Error: 800B0101 - Code Signing Certificate Expired

Symptom

  1. In the console, when monitoring a deployment
    OR
  2. On a client, in Software Center
    OR
  3. An error in the Configuration Checker

The deployed software returns the error: 800b0101. The error translates to "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file."

Solution

This error occurs because the Code Signing Certificate used to sign the Software Update has expired.

  1. Obtain the Expiration date of the Code Signing Certificate currently installed to the WSUS Server.
    1. In the Configuration Manager Console, navigate to the Software Library workspace.
    2. Navigate to Software Updates > Lenovo Patch > Published Third-Party Updates.
    3. Open Settings from the ribbon bar.
    4. Choose the WSUS Server tab.
    5. In the WSUS signing certificate > Current certificate section, take note of the effective dates. We will use the ending date in step 4.6.
    6. Click OK.
  2. Obtain a new Code Signing Certificate in the .pfx format.
  3. Import the new Code Signing Certificate into Lenovo Patch.
    1. In the Configuration Manager Console, navigate to the Software Library workspace.
    2. Navigate to Software Updates > Lenovo Patch > Published Third-Party Updates.
    3. Open Settings from the ribbon bar.
    4. Choose the WSUS Server tab.
    5. Click the Import button.
    6. Browse to the new Code Signing Certificate in the .pfx format and click OK.
    7. Enter the password on the .pfx file when prompted.
    8. Click OK.
  4. Still in the Software Updates > Lenovo Patch > Published Third-Party Updates view, click the button to create a new filter.
    1. Give the Filter a name.
    2. Set the Matching to All.
    3. Add rule: Column: Metadata Only, Operator: is, Data: No
    4. Add rule: Column: Expired, Operator: is, Data: No
    5. Add rule: Column: Is Superseded, Operator: is, Data: No
    6. Add rule: Column: Published Date, Operator: is before, Data: Use the date from Step 1.5
  5. Select all updates shown by the filter we created above.
    1. Select/highlight one update line. (Don't use the 'Include' checkbox)
    2. Press <CTRL> + <A> to select all the updates shown by the filter.
    3. Press the <SPACEBAR> to place a check in all the 'include' checkboxes.
  6. Click the Re-sign button in the ribbon bar.
  7. Click the Synchronize Software Updates button on the ribbon bar to synchronize WSUS with Configuration Manager.
  8. Remove all content that changed from any Deployment Packages and download fresh content from WSUS.
  9. For the Deployment Packages that changed, update the Distribution Points.
  10. Don’t forget to deploy the new Code Signing Certificate to the estate using Group Policy or Configuration Manager.
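
A pre-import check for the .pfx obtained in step 2, added here as an example and not part of the original article or of Lenovo Patch: it loads the file and reports the validity window, the Code Signing EKU and the presence of a private key, so an unsuitable certificate is caught before step 3. The file path and the 60-day warning threshold are assumptions.

```powershell
# Added example, not Lenovo Patch code. $PfxPath and $WarnDays are assumed values.
$PfxPath  = 'C:\Temp\new-codesign.pfx'   # hypothetical location of the new .pfx
$WarnDays = 60                            # assumed "renew soon" threshold

function Test-CodeSigningCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [datetime]$Now = (Get-Date),
        [int]$WarnDays = 60
    )
    $problems = @()

    # 800B0101 means the certificate is outside its validity period.
    if ($Now -lt $Cert.NotBefore) {
        $problems += "Not valid until $($Cert.NotBefore)"
    } elseif ($Now -gt $Cert.NotAfter) {
        $problems += "Expired on $($Cert.NotAfter)"
    } elseif (($Cert.NotAfter - $Now).TotalDays -lt $WarnDays) {
        $problems += "Expires in fewer than $WarnDays days ($($Cert.NotAfter))"
    }

    # A code signing certificate is expected to carry the Code Signing EKU.
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $oids = $Cert.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
    if ($oids -notcontains '1.3.6.1.5.5.7.3.3') {
        $problems += 'Code Signing EKU (1.3.6.1.5.5.7.3.3) not present'
    }

    # Signing needs the private key, so the .pfx must contain it.
    if (-not $Cert.HasPrivateKey) { $problems += 'No private key in the .pfx' }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotBefore  = $Cert.NotBefore
        NotAfter   = $Cert.NotAfter
        Problems   = $problems
    }
}

$password = Read-Host -AsSecureString -Prompt 'Password for the .pfx'
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $password)
try     { Test-CodeSigningCert -Cert $cert -WarnDays $WarnDays | Format-List }
finally { $cert.Reset() }   # release the loaded key material
```

An empty Problems list means the file passed all three checks; the reported NotAfter is the date to record for the next renewal.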

Additional Information

To mitigate this issue in the future, look into implementing and utilizing a timestamp server to timestamp updates during the publishing process. Refer to the Lenovo Patch: Timestamping Updates Knowledge Base Article.
