CRYPT_E_INVALID_MSG_TYPE (0x80091004) Quick Fix
This error means Windows can't decode a certificate or signed file. The fix is usually clearing the Windows Update cache or repairing the certificate store.
I know seeing 0x80091004 pop up during a Windows Update or when installing a signed app can stop you dead. It's cryptic and frustrating. Let's cut through the noise — here's the fix that works 9 out of 10 times.
First Thing: Clear the Windows Update Cache
This is the single biggest culprit. Corrupted update files or a stale cache can trigger the CRYPT_E_INVALID_MSG_TYPE error. Don't bother with third-party cleaners — we do it manually.
- Open Command Prompt as Administrator. (Win + X, then select "Terminal (Admin)" or "Command Prompt (Admin)" depending on your build.)
- Stop the Windows Update service by running:
  net stop wuauserv
- Stop the Background Intelligent Transfer service:
  net stop bits
- Navigate to the cache folder:
  cd %WINDIR%\SoftwareDistribution
- Delete everything inside:
  del /f /s /q Download
- Restart both services:
  net start wuauserv
  net start bits
- Reboot your machine.
Try your update or install again. If it works, you're done. Skip the rest.
Still Broken? Repair the Certificate Store
If the error persists, the problem is likely a corrupted root certificate. Windows uses a local store to validate signatures — if a cert is missing or damaged, you get 0x80091004.
- Open an elevated Command Prompt again.
- Run the System File Checker:
  sfc /scannow
- After that finishes, run DISM to fix the component store:
  DISM /Online /Cleanup-Image /RestoreHealth
- Reboot and check for updates again.
These two commands sound basic, but they root out store corruption. I've seen this fix 0x80091004 on everything from Windows 10 20H2 to Windows 11 23H2.
Why This Error Happens
Under the hood, Windows uses Cryptography API: Next Generation (CNG) to verify digital signatures. The error CRYPT_E_INVALID_MSG_TYPE means the system received a cryptographic message that doesn't match the expected format, typically a PKCS #7 signed message. Real-world triggers:
- A failed Windows Update where the .cab file was downloaded but corrupted mid-stream.
- Installing a driver signed with an expired or cross-signed certificate.
- Manually importing a .cer file that's malformed.
The cache clear fixes the first. The SFC/DISM combo fixes the second and third by repairing the certificate store itself.
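To make "a cryptographic message that doesn't match the expected format" concrete, here is an added example (not code from this article, and not how Windows itself implements the check) that reads the outer DER header of a blob and reports its PKCS #7 content type, flagging truncated or non-PKCS #7 input. The function names and sample bytes are constructed for illustration.

```python
# Added example; every sample byte string below is constructed for illustration.
PKCS7_TYPES = {"1.2.840.113549.1.7.1": "data",            # RFC 2315 content types
               "1.2.840.113549.1.7.2": "signedData",
               "1.2.840.113549.1.7.3": "envelopedData"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                          # short-form length
        length = first
    else:                                     # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):               # e.g. a download cut off mid-stream
        raise ValueError("truncated value")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation."""
    first = min(body[0] // 40, 2)             # first byte packs the first two arcs
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)         # base-128, high bit means "more follows"
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify(blob):
    """Name the PKCS #7 content type of blob, or explain why it is not one."""
    try:
        tag, start, end = read_tlv(blob, 0)
        if tag != 0x30:
            return "invalid: not a DER SEQUENCE"
        tag, o_start, o_end = read_tlv(blob, start)
        if tag != 0x06 or o_end == o_start or o_end > end:
            return "invalid: ContentInfo does not start with an OID"
        oid = decode_oid(blob[o_start:o_end])
        return PKCS7_TYPES.get(oid, "invalid: unexpected content type " + oid)
    except ValueError as exc:
        return "invalid: " + str(exc)

SIGNED = bytes.fromhex("300f06092a864886f70d010702a0023000")  # constructed ContentInfo
```

Calling classify(SIGNED) names the content type, while classify(SIGNED[:10]) reports a truncated value, which is the shape a partially downloaded signed file takes.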
Less Common Variations
1. Error During Application Installation
If you see 0x80091004 when installing software like Adobe Reader or a VPN client, right-click the installer and select "Run as administrator." Also try downloading a fresh copy — the original might have been truncated.
2. Error in Event Viewer (Not Just Updates)
If the error shows up in Event Viewer under Windows Logs > Application with source Crypt32, it's a certificate chain issue. Run certutil -syncWithWU in an elevated prompt to force the Microsoft Root Certificate Program update. This pulls down missing root certs.
3. Error on Domain-Joined Machines
Group Policy can push corrupted certificate trust lists. As a domain admin, check Group Policy Management Console > Computer Configuration > Windows Settings > Security Settings > Public Key Policies. Remove any stale entries. Then run gpupdate /force on the affected machine.
Prevention Going Forward
- Keep Windows Updated — Sounds obvious, but skipping cumulative updates can let cert store rot set in.
- Don't Manually Delete Certs — I've seen people delete "expired" certs from the store. Windows manages this automatically. Leave it alone unless you know exactly what you're doing.
- Use a Good Security Suite — Malware can corrupt the crypto stack. Windows Defender is fine, but keep it active.
- Run SFC and DISM Monthly — Schedule it or just run them when you think of it. Takes two minutes and prevents weird errors.
That's it. No witchcraft — just clearing the junk and fixing the store. You'll be back to work in under 10 minutes.