Fix 0x800B0004: Subject Not Trusted Error on Windows
This error means Windows doesn't trust a digital signature. Fix it by updating root certificates or installing the missing certificate authority.
It stinks when you're trying to install something—maybe a driver, an app, or a Windows update—and get hit with that 0x800B0004 error. The message says the subject isn't trusted for the action. Let's get you past it.
The Quick Fix: Update Root Certificates
Nine times out of ten, this happens because Windows is missing a root certificate that's needed to verify the signature. The easiest way to fix it is to update the root certificate list.
- Open Settings (press Windows + I).
- Go to Update & Security > Windows Update.
- Click Check for updates. Do this even if you think you're up to date.
- If you see any optional updates listed, click View optional updates.
- Look for an entry that says something like Update for Root Certificates or Root Update Package. Check that box.
- Click Download and install. After it finishes, you should see a confirmation message that the update installed okay.
- Restart your computer. This is important—don't skip the restart.
After rebooting, try doing whatever gave you the 0x800B0004 error again. In most cases, it'll work now.
If That Didn't Work: Manually Install the Certificate
Sometimes the update doesn't include the specific certificate you need. This is common with third-party drivers or older software. Here's the manual route:
- Right-click the file that's causing the error (like an .exe or .msi installer).
- Select Properties from the context menu.
- Go to the Digital Signatures tab.
- You'll see a list of signers. Select the top one (the root authority) and click Details.
- In the Digital Signature Details window, click View Certificate.
- In the Certificate window, go to the Certification Path tab. You'll see a chain of certificates. The top one is the root certificate—it might have a red X or say "not trusted."
- Select that root certificate at the top, then click View Certificate again.
- Go to the Details tab and click Copy to File. This starts the Certificate Export Wizard.
- Choose Base-64 encoded X.509 (.CER) format and save it to your desktop.
- Now open the Certificate Manager by pressing Windows + R, typing certmgr.msc, and hitting Enter.
- In the left pane, expand Trusted Root Certification Authorities.
- Right-click Certificates (under that folder) and choose All Tasks > Import.
- Browse to the .cer file you saved on your desktop.
- Place it in Trusted Root Certification Authorities—the wizard will ask.
- Click Finish. You should get a confirmation that the import succeeded.
After importing, close everything and retry the operation that gave you the error. You should see it succeed this time.
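Adding a root to Trusted Root Certification Authorities makes Windows trust everything that root issues, so it's worth checking the exported file before you import it. The script below is an added example, not part of the original article; `$CerPath` and `$ExpectedThumbprint` are hypothetical parameters, and it assumes the vendor publishes the SHA-1 thumbprint of its root somewhere other than the installer itself.

```powershell
# Added example, not from the original article. $CerPath and $ExpectedThumbprint
# are hypothetical parameters: the exported .cer file and the SHA-1 thumbprint
# the vendor publishes for its root (obtained separately from the installer).
param(
    [Parameter(Mandatory)][string]$CerPath,
    [Parameter(Mandatory)][string]$ExpectedThumbprint
)

$file = (Resolve-Path -LiteralPath $CerPath).ProviderPath
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)
$now  = Get-Date

# Normalise "ab cd:ef" style input to the upper-case hex form Windows uses.
$want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Old X.509 v1 roots carry no basic constraints and fail the CA check below;
# review those by hand instead of importing them through this script.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }

$checks = [ordered]@{
    'Thumbprint matches vendor value' = ($cert.Thumbprint -eq $want)
    'Self-signed (subject = issuer)'  = ($cert.Subject -eq $cert.Issuer)
    'Marked as a CA certificate'      = [bool]($bc -and $bc.CertificateAuthority)
    'Inside its validity period'      = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
}
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
$checks.GetEnumerator() | ForEach-Object { '{0,-32}: {1}' -f $_.Key, $_.Value }

if ($checks.Values -contains $false) {
    throw 'Certificate failed vetting; not importing.'
}

# Same store that certmgr.msc manages (current user).
$store = 'Cert:\CurrentUser\Root'
if (Test-Path "$store\$($cert.Thumbprint)") {
    'Already present in Trusted Root Certification Authorities.'
} else {
    Import-Certificate -FilePath $file -CertStoreLocation $store | Out-Null
    'Imported. Retry the operation that failed.'
}
```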
Why This Error Happens
Windows uses certificates to check if software is safe. When you see 0x800B0004, it means the digital signature on the file is valid (not tampered with) but Windows doesn't trust the signer. That usually means the root certificate that issued the signer's certificate isn't in your Trusted Root store.
This can happen after a fresh Windows install, after removing old certificates, or when you're installing software from a company that uses a newer certificate authority. Windows Update normally pushes these out, but sometimes it misses one, or you've turned off automatic updates.
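To see which certificate in the chain Windows is rejecting for a particular file, and whether the cause is a missing root or a validity-date problem, you can inspect the signature from PowerShell. This is an added example, not part of the original article; `$Path` is a hypothetical parameter for the file that fails.

```powershell
# Added example, not from the original article. $Path is a hypothetical
# parameter: the installer or driver file that fails with 0x800B0004.
param([Parameter(Mandatory)][string]$Path)

# Get-AuthenticodeSignature gives Windows' own verdict on the file.
# NotTrusted = signature intact but signer not trusted; HashMismatch = file altered.
$sig = Get-AuthenticodeSignature -FilePath $Path
"Verdict : $($sig.Status) - $($sig.StatusMessage)"
"Clock   : $(Get-Date -Format 'yyyy-MM-dd HH:mm zzz')"
if (-not $sig.SignerCertificate) { 'No signer certificate found on this file.'; return }

# Rebuild the chain to see which element fails. Revocation lookups are
# skipped so the check runs offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($sig.SignerCertificate)

foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    $flags = @($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $flags) { $flags = 'NoError' }
    '{0}' -f $c.Subject
    '  thumbprint {0}  valid {1:yyyy-MM-dd} to {2:yyyy-MM-dd}  status {3}' -f `
        $c.Thumbprint, $c.NotBefore, $c.NotAfter, $flags
}

# The last element is the top of the chain as far as Windows could build it.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$known = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Thumbprint -eq $top.Thumbprint }
"Top of chain in a Trusted Root store: $([bool]$known)"

$status = @($chain.ChainStatus | ForEach-Object { $_.Status })
if ($status -contains 'UntrustedRoot') { 'Cause: root certificate is not in the Trusted Root store.' }
if ($status -contains 'PartialChain')  { 'Cause: an issuer certificate could not be found, so no root was reached.' }
# The chain is evaluated at the current clock time. A timestamped signature can
# outlive its signer certificate, so treat this flag as a hint and compare the
# validity dates above with the Clock line.
if ($status -contains 'NotTimeValid')  { 'Hint: a certificate is outside its validity period for the current system time.' }
```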
Less Common Variations
There are a few other scenarios where you'll see this exact error code:
1. Time and Date Are Wrong
Certificates have an expiration date. If your system clock is off by more than a few hours, Windows might think a certificate is expired or not yet valid. Check the time and date in your system tray. If it's wrong, right-click it, select Adjust date/time, and turn on Set time automatically. Also check the time zone—being off by a zone can break things.
2. Group Policy Blocks Trust
If you're on a corporate or domain-joined machine, your IT team might have disabled certain root certificates via Group Policy. In that case, you won't be able to install them manually. Contact your IT admin. They can add the certificate to the Trusted Root Certification Authorities policy under Computer Configuration > Windows Settings > Security Settings > Public Key Policies.
3. Corrupted Certificate Store
Rarely, the certificate store itself gets corrupted. This can happen after a malware cleanup or a failed update. To fix it, open Command Prompt as Administrator and run:
certutil -store -user root
If this gives errors, you can try rebuilding the store by running:
certutil -repairstore root *
After this, reboot and try again. But honestly, I'd only try this if the other methods failed—it's a sledgehammer approach.
Preventing This Going Forward
Keep Windows Update on. That's the single best thing you can do. Microsoft pushes root certificate updates through Windows Update, so staying current keeps your trust store healthy.
Also, don't delete certificates unless you know what you're doing. I've seen people clean out their certificate store thinking it speeds up the computer—it doesn't. It just breaks stuff.
If you need to install software from a less common developer, download it directly from the developer's site, not from third-party mirror sites. Those mirrors sometimes strip or alter digital signatures, which can cause this error.
Finally, if you're a developer signing your own code, make sure your code signing certificate is issued by a trusted root authority (like DigiCert, Sectigo, or GlobalSign), not a self-signed certificate. Self-signed certs will always throw this error on other people's machines unless they install your root manually.