Impossible to upgrade DPM 2025 to DPM 2025 UR1

M.E.ACG 11 Reputation points
2025-12-04T09:43:18.24+00:00

Trying to update a DPM 2025 server to UR1 fails, regardless of the update being served by WSUS or downloaded from the catalog. While having a look at the files contained in the package which I downloaded from the catalog, I found an invalid signature was used to sign the patch file (dataprotectionmanager-kb5068307.msp):


Serial number is 330000048498e212e078a3315d000000000484.

I guess, UR1 will be re-released soon?


2 answers

  1. VPHAN 10,795 Reputation points Independent Advisor
    2025-12-04T19:01:47.1+00:00

    Hi M.E.ACG,

    The signature validation failure you observed is the direct cause of the update failure. The 1st screenshot shows the critical error "This digital signature is not valid" for the signer "Microsoft Corporation," with a signing time stamped in the future (November 20, 2025). This future date, combined with the detailed cryptographic data in the 2nd image showing a valid certificate structure from the Microsoft Code Signing PCA 2011, points to a corrupted or improperly time-stamped signature within the .msp file itself. The system's certificate validation logic is rejecting the file because the authenticated attribute for the signing time is nonsensical, breaking the chain of trust.

    To resolve this and install UR1, you must bypass the signature check for this specific file. The most direct method is to use the msiexec command with the parameter to disable signature validation. First, extract the .msp file from the downloaded update package or locate it in the WSUS content directory, typically under C:\WSUS\WsusContent. Then, open an elevated command prompt and execute the installation directly against the installed DPM product code. You will need to identify the exact GUID for your DPM 2019 installation, which can be found in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products. The command will resemble msiexec /p "C:\PathTo\dataprotectionmanager-kb5068307.msp" /qn /norestart DISABLE_PATCH_SIGNATURE_VALIDATION=1. This forces the installation of the patch regardless of the digital signature error.

    Prior to this, ensure your system's date and time are correct and synchronised with a reliable source, as a significant time skew can contribute to validation issues. Also, verify that the root certificate "Microsoft Code Signing PCA 2011" is present and trusted in the local computer's certificate store under Cert:\LocalMachine\Root. While a re-release of UR1 with a correctly signed package is a possibility, this manual installation workaround is the immediate solution. Proceeding with this patch should not affect your ability to install future, correctly signed updates.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to ACCEPT ANSWER then. Should you have more questions, feel free to leave a message. Have a nice day!


  2. M.E.ACG 11 Reputation points
    2025-12-08T11:15:05.6333333+00:00

    It turned out that the situation is totally different. Yes, the extracted files were corrupt, but that seems to be caused by using the onboard extractor in Server 2025. Extracting the files with another 3rd party tool on the same machine results in intact files. After the extraction, I was able to install UR1 successfully.
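
The check that separates the two explanations in this thread (a badly signed package versus a copy damaged during extraction), as an added PowerShell example that is not part of the original posts: it hashes each extracted copy of the patch and reads its Authenticode status. The function name and the paths in the usage comment are hypothetical.

```powershell
# Added example: compare extracted copies of the same .msp before installing.
# The function name and the paths in the usage comment are hypothetical.
function Compare-ExtractedPatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Path
    )

    $rows = foreach ($p in $Path) {
        $file = Get-Item -LiteralPath $p -ErrorAction Stop
        $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256

        [pscustomobject]@{
            Path         = $file.FullName
            Length       = $file.Length
            SHA256       = $hash.Hash
            Status       = $sig.Status                           # Valid, HashMismatch, NotSigned, ...
            SignerSerial = $sig.SignerCertificate.SerialNumber   # empty if no signer was read
            Timestamped  = [bool]$sig.TimeStamperCertificate
        }
    }

    # Copies of one patch must be byte-identical; differing hashes mean at
    # least one extraction altered the file.
    $distinct = @($rows | Select-Object -ExpandProperty SHA256 -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "Extracted copies differ: $($distinct.Count) distinct SHA256 values."
    }

    # HashMismatch means the file content no longer matches the signed digest,
    # which is typically what a damaged extraction produces.
    foreach ($r in $rows | Where-Object { $_.Status -ne 'Valid' }) {
        Write-Warning "$($r.Path): signature status $($r.Status); do not install this copy."
    }

    $rows
}

# Usage (hypothetical paths, one copy per extraction tool):
# Compare-ExtractedPatch -Path 'C:\Temp\builtin\dataprotectionmanager-kb5068307.msp',
#                              'C:\Temp\other\dataprotectionmanager-kb5068307.msp' |
#     Format-List
```

If one copy reports `Valid` and another does not, the package itself is intact and the failing copy was altered after download.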

