.NET Framework installer error 0x800B0109

When installing .NET Framework 4.8 on a clean install of Windows 7, you receive the error

0x800B0109 "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider"

The .NET Framework 0x800B0109 error prevents the installation from continuing.

The Cause

An outdated Root Certificates store is the cause of the .NET Framework 0x800B0109 issue. If the machine has been offline for a very long period, or is a fresh install, a current ‘Microsoft Root Certificate Authority’ root certificate will not be present, as the machine usually updates the store once per week. After a fresh install, it can take anywhere from a number of minutes to hours to update the store. Your computer must also have an active internet connection with access to Windows Update to do this.

The Fix

The following script uses Windows Update to download and update the Microsoft Root Certificates. The script will work on an out-of-the-box Windows 7 system running PowerShell 2.0 and above.

Save the following script to a bat/cmd file and run the file from an elevated command prompt:

rem Working folder under the system Temp directory
set dst=%SystemRoot%\Temp\roots

if not exist "%dst%" mkdir "%dst%"

rem Download the two cab files from Windows Update
powershell.exe -Command "(New-Object System.Net.WebClient).DownloadFile('http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab', '%dst%\authrootstl.cab')"
powershell.exe -Command "(New-Object System.Net.WebClient).DownloadFile('http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab', '%dst%\disallowedcertstl.cab')"

rem Extract the .stl file from each cab
expand.exe "%dst%\authrootstl.cab" "%dst%\authroot.stl"
expand.exe "%dst%\disallowedcertstl.cab" "%dst%\disallowedcert.stl"

rem Import into the machine root and disallowed stores (-f overwrites existing entries)
certutil.exe -addstore -f root "%dst%\authroot.stl"
certutil.exe -addstore -f disallowed "%dst%\disallowedcert.stl"

rem Remove the working folder
rmdir /S /Q "%dst%"

The script performs the following actions:

  1. Creates a working folder in the System Temp folder
  2. Downloads the updated certificates and certificate revocation list (cab files)
  3. Inflates the cab files
  4. Installs the certificates and CRL
  5. Deletes the working folder

If the system that you are using is offline, the script can be easily modified to work from a USB drive or network share.
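
One way to do the offline variant, as an added example that is not part of the original article: the two cab files are copied to a USB drive or share, and the import only runs if each file still matches a SHA-256 value recorded on the connected machine. The `E:\roots` path, the `sha256.txt` manifest and the `-WriteManifest` switch are assumptions of this example; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original article. Works on PowerShell 2.0.
# Assumed (hypothetical) layout: $Source holds both CABs and sha256.txt,
# one "<hex hash> <file name>" line per CAB, written on the connected machine.
param(
    [string]$Source = 'E:\roots',   # hypothetical USB drive or share path
    [switch]$WriteManifest          # pass this on the connected machine
)
# CAB file name -> certificate store used by the article's script
$cabs = @{ 'authrootstl.cab' = 'root'; 'disallowedcertstl.cab' = 'disallowed' }
$manifest = Join-Path $Source 'sha256.txt'

function Get-Sha256([string]$Path) {
    # Get-FileHash needs PowerShell 4.0, so hash through .NET instead
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { return [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
}

if ($WriteManifest) {
    $cabs.Keys | ForEach-Object { '{0} {1}' -f (Get-Sha256 (Join-Path $Source $_)), $_ } |
        Set-Content $manifest
    return
}

# Offline machine: check every CAB against the manifest before importing any
$expected = @{}
Get-Content $manifest | ForEach-Object {
    $hash, $name = $_ -split ' ', 2
    $expected[$name] = $hash
}
foreach ($cab in $cabs.Keys) {
    $actual = Get-Sha256 (Join-Path $Source $cab)
    if ($actual -ne $expected[$cab]) { throw "SHA-256 mismatch for $cab; nothing was imported" }
}

# Same expand and import steps as the article's script
$work = Join-Path $env:SystemRoot 'Temp\roots'
New-Item -ItemType Directory -Path $work -Force | Out-Null
foreach ($cab in $cabs.Keys) {
    $stl = Join-Path $work ($cab -replace 'stl\.cab$', '.stl')
    & expand.exe (Join-Path $Source $cab) $stl | Out-Null
    & certutil.exe -addstore -f $cabs[$cab] $stl
}
Remove-Item $work -Recurse -Force

# List the Microsoft roots now present in the machine store
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*Microsoft Root Certificate Authority*' } |
    Select-Object Subject, Thumbprint, NotAfter
```

The manifest only shows that the files are unchanged since they were hashed, so write it immediately after downloading them on the connected machine.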