solve the root of the issue.
2. If someone comes behind me and doesn't check notes, they may have to go through the same troubleshooting to figure it out.
Additionally, I thought of downloading the content, placing it in the source folder structure on SCCM, and then pointing to that local download of the files so that it can use that for the update source however that would not be resolving the root of the issue.
If other logs files are helpful to resolving this, please let me know and I'll provide any additional information we can. I'm still somewhat new to this portion of SCCM.
