Consider the following scenario:
- You install the System Center Configuration Manager 2007 Service Pack 1 (SP1) client or the System Center Configuration Manager 2007 Service Pack 2 (SP2) client.
- You install security update 974571 or Windows 7 Service Pack 1 (SP1) on the same computer.
- A ConfigMgr task sequence runs on this client. This task sequence includes the Capture User State task sequence step and the Restore User State task sequence step.
In this scenario, user state migration fails. At the same time, the following error message is logged in the Ccmexec.log file:
Failed to import the client certificate store (0x80092024) OSDSMPClient
This error occurs because an embedded NULL character is in the Friendly name property of a certificate. Security update 974571 prevents the action that imports the certificate when its Friendly name property has an embedded NULL character. Therefore, the certificate cannot be imported.
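The following check is an added example, not part of the original article and not the CCMCertFix utility: it reads the raw friendly-name property of each certificate in a store and reports those that contain a NULL character before the final terminator. The store path `Cert:\LocalMachine\SMS`, the function names, and the premise that the embedded NULL is visible in the raw property bytes are assumptions.

```powershell
# Added example (not from the article or from CCMCertFix.exe).
Add-Type -Namespace CertCheck -Name Native -MemberDefinition @'
[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CertGetCertificateContextProperty(
    IntPtr pCertContext, uint dwPropId, byte[] pvData, ref uint pcbData);
'@

function Get-RawFriendlyName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $h = $Certificate.Handle
    $id = 11                      # CERT_FRIENDLY_NAME_PROP_ID from wincrypt.h
    [uint32]$size = 0
    # A first call with a null buffer returns the property size in bytes;
    # it fails when the certificate has no friendly-name property.
    if (-not [CertCheck.Native]::CertGetCertificateContextProperty($h, $id, $null, [ref]$size)) { return $null }
    $buffer = New-Object byte[] $size
    if (-not [CertCheck.Native]::CertGetCertificateContextProperty($h, $id, $buffer, [ref]$size)) { return $null }
    return ,$buffer               # comma keeps the byte[] from being unrolled
}

function Test-EmbeddedNul {
    param([byte[]]$Raw)
    # The property is a NUL-terminated UTF-16LE string: drop one trailing
    # terminator, then any NUL still present is embedded in the name.
    $text = [System.Text.Encoding]::Unicode.GetString($Raw)
    if ($text.Length -gt 0 -and [int]$text[$text.Length - 1] -eq 0) {
        $text = $text.Substring(0, $text.Length - 1)
    }
    return ($text.IndexOf([char]0) -ge 0)
}

function Find-NulFriendlyName {
    param([string]$StorePath = 'Cert:\LocalMachine\SMS')   # assumed store path
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $raw = Get-RawFriendlyName -Certificate $_
        if ($null -ne $raw -and (Test-EmbeddedNul -Raw $raw)) {
            New-Object PSObject -Property @{ Thumbprint = $_.Thumbprint; Subject = $_.Subject }
        }
    }
}

# Constructed sample bytes: a clean name, then one with a NUL inside it.
Test-EmbeddedNul ([System.Text.Encoding]::Unicode.GetBytes("SMS`0"))
Test-EmbeddedNul ([System.Text.Encoding]::Unicode.GetBytes("SMS`0Cert`0"))
Find-NulFriendlyName              # run elevated on a client
```

The .NET `FriendlyName` property cannot be used for this check because it stops reading at the first NULL character, which is why the raw property is read through crypt32.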
To resolve this issue, install this hotfix on all System Center Configuration Manager 2007 Service Pack 1 (SP1) site servers and on all System Center Configuration Manager 2007 Service Pack 2 (SP2) site servers. Then, deploy this hotfix to all clients.
This hotfix resolves this issue for any new client certificates that are generated. To correct the current certificates, run the CCMCertFix utility that is in this package on all the Configuration Manager SP1 clients and on all the Configuration Manager SP2 clients.
Note: To extract the CCMCertFix utility, follow these steps:
- Install this hotfix on the site server.
- Locate the CCMCertFix.exe file. By default, this file is located in the following folder:
- Copy and then run the CCMCertFix.exe file on any existing client.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note: If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note: The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
To apply this hotfix, System Center Configuration Manager 2007 Service Pack 1 (SP1) or System Center Configuration Manager 2007 Service Pack 2 (SP2) must be installed.
You do not have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace a previously released hotfix.
The English (United States) version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
System Center Configuration Manager 2007 SP1 file information
| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Ccmsetup-sup.cab | Not applicable | 257,833 | 01-Dec-2008 | 01:40 | Not applicable |
| Ccmsetup.msi | Not applicable | 1,662,464 | 01-Dec-2008 | 01:40 | Not applicable |
| Mcs.msi | Not applicable | 7,312,896 | 01-Dec-2008 | 01:40 | Not applicable |
| Mp.msi | Not applicable | 9,515,520 | 01-Dec-2008 | 01:40 | Not applicable |
| Sccm2007ac-sp1-kb977203-x86.msp | Not applicable | 3,076,096 | 01-Dec-2008 | 01:40 | Not applicable |
System Center Configuration Manager 2007 SP2 file information
| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Ccmsetup-sup.cab | Not applicable | 253,016 | 10-Dec-2009 | 03:40 | Not applicable |
| Ccmsetup.msi | Not applicable | 1,662,976 | 25-Jan-2010 | 06:27 | Not applicable |
| Mcs.msi | Not applicable | 7,204,864 | 25-Jan-2010 | 06:28 | Not applicable |
| Mp.msi | Not applicable | 9,180,672 | 25-Jan-2010 | 06:28 | Not applicable |
| Sccm2007ac-sp2-kb977203-x86.msp | Not applicable | 444,928 | 25-Jan-2010 | 06:28 | Not applicable |
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Client installation properties
If you specified a client push installation property when you installed the System Center Configuration Manager 2007 SP1 client or the System Center Configuration Manager 2007 SP2 client, you must specify the property again when you install the hotfix. If you do not specify the property again when you install the hotfix, the property is removed from the configuration. For example, if you modified the original installation by using the server locator point (SMSSLP) or the fallback status point (FSP) property, you must specify that property again when you install the hotfix.
How to use the CCMCertFix.exe utility
The CCMCertFix utility is a command prompt utility that runs without options (switches). However, you must run it by using administrative rights.
The CCMCertFix.exe file is installed at the following location:
You can redirect errors to a specific log file. For example, assume the file name of the log file is CCMCertFix.log. In this scenario, you can run the following command:
Deployment information about CCMCertFix.exe utility
The CCMCertFix utility can be distributed as a Configuration Manager program. For example, assume that you use the following settings to distribute the utility as a Configuration Manager program:
- Run: Hidden
- Run whether or not a user is logged on
- Run with administrative rights
These program settings can be changed to suit the environment and your business needs.
Note: You must run the CCMCertFix utility by using administrative rights.
For more information about Security Update 974571, click the following article number to view the article in the Microsoft Knowledge Base:
MS09-056: Vulnerabilities in CryptoAPI could allow spoofing
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
Description of the standard terminology that is used to describe Microsoft software updates
The hotfix that is described in Microsoft Knowledge Base article 997384 supersedes and includes this hotfix. Therefore, this hotfix cannot be installed after that hotfix is installed. However, the CCMCertFix.exe utility is not included as part of that hotfix. To obtain the CCMCertFix.exe utility after you have installed that hotfix, download the hotfix that is described in this article, and then run the following command to extract the contents of the hotfix:
msiexec.exe /a SCCM2007-SP2-KB977203-ENU.msi /qb targetdir=Path_To_Extract_To
Notes
- In this command, the placeholder Path_To_Extract_To represents the location where the contents of the hotfix should be extracted. After the CCMCertFix.exe utility is extracted, you can find the utility in this location.
- The name of the .msi file in this command may be different depending on the localized version that is downloaded. Check the name of the .msi file that is downloaded, and change the command line appropriately if this is necessary.
Install KB977203 during a task sequence
For operating system deployments, the KB977203 hotfix must be installed during a ConfigMgr 2007 OSD task sequence in the Setup Windows and ConfigMgr task. Otherwise, the problem will continue to occur while the task sequence is executed. The hotfix cannot be installed by using an "install software" task. Doing that would cause the ConfigMgr 2007 client service to stop, which will cause the task sequence to fail.
Note: If the client update that is described in Knowledge Base article 977384 is being installed during the task sequence, it is not necessary to also install this client update, because this update is included as part of that update.
To install the KB977203 hotfix during a ConfigMgr 2007 OSD task sequence, use the PATCH= option that is described in the following Microsoft Knowledge Base article:
How to include an update in the initial installation of Systems Management Server 2003 Advanced Client
To install the KB977203 hotfix during a ConfigMgr 2007 OSD task sequence, follow these steps:
- Apply the hotfix on the site server.
- After the hotfix has been applied on the site server, the ConfigMgr 2007 client installation files will be updated to include the KB977203 hotfix in the directory \i386\hotfix\KB977203\ of the ConfigMgr 2007 client installation files. Because the ConfigMgr 2007 client installation files have been updated, make sure that you update the distribution points where the ConfigMgr 2007 client installation package resides.
- Right-click the task sequence that you need to change, and then click Edit.
- Click Setup Windows and ConfigMgr.
- In the Installation properties box, type the following:
For ConfigMgr 2007 SP1:
PATCH="C:\_SMSTaskSequence\OSD\<Package_ID>\i386\hotfix\KB977203\SCCM2007AC-SP1-KB977203-x86.msp"
For ConfigMgr 2007 SP2:
- The <Package_ID> placeholder is the package ID of the ConfigMgr 2007 client installation package in ConfigMgr 2007.
- Make sure that you include the quotation marks as part of the path. However, do not include the brackets that are around the placeholder.
- Make sure that the package ID of the ConfigMgr 2007 client installation package is used and not the package ID of the KB977203 hotfix package.
- The _SMSTaskSequence cache folder will reside on the drive that has the most disk space. If the computer has multiple drives or partitions, the _SMSTaskSequence folder may end up on a drive other than drive C. In this scenario, change the path to point to the drive that contains the _SMSTaskSequence folder. We do not recommend that you use the variable _SMSTSMDataPath in the path because the drive letter in this path can enumerate differently in Windows PE than in the full Windows operating system.
- As an alternative to using the local path that points to the ConfigMgr 2007 client installation files that are located in the local Task Sequence cache, you can specify a UNC path that points to the ConfigMgr 2007 client installation files on the original package source or on a distribution point.
- Verify the name of the .msp file that is located in the \i386\hotfix\KB977203\ directory of the ConfigMgr 2007 client installation files. The name may differ depending on the locale. If the name differs from the name of the .msp file name that is used in the PATCH= command line in this step, adjust the name accordingly.
- Click Apply or OK to save the task sequence.
In addition to installing the KB977203 hotfix during the Task Sequence, CCMCertFix.exe also has to be run. When CCMCertFix.exe runs depends on the deployment scenario that is occurring (replace or new computer). The following steps show how to run CCMCertFix.exe for all deployment scenarios.
- Use normal software distribution to create a package and program by using the CCMCertFix.exe utility from KB977203. The program does not have to have any switches and can just run CCMCertFix.exe directly. After you create the package and program, make sure that you put the package on distribution points.
- Right-click the affected task sequence, and then select Properties.
- Click the Advanced tab.
- Click the option to Run another program first, and then select the package and program from step 1.
- Click OK.
- Right-click the affected task sequence, and then select Edit.
- Click the Setup Windows and ConfigMgr task.
- With the Setup Windows and ConfigMgr task selected, click the Add menu, and then select General --> Install Software.
- Click the newly created install software task, and then select the package and program from step 1.
- With the newly created install software task still selected, click the Add menu, and then select General --> Restart Computer.
- Click the newly created restart computer task, and then select the option The currently installed default operating system. In addition, clear the option Notify the user before restarting.
- Click OK or Apply to save the task sequence.
scenarios, you only have to follow steps 1 through 5 for the task sequence that captures the data on the original computer. For the task sequence that restores the data on the new computer, follow all the steps.