0X80091001

Cryptic 0x80091001 Error? Here's the Fix

Cybersecurity & Malware Intermediate 👁 0 views 📅 May 26, 2026

You'll see this when Windows can't validate a digital signature. Usually a corrupted root cert or a busted update. Skip the wild goose chase — here's what actually works.

Cause 1: Corrupted Root Certificate Store

The culprit here is almost always a messed-up root certificate. When Windows tries to verify a digital signature — like during an update or installing a driver — it hits this error if the root certification authority (CA) isn't trusted. I've seen this on Windows 10 22H2 and Windows 11 23H2 after a failed update rollback.

How to spot it

You run certmgr.msc (Certificate Manager) and see a bunch of red X marks in the Trusted Root Certification Authorities folder. That's your smoking gun.

Fix it fast

Don't bother manually reimporting certs — that takes forever and you'll miss half of them. Use the Microsoft Update Catalog:

  1. Go to Microsoft Update Catalog.
  2. Search for "Root Update" — you want the latest KB for your OS version (e.g., KB5014754 for Windows 10 22H2).
  3. Download the MSU file and install it manually.

Then run this in an elevated Command Prompt:

certutil -generateSSTFromWU roots.sst
certutil -addstore Root roots.sst

This pulls down the current root certificates from Windows Update and installs them. Reboot after.

Cause 2: System File Corruption

If the root certs look fine, your system files are probably busted. I've seen this after a power loss during a Windows Update install — the cryptographic service gets hosed.

Two-step repair

Run DISM first. SFC is a waste of time on its own here — it can't fix component store corruption.

dism /online /cleanup-image /restorehealth

Let it finish — might take 10-15 minutes. Then run SFC:

sfc /scannow

Reboot after both complete. If DISM spits out error 0x800f081f, you need to point it to a Windows install source. On a running system, mount your Windows ISO or USB, then run:

dism /online /cleanup-image /restorehealth /source:wim:X:\sources\install.wim:1 /limitaccess

Replace X with your drive letter.

Cause 3: Expired or Wrong Time/Date

I know — this sounds too simple. But I've lost count of how many times a wrong system clock cause this exact error. Certificate validation is time-sensitive. If your clock is off by more than a few minutes, Windows thinks the cert is expired.

Check and fix

Open Date & Time settings. Turn off "Set time automatically" and restart the Windows Time service:

net stop w32time
net start w32time
w32tm /resync

Then turn "Set time automatically" back on. If you're in a domain environment, run w32tm /query /status to verify you're sync'd to the domain controller.

Quick-Reference Summary

Cause Fix Time
Corrupted root certificate store Install Root Update KB from Catalog, then run certutil -generateSSTFromWU + certutil -addstore 10-15 min
System file corruption Run dism /online /cleanup-image /restorehealth then sfc /scannow 15-20 min
Incorrect system time Restart w32time service and resync time 2 min

If you've tried all three and still get the error, check if a third-party antivirus is intercepting SSL connections. McAfee and Norton have caused this for years. Disable their SSL scanning temporarily — if it fixes it, whitelist the Windows Update process or switch to Defender.

Was this solution helpful?

0x80091001 CRYPT_E_MSG_ERROR Windows Update error 0x80091001 digital signature error certificate trust error KB error 0x80091001 DISM error 0x80091001 SFC error 0x80091001 Windows 10 update failed cryptographic error 0x80091001 root certificate issue fix 0x80091001 Windows update troubleshooter certificate store corruption update catalog error