In this post, I will discuss an SCCM client installation failure on Windows 7 that appears once SCCM 1906 is in use.
Everything worked fine with the Windows 7 task sequence through SCCM 1902. After I upgraded to SCCM 1906, the Windows 7 task sequence failed at the “Setup Windows and Configuration Manager” step while downloading the client binaries.
The SCCM client would not install even when I tried it manually; Windows 10 builds were not affected.
When I checked the client log (ccmsetup.log), I found the following errors:
Couldn't verify 'C:\WINDOWS\ccmsetup\ccmsetup.cab' authenticode signature. Return code 0x80096005 ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC)
Sending state '316'… ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC)
Updating MDM_ConfigSetting.ClientDeploymentErrorCode with value 2147500037 ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC)
OS is not Win10RS3+, ENDOK. ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC)
Failed to get client version for sending state messages. Error 0x8004100e ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC)
Params to send '5.0.8853.1000 Deployment Error 0x80004005. Pre-req file name: C:\WINDOWS\ccmsetup\ccmsetup.cab' ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC)
A Fallback Status Point has not been specified and no client was installed. Message with STATEID='316' will not be sent. ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC)
Failed to send status 316. Error (87D00215) ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC)
Failed to extract manifest cab file with error 0x80004005. Try next location. ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC)
Enumerated all 1 DP locations but none of them is good. Fallback to MP. ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC)
This issue is caused by a requirement change in SCCM version 1906, which requires clients with SHA-2 code signing support, as documented under “What’s new in version 1906”:
Version 1906 client requires SHA-2 code signing support
Because of weaknesses in the SHA-1 algorithm and to align to industry standards, Microsoft now only signs Configuration Manager binaries using the more secure SHA-2 algorithm. The following Windows OS versions require an update for SHA-2 code signing support:
- Windows 7 SP1
- Windows Server 2008 R2 SP1
- Windows Server 2008 SP2
To provide that support, Microsoft released the standalone security updates KB4474419 and KB4490628 on March 12, 2019, which introduce SHA-2 code signing support on these operating systems.
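The following PowerShell script is an added example (not part of the original post) that turns the diagnosis above into a check you can run on a Windows 7 client before retrying ccmsetup: it confirms that both SHA-2 updates named in the post are installed, scans ccmsetup.log text for the signature-verification failure (return code 0x80096005) shown above, and reports the Authenticode status of a downloaded client binary. The function names are this example's own; the two log lines at the bottom are constructed from the post's log excerpt, and the paths are assumptions.

```powershell
# Added example: SHA-2 readiness check for the SCCM 1906 client on Windows 7.
# Uses only built-in cmdlets (Get-HotFix, Get-AuthenticodeSignature); written
# to run on Windows PowerShell 2.0 as shipped with Windows 7 SP1.

function Test-Sha2Prerequisites {
    # Returns $true only when both SHA-2 code-signing updates from the post
    # are present in the installed-hotfix list.
    param(
        [string[]]$RequiredKBs = @('KB4474419', 'KB4490628')
    )
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing = $RequiredKBs | Where-Object { $installed -notcontains $_ }
    if ($missing) {
        Write-Warning ("Missing SHA-2 code-signing updates: {0}" -f ($missing -join ', '))
        return $false
    }
    return $true
}

function Find-AuthenticodeFailure {
    # Scans ccmsetup.log lines for the signature-verification failure quoted
    # in the post (return code 0x80096005) and returns the matching lines.
    param(
        [Parameter(Mandatory=$true)] [string[]]$LogLines
    )
    $LogLines | Where-Object {
        ($_ -match "Couldn't verify '.*' authenticode signature") -and ($_ -match '0x80096005')
    }
}

function Test-ClientBinarySignature {
    # Reports the Authenticode status of a client binary (e.g. ccmsetup.exe).
    # On a Windows 7 host without KB4474419, a SHA-2-only signature does not
    # verify as Valid, which is what the ccmsetup.log error reflects.
    param(
        [Parameter(Mandatory=$true)] [string]$Path
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
        IsValid = ($sig.Status -eq 'Valid')
    }
}

# Constructed sample input, taken from the log excerpt in the post.
$sampleLog = @(
    "Couldn't verify 'C:\WINDOWS\ccmsetup\ccmsetup.cab' authenticode signature. Return code 0x80096005 ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC)",
    "Sending state '316'... ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC)"
)

Find-AuthenticodeFailure -LogLines $sampleLog |
    ForEach-Object { Write-Output "ccmsetup.log shows a SHA-2 signature failure: $_" }

if (-not (Test-Sha2Prerequisites)) {
    Write-Output 'Install KB4474419 and KB4490628 (then reboot) before retrying ccmsetup.'
}

# Assumed location of a previously downloaded client binary; adjust as needed.
$clientExe = 'C:\Windows\ccmsetup\ccmsetup.exe'
if (Test-Path -LiteralPath $clientExe) {
    Test-ClientBinarySignature -Path $clientExe | Format-List Path, Status, Signer, IsValid
}
```

To check a live log instead of the constructed sample, pass `(Get-Content 'C:\Windows\ccmsetup\Logs\ccmsetup.log')` to `Find-AuthenticodeFailure`. The same check is useful on Windows Server 2008 R2 SP1 and 2008 SP2, which the Microsoft note above lists alongside Windows 7 SP1.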
There are multiple ways to implement the solution:
- Offline servicing of the Windows 7 image by injecting KB4474419 into the image. However, this modifies the large WIM file, which then has to be redistributed to the DPs. I don’t prefer this method.
- Downloading the KB4474419 patch from catalog.update.microsoft.com in MSU format, creating an SCCM package for it, and adding it to the task sequence so that it is applied right after the image.
Steps to add KB4474419 to the Task Sequence
1. Download the KB4474419 patch and create an SCCM package with it as the source. Screenshot for your reference:
2. Edit the Task Sequence and add a “Run Command Line” step right after the “Apply Operating System” step, with the following command line:
dism.exe /image:%OSDTargetSystemDrive%\ /ScratchDir:%OSDTargetSystemDrive%\Windows\Temp /Add-Package /PackagePath:.\AMD64-all-windows6.1-kb4474419-v3-x64.msu /quiet
Make sure the KB4474419 package is selected in the step's package option, so that the command line runs from the package's source directory.
3. Because this step runs before the “Setup Windows and Configuration Manager” step, the MSU is injected into the applied image before the client setup runs.
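As an added example (not part of the original post), here is a PowerShell wrapper for the same “Run Command Line” step that checks its inputs and the DISM exit code instead of calling dism.exe blind, so a missing MSU or a failed injection stops the task sequence at this step rather than surfacing later as the 0x80096005 error in ccmsetup.log. It assumes the step is configured as `powershell.exe -ExecutionPolicy Bypass -File Add-Sha2Update.ps1` with the KB4474419 package selected (so the script and the MSU sit in the same directory), and that the boot image includes the Windows PowerShell component so the task-sequence COM object is available; the script and function names are this example's own.

```powershell
# Added example: Add-Sha2Update.ps1, a checked wrapper around the dism.exe
# command line used in the post. Run from the KB4474419 package directory
# inside the task sequence (Windows PowerShell 3.0 or later in WinPE).

param(
    # File name from the post; change it if you package a different revision.
    [string]$PackageName = 'AMD64-all-windows6.1-kb4474419-v3-x64.msu'
)

function Get-TargetDrive {
    # Reads OSDTargetSystemDrive (e.g. "C:") from the task-sequence environment.
    # Falls back to C: so the script can be dry-run outside a task sequence.
    try {
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
        return $tsenv.Value('OSDTargetSystemDrive')
    } catch {
        Write-Warning 'Not running inside a task sequence; assuming target drive C:'
        return 'C:'
    }
}

function Add-OfflinePackage {
    # Injects one MSU into the offline image with the same switches as the
    # post's command line, plus /LogPath so the DISM log lands on the target
    # drive. Exit code 0 is success; 3010 is success with a reboot pending,
    # which is acceptable for an image that has not booted yet.
    param(
        [Parameter(Mandatory=$true)] [string]$TargetDrive,
        [Parameter(Mandatory=$true)] [string]$PackagePath
    )
    if (-not (Test-Path -LiteralPath $PackagePath)) {
        throw "Update package not found: $PackagePath"
    }
    $scratch = Join-Path $TargetDrive 'Windows\Temp'
    $dismLog = Join-Path $scratch 'dism-kb4474419.log'
    $dismArgs = @(
        "/Image:$TargetDrive\",
        "/ScratchDir:`"$scratch`"",
        '/Add-Package',
        "/PackagePath:`"$PackagePath`"",
        "/LogPath:`"$dismLog`"",
        '/Quiet'
    )
    $proc = Start-Process -FilePath 'dism.exe' -ArgumentList $dismArgs -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -notin 0, 3010) {
        throw "dism.exe failed with exit code $($proc.ExitCode); see $dismLog"
    }
    return $proc.ExitCode
}

$drive = Get-TargetDrive
$msu   = Join-Path $PSScriptRoot $PackageName
$code  = Add-OfflinePackage -TargetDrive $drive -PackagePath $msu
Write-Output "KB4474419 injected into the offline image on $drive (dism exit code $code)"
```

A thrown error makes powershell.exe return a non-zero exit code, which the “Run Command Line” step reports as a failure unless “Continue on error” is set, so the build stops here with the reason in the SMSTS log and in the DISM log written to the target drive.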
After making these changes, the task sequence no longer failed: the Windows 7 client met the SHA-2 requirement, and the build completed with the SCCM client installation and the other application installations.