Description
CERT_E_UNTRUSTEDROOT (hex code 0x800B0109, decimal -2146762487) is an error-severity Windows error code in the VPN & Remote Access family. Microsoft surfaces this code through the Win32 API, the Common Language Runtime, the kernel, the event log, PowerShell, command-line tools (sfc, dism, gpupdate, sc), and Windows-side applications such as Outlook, Teams, Office, and System Center.
Certificate chain processed but terminated in a root certificate which is not trusted. VPN certificate issue.
This page documents what triggers 0x800B0109, the most common scenarios where it appears, the likely root causes, and a step-by-step troubleshooting workflow you can run against affected endpoints. It is intended for system administrators, MSP technicians, helpdesk engineers, and anyone diagnosing Windows behavior in a managed environment.
In-depth explanation
This is an error-severity code. Windows uses it to signal a failed operation that prevented the caller from completing its work. The underlying cause can range from a permissions or quota issue to a corrupted system component, missing dependency, or unreachable service.
It is part of the RAS / VPN / certificate error space. It surfaces in the Always On VPN logs, the RasMan service log, the Microsoft-Windows-NetworkProfile event log, and certificate validation traces.
The code can be looked up programmatically in PowerShell with [ComponentModel.Win32Exception]::new(-2146762487).Message (for Win32 / NTSTATUS codes that map cleanly), or with net helpmsg <decimal> for the legacy decimal range. For HRESULT-style codes, decode the facility and code with err.exe from the SDK or via the WinDbg !error command.
Common causes
- VPN gateway certificate expired, revoked, or signed by an untrusted root.
- Server hostname does not match the certificate Subject Alternative Name.
- RAS / IKEv2 / SSTP service stopped on the client.
- Firewall or ISP blocking IKE (UDP 500/4500), SSTP (TCP 443), or PPTP/L2TP.
- Always On VPN profile pushed via Intune / SCCM corrupted — re-deploy.
Troubleshooting steps
- Verify the VPN server's TLS / IKE certificate is trusted by the client (root CA installed, not expired, CRL/OCSP reachable).
- Confirm the server hostname matches the certificate Subject Alternative Name exactly.
- Restart the client services: Restart-Service RasMan and Restart-Service RemoteAccess.
- Check that IKE (UDP 500/4500), SSTP (TCP 443), or the configured protocol is open end-to-end.
- For Always On VPN, regenerate the device tunnel with Add-VpnConnection and re-deploy the Intune profile.
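
A read-only check for the first two troubleshooting steps, as an added example that is not part of the original page: it builds the chain for an exported gateway certificate on the client, reports whether Windows flags an untrusted root, and compares the profile's server name with the DNS names on the certificate. The certificate path and server name are placeholder assumptions.

```powershell
# Added example; $CertPath and $ServerName are placeholders (assumptions).
param(
    [string]$CertPath   = 'C:\Temp\vpn-gateway.cer',  # gateway certificate exported to a file
    [string]$ServerName = 'vpn.example.com'           # server name set in the VPN profile
)
$ns   = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$ns.X509Certificate2" -ArgumentList $CertPath

# Build the chain against the machine stores with online CRL/OCSP checking.
$chain = New-Object "$ns.X509Chain" -ArgumentList $true   # $true = machine context
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$chainOk = $chain.Build($cert)

# Per-certificate view: which element is expired or carries an error flag.
$now = Get-Date
$elements = foreach ($el in $chain.ChainElements) {
    [pscustomobject]@{
        Subject  = $el.Certificate.Subject
        NotAfter = $el.Certificate.NotAfter
        Expired  = $el.Certificate.NotAfter -lt $now
        Flags    = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
$elements | Format-Table -AutoSize -Wrap

# The last element is the top of the chain Windows could build.
$top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

# Host name check; a wildcard entry covers exactly one label.
# DnsNameList is added by PowerShell and can include the subject CN as well as SAN entries.
$names  = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$nameOk = $false
foreach ($n in $names) {
    $rx = '^' + [regex]::Escape($n).Replace('\*', '[^.]+') + '$'
    if ($ServerName -match $rx) { $nameOk = $true }
}

[pscustomobject]@{
    ChainValid       = $chainOk
    ChainFlags       = $flags -join ', '
    UntrustedRoot    = $flags -contains 'UntrustedRoot'   # the condition behind 0x800B0109
    TopOfChain       = $top.Subject
    TopIsSelfSigned  = $top.Subject -eq $top.Issuer
    TopInMachineRoot = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
    CertDnsNames     = $names -join ', '
    NameMatches      = $nameOk
} | Format-List
```

If TopIsSelfSigned is False, Windows could not find the issuing certificates at all, which is a chain-building problem and not a missing trusted root.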
Decode in PowerShell
# Decode 0x800B0109 (-2146762487) in PowerShell
[ComponentModel.Win32Exception]::new(-2146762487).Message
# Or via WinDbg / err.exe (Windows SDK)
# err 0x800B0109
# Or net helpmsg (legacy decimal range only)
# net helpmsg <decimal>
Frequently asked questions
What does the Windows error code 0x800B0109 mean?
CERT_E_UNTRUSTEDROOT (decimal -2146762487). Certificate chain processed but terminated in a root certificate which is not trusted. VPN certificate issue.
How do I decode 0x800B0109 in PowerShell?
Run [ComponentModel.Win32Exception]::new(-2146762487).Message in any PowerShell session. For HRESULT-style codes, use err.exe from the Windows SDK or the WinDbg !error command.
Where does Windows typically log this error?
%WinDir%\WindowsUpdate.log; AD/Kerberos → Security event log on the DC; BSOD → minidump under C:\Windows\Minidump; MSI → %TEMP%\msi*.log; WMI → Microsoft-Windows-WMI-Activity). Always cross-reference the timestamp and module name with the Application and System event logs.
Is this code recoverable?
Should I open a Microsoft support case for this?
Get-WinEvent export ready before opening the case.
