Fix CRYPT_E_BADPDU (0X80093108) ASN1 Error on Windows
This ASN1 decoding error usually means a corrupted certificate or bad system time. Here's how to fix it fast on Windows 10 and 11.
1. Windows Time is Off (The Most Common Cause)
I've seen this error pop up more times than I can count, and 9 times out of 10 it's because your system clock is wrong. Windows uses certificates with timestamps to verify everything from Windows Update to your email client. If your clock is even a few minutes off, the ASN1 decoder in crypt32.dll throws CRYPT_E_BADPDU (0X80093108). It thinks the certificate is expired or not yet valid.
This usually happens after a CMOS battery dies, dual-booting with another OS that sets the clock to UTC, or after a time zone change you forgot to apply.
Fix: Force a Time Sync
- Right-click the clock in the taskbar and pick Adjust date/time.
- Turn off Set time automatically and Set time zone automatically.
- Wait 10 seconds, then turn them both back on.
- Click Sync now under Synchronize your clock.
- If you see an error instead of a successful sync, run this in an admin Command Prompt:
w32tm /unregister w32tm /register net start w32time w32tm /resync - Reboot and test the app that gave you the error.
If the issue is fixed, you're done. If not, move to the next cause.
2. Corrupted Root Certificate or Missing Intermediate CA
Sometimes Windows Update itself gets corrupted, or a security tool like Bitdefender or Malwarebytes removes a trusted root cert it shouldn't have. When the ASN1 parser can't find the parent certificate to build the chain, it returns 0X80093108. I've seen this most often with Microsoft Office 365 logins and Windows Update (error 80093108 specifically).
Fix: Reinstall the Root Certificates
- Download the latest root update package from Microsoft: Microsoft Root Certificate Program.
- Run the .exe and follow the prompts. It automagically replaces bad certs.
- If that doesn't work, open an admin PowerShell and run:
certutil -generateSSTFromWU roots.sst certutil -addstore Root roots.sst - Restart your PC.
This re-downloads all trusted root certs from Windows Update directly, bypassing any local corruption. I've never seen this fail.
3. Corrupted System Files or Windows Update Components
When the first two fixes don't work, the error might be from a deeper problem—corrupted system files or a messed-up SoftwareDistribution folder. This is rarer but happens after a bad update or aggressive registry cleaning tool.
Fix: DISM and SFC, Then Clear the Update Cache
- Open an admin Command Prompt.
- Run DISM first (this fixes the component store):
DISM /Online /Cleanup-Image /RestoreHealth - After that completes, run SFC:
sfc /scannow - Reboot, then stop the Windows Update service:
net stop wuauserv net stop cryptSvc net stop bits net stop msiserver - Rename the SoftwareDistribution and Catroot2 folders:
ren C:\Windows\SoftwareDistribution SoftwareDistribution.old ren C:\Windows\System32\catroot2 Catroot2.old - Start the services again:
net start wuauserv net start cryptSvc net start bits net start msiserver - Try Windows Update or the app that gave you the error.
This clears all cached update files and forces Windows to rebuild them fresh. It's overkill for most people, but if you made it here, you need it.
Quick-Reference Summary Table
| Cause | Fix | Time to Try |
|---|---|---|
| Wrong system time | Sync clock via Settings or w32tm | 2 minutes |
| Corrupted root certs | Run certutil -generateSSTFromWU / addstore | 5 minutes |
| Corrupted system files | DISM + SFC + clear SoftwareDistribution | 15 minutes |
That's it. Start with the clock—it's almost always the clock. I've been fixing this error for years, and I still check that first. If none of these work, you might have a hardware issue with the TPM or secure boot, but that's a different rabbit hole.
Was this solution helpful?