SCEP updates fail on Windows 7 and 2008R2 clients where they are not patched

Ok, so, before the flood of hate comes my way:

  1. Yes, it's 2020, you should not be running Server 2008 R2 or Windows 7... but the (unfortunate) reality is that many places still are.
  2. Even if you are running them, they should be fully patched! "Patches break applications"... mostly bullshit. It does happen, but it happens much, much less often than some admins claim.

Anyway, for those of you out there who have Windows 7 or 2008 R2 SCCM clients that are, for whatever reason, unpatched, you may also have noticed that SCEP (System Center Endpoint Protection) definition updates stopped working on them around October 21st, 2019.

That's because of this: https://www.microsoft.com/en-us/wdsi/defenderupdates

Specifically, these lines:

Note: Starting on Monday October 21, 2019, the Security intelligence update packages will be SHA2 signed.
Please make sure you have the necessary update installed to support SHA2 signing, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

If you try to install SCEP definition updates on such a client, you will get an entry in the System event log similar to this (the relevant part is the error code, 0x800b0109, which means the signing certificate chain ends in a root the client does not trust):

Microsoft Antimalware has encountered an error trying to update signatures.
New Signature Version: 1.307.1945.0
Previous Signature Version:
Update Source: User
Update Stage: Install
Source Path:
Signature Type: AntiSpyware
Update Type: Full
User: Domain\User
Current Engine Version: 1.1.16600.7
Previous Engine Version:
Error code: 0x800b0109
Error description: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.


As this article (https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus) specifies, you must install:

  1. KB4474419
  2. KB4490628

Once these updates are installed (and the machine rebooted, of course), SCEP definition updates will install again.
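If you want to find which clients are still in this state before pushing the updates, the following PowerShell is an added example (it is not part of the original post and not Microsoft's or SCCM's own tooling). It checks whether the two KBs the article names are present, and searches the System log for the signature-update failure shown above by its error code. It assumes Get-HotFix reports the updates by their "KB…" HotFixID and that SCEP writes these events under the provider name "Microsoft Antimalware"; run it in an elevated prompt on the client (or via Invoke-Command against a list of hosts).

```powershell
# Added example, not from the original post: report SHA-2 prerequisites and
# recent SCEP signature-update failures (0x800b0109) on a Windows 7 / 2008 R2 host.
# Assumptions: KB IDs are visible through Get-HotFix; the SCEP events are logged
# in the System log by the provider "Microsoft Antimalware".

# Servicing stack update first, then SHA-2 code signing support (order matters when installing).
$RequiredKBs = @('KB4490628', 'KB4474419')

function Test-Sha2Prereqs {
    param([string[]]$Kbs = $RequiredKBs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Kbs) {
        [pscustomobject]@{
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

function Get-ScepSignatureFailures {
    param([int]$Days = 30)
    # Assumption: provider name as it appears in the System log for the SCEP engine.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft Antimalware'
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Error code:\s*0x800b0109' } |
        Select-Object TimeCreated, Id,
            @{ n = 'NewSignatureVersion'
               e = { if ($_.Message -match 'New Signature Version:\s*(\S+)') { $Matches[1] } } }
}

$missing  = Test-Sha2Prereqs | Where-Object { -not $_.Installed }
$failures = @(Get-ScepSignatureFailures)

if ($missing) {
    Write-Warning ("Missing SHA-2 prerequisites: " + ($missing.KB -join ', '))
}
if ($failures.Count -gt 0) {
    Write-Warning ("{0} SCEP signature update failure(s) with 0x800b0109 in the last 30 days" -f $failures.Count)
    $failures | Format-Table -AutoSize
}
if (-not $missing -and $failures.Count -eq 0) {
    "SHA-2 prerequisites present; no 0x800b0109 signature update failures found."
}
```

A host that reports both KBs missing and recent 0x800b0109 failures is exactly the case described in the post; once both updates are installed and the machine rebooted, the failures should stop appearing and the next definition update should install normally.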