Normally, the root certificate update corrects this issue, but it's possible something else is locked down preventing the check too. Digital Signature verification for Microsoft patches is hard coded and cannot be bypassed.
Things to look at or try:
1. Are you able to see a valid digital signature on the patches being copied to the target machines?
2. Are these patches blocked? You can verify this by going into the properties of the patches and looking for an 'Unblock' button in the General tab.
3. Does the Local System account have full control over the Machine Keys folder, sub-folder and files within it? Is the System account locked down?
Let me know what you see.
cwinning, thanks for the reply. For anyone else having this issue, setting the Wintrust registry setting for HKCU to 23c00 on the server with Shavlik Protect installed resolved the issue.
The full key is this: "HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"; then change State from 10000 to 23c00.
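The checks discussed in this thread can be collected into one read-only PowerShell script. This is an added example, not part of either post and not Shavlik's own tooling; the `C:\PatchStaging` folder is a placeholder, and the MachineKeys path is the Windows default location.

```powershell
# Added example: read-only checks for the items raised in this thread.
param(
    # Assumption: folder holding the copied patch files; substitute your own path.
    [string]$PatchDir = 'C:\PatchStaging'
)

# Items 1 and 2: Authenticode status and the "blocked" mark for each patch.
# The Unblock button appears when a file carries a Zone.Identifier stream.
Get-ChildItem -Path $PatchDir -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $zone = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier `
                    -ErrorAction SilentlyContinue
        [pscustomobject]@{
            File            = $_.Name
            SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer          = $sig.SignerCertificate.Subject
            Blocked         = [bool]$zone
        }
    } | Format-Table -AutoSize

# Item 3: access rules for Local System (SID S-1-5-18) on the MachineKeys folder.
# Rules are requested as SIDs so the match also works on localized systems.
# Only the folder itself is inspected here, not the files inside it.
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$acl = Get-Acl -Path $machineKeys
$acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-5-18' } |
    Select-Object FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# WinTrust State value from the reply above. HKCU is per-user, so this reads
# the hive of the account running the script; run it as the account that
# performs the signature check.
$key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$state = (Get-ItemProperty -Path $key -Name State -ErrorAction SilentlyContinue).State
if ($null -eq $state) {
    'State value is not present for this user'
} else {
    'State = 0x{0:x} (the reply above reports 23c00 as the working value)' -f $state
}
```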