When installing the deployed patches on the client machines through SCCM, the installation fails with error code 0x800b0109 and with the error message "A certificate chain processed but terminated in a root certificate which is not trusted by the trust provider"
This error will occur if the certificate signed with patches is missing in the client certificate store.
To resolve this issue,
The signing certificate has to be imported to the "Trusted Publishers and Trusted Root Certification Authorities" store on the client machines, to make them trust the third party updates.
"Allow signed content from intranet Microsoft update service location" option in 'Group Policy Management' must be enabled.
To deploy the signed certificate to all the client machines using GPO, you can follow this document.
In case if this problem continues, kindly Contact Support
Keywords: Third-party Patch Management, Publish Patches, Patch Failure.