In this post, I will be discussing the issue related to SCCM client installation on Windows 7 with SCCM 1906 in use. Everything was working fine with Windows 7 Task Sequence through SCCM 1902. Once I upgraded to SCCM 1906, Windows 7 task sequence was failing on setup “Setup Windows and Configuration Manager” while downloading the binaries.
SCCM client was not getting installed even if it tried manually, this wasn’t the issue with Windows 10 builds.
Once I verified the logs (ccmsetup.log), I found following error:
Couldn't verify 'C:\WINDOWS\ccmsetup\ccmsetup.cab' authenticode signature. Return code 0x80096005 ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC) Sending state '316'… ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC) Updating MDM_ConfigSetting.ClientDeploymentErrorCode with value 2147500037 ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC) OS is not Win10RS3+, ENDOK. ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC) Failed to get client version for sending state messages. Error 0x8004100e ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC)  Params to send '5.0.8853.1000 Deployment Error 0x80004005. Pre-req file name: C:\WINDOWS\ccmsetup\ccmsetup.cab' ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC) A Fallback Status Point has not been specified and no client was installed. Message with STATEID='316' will not be sent. ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC) Failed to send status 316. Error (87D00215) ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC) Failed to extract manifest cab file with error 0x80004005. Try next location. ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC) Enumerated all 1 DP locations but none of them is good. Fallback to MP. ccmsetup 11/29/2019 9:41:30 PM 1516 (0x05EC)
This issue is caused due to requirement changes for SCCM version 1906 which requires clients with SHA-2 code signing support as per the link What’s new in version 1906
Version 1906 client requires SHA-2 code signing support
Because of weaknesses in the SHA-1 algorithm and to align to industry
standards, Microsoft now only signs Configuration Manager binaries
using the more secure SHA-2 algorithm. The following Windows OS versions
require an update for SHA-2 code signing support:
There are multiple ways to implement the solution:
Through offline servicing of Windows 7 image by injecting KB4474419 in the image. However, this will update the massive wim on DP’s. I don’t prefer this method
Another way is to download the KB4474419 patch from catalog.update.microsoft.com in msu format and create SCCM package to include it in task sequence while applying image.
Steps to add KB4474419 in Task Sequence
Download KB4474419 patch and create SCCM package with source. Screenshot for your reference:
2. Edit the Task Sequence, and add the step “Run Command Line” right after “Apply Operating System” step. Provide following command line: dism.exe /image:%OSDTargetSystemDrive%\ /ScratchDir:%OSDTargetSystemDrive%\Windows\Temp /Add-Package /PackagePath:.\AMD64-all-windows6.1-kb4474419-v3-x64.msu /quiet Make sure KB4474419 package is selected.
3. As this step is applied before “Setup Windows and Configuration Manager” step, Image will be applied along with msu file.
Once made the changes, Task Sequence did not fail as Windows 7 client met the requirement for SHA-2 and completed the build with SCCM client installation and other application installation.