Windows Update Error 0x80070659 — Security Catalog Not in Allowed List Fix

What Does This Error Mean?

Windows Update error 0x80070659 means Windows could not validate the security catalog of an update package. Every Windows update is digitally signed with a security certificate that Windows checks before installing. If the catalog file is missing, corrupted, or the certificate cannot be verified, Windows refuses to install the update and shows this error. This is most commonly caused by incorrect system date and time settings or corrupted update components.

Affected Models

Windows 10
Windows 11
Windows 8.1

Common Causes

The system date and time is incorrect, causing update security certificates to appear expired or invalid
The update package security catalog file was corrupted during download
The Windows Cryptographic Services component is damaged or not running
The Windows component store has corrupted entries that prevent certificate validation
An incorrect or outdated root certificate is preventing the update signature from being trusted

How to Fix It

Fix your system date and time first. Right-click the clock in the taskbar and choose 'Adjust date/time.' Turn on 'Set time automatically' and 'Set time zone automatically.' Click 'Sync now.'

Incorrect time is the most common cause of certificate validation failures. Windows Update uses timestamps to verify that security certificates are currently valid.
Ensure the Cryptographic Services service is running. Press Windows key + R, type services.msc and press Enter. Find 'Cryptographic Services,' double-click it, set Startup type to Automatic, and click Start if it is not running.

The Cryptographic Services component handles all certificate verification in Windows, including update package signatures.
Clear the Windows Update cache. Open Command Prompt as Administrator: net stop wuauserv — del /f /s /q C:\Windows\SoftwareDistribution\Download\* — net start wuauserv

Clearing the cache removes the corrupted catalog file and forces a fresh download with valid security data.
Run DISM to repair the component store. In Administrator Command Prompt: DISM /Online /Cleanup-Image /RestoreHealth — restart when complete.

DISM can repair corrupted certificate and catalog data within the Windows component store.
Run System File Checker. In Administrator Command Prompt: sfc /scannow — restart after it completes, then retry Windows Update.

Corrupted cryptographic or update infrastructure files will be restored by SFC.

When to Call a Professional

This error is almost always fixable with the steps below. If certificate or cryptographic service problems persist after repairs, a technician can perform a more thorough system repair.

Frequently Asked Questions

Why does Windows check a security catalog before installing an update?

Windows checks the security catalog to make sure the update is genuinely from Microsoft and has not been tampered with. Each update package includes a catalog file that lists the expected contents and their digital signatures. Before installation, Windows verifies the catalog matches the downloaded files. This prevents malicious software from disguising itself as a Windows update.

My time and date are correct. What else could cause this?

If the time is correct and the error persists, the most likely cause is a corrupted Windows component store or a problem with the Cryptographic Services. Run the DISM repair command and ensure the Cryptographic Services service is running. You can also try the Windows Update Troubleshooter in Settings > Troubleshoot, which specifically checks for certificate and service problems.

Can I trust manually downloaded updates from the Microsoft Catalog?

Yes. The Microsoft Update Catalog at catalog.update.microsoft.com is an official Microsoft website. Downloads from there are the same files as those distributed through Windows Update. If a specific update keeps failing through the update service, downloading the standalone package (.msu file) from the catalog and double-clicking it to install is a reliable workaround.