Symptoms

Consider the following scenario:

  • You install the System Center Configuration Manager 2007 Service Pack 1 (SP1) client or the System Center Configuration Manager 2007 Service Pack 2 (SP2) client.

  • You install security update 974571 or Windows 7 Service Pack 1 (SP1) on the same computer.

  • A ConfigMgr task sequence runs on this client. This task sequence includes the Capture User State task sequence step and the Restore User State task sequence step.

In this scenario, user state migration fails. At the same time, the following error message is logged in the Ccmexec.log file:

Failed to import the client certificate store (0x80092024) OSDSMPClient

Cause

This error occurs because an embedded NULL character is in the Friendly name property of a certificate. Security update 974571 prevents the action that imports the certificate when its Friendly name property has an embedded NULL character. Therefore, the certificate cannot be imported.

Resolution

Important To resolve this issue, install this hotfix on all System Center Configuration Manager 2007 Service Pack 1 (SP1) site servers and on all System Center Configuration Manager 2007 Service Pack 2 (SP2) site servers. Then, deploy this hotfix to all clients.This hotfix resolves this issue for any new client certificates that are generated. To correct the current certificates, run the CCMCertFix utility that is in this package on all the Configuration Manager SP1 clients and on all the Configuration Manager SP2 clients. Note To extract CCMCertFix utility, follow these steps:

  1. Install this hotfix on the site server.

  2. Locate the CCMCertFix.exe file. By default, this file is located in the following folder:

    ConfigMgr_2007_Installation_Directory\Logs\KB977203

  3. Copy and then run the CCMCertFix.exe file on any existing client.

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix. Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=supportNote The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, System Center Configuration Manager 2007 Service Pack 1 (SP1) or System Center Configuration Manager 2007 Service Pack 2 (SP2) must be installed.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

File information

The English (United States) version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.

System Center Configuration Manager 2007 SP1 file information

File name

File version

File size

Date

Time

Platform

Ccmcertfix.exe

4.0.6221.1193

17,768

01-Dec-2008

01:40

x86

Ccmgencert.dll

4.0.6221.1193

130,408

01-Dec-2008

01:40

x86

Ccmsetup-sup.cab

Not applicable

257,833

01-Dec-2008

01:40

Not applicable

Ccmsetup.exe

4.0.6221.1193

609,128

01-Dec-2008

01:40

x86

Ccmsetup.msi

Not applicable

1,662,464

01-Dec-2008

01:40

Not applicable

Mcs.msi

Not applicable

7,312,896

01-Dec-2008

01:40

Not applicable

Mcsisapip.dll

4.0.6221.1193

205,672

01-Dec-2008

01:40

x86

Mp.msi

Not applicable

9,515,520

01-Dec-2008

01:40

Not applicable

Sccm2007ac-sp1-kb977203-x86.msp

Not applicable

3,076,096

01-Dec-2008

01:40

Not applicable

Smpmgr.dll

4.0.6221.1193

85,864

01-Dec-2008

01:40

x86

Ccmgencert.dll

4.0.6221.1193

649,576

01-Dec-2008

01:40

IA-64

Ccmgencert.dll

4.0.6221.1193

285,032

01-Dec-2008

01:40

x64

Mcsisapip.dll

4.0.6221.1193

480,616

01-Dec-2008

01:40

x64

System Center Configuration Manager 2007 SP2 file information

File name

File version

File size

Date

Time

Platform

Ccmcertfix.exe

4.0.6487.2111

17,768

25-Jan-2010

06:27

x86

Ccmgencert.dll

4.0.6487.2111

130,408

25-Jan-2010

06:27

x86

Ccmsetup-sup.cab

Not applicable

253,016

10-Dec-2009

03:40

Not applicable

Ccmsetup.exe

4.0.6487.2111

611,688

25-Jan-2010

06:27

x86

Ccmsetup.msi

Not applicable

1,662,976

25-Jan-2010

06:27

Not applicable

Mcs.msi

Not applicable

7,204,864

25-Jan-2010

06:28

Not applicable

Mcsisapip.dll

4.0.6487.2111

206,696

25-Jan-2010

06:28

x86

Mp.msi

Not applicable

9,180,672

25-Jan-2010

06:28

Not applicable

Sccm2007ac-sp2-kb977203-x86.msp

Not applicable

444,928

25-Jan-2010

06:28

Not applicable

Smpmgr.dll

4.0.6487.2111

86,376

25-Jan-2010

06:28

x86

Ccmgencert.dll

4.0.6487.2111

649,576

25-Jan-2010

06:28

IA-64

Ccmgencert.dll

4.0.6487.2111

285,032

25-Jan-2010

06:29

x64

Mcsisapip.dll

4.0.6487.2111

481,640

25-Jan-2010

06:29

x64

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

Client installation properties

If you specified a client push installation property when you installed the System Center Configuration Manager 2007 SP1 client or the System Center Configuration Manager 2007 SP2 client, you must specify the property again when you install the hotfix. If you do not specify the property again when you install the hotfix, the property is removed from the configuration. For example, if you modified the original installation by using the server locator point (SMSSLP) or the fallback status point (FSP) property, you must specify that property again when you install the hotfix.

How to use the CCMCertFix.exe utility

The CCMCertFix utility is a command prompt utility that runs without options (switches). However, you must run it by using administrative rights. The CCMCertFix.exe file is installed at the following location:

sms root\logs\KB977203Note You can redirect errors to a specific log file. For example, assume the file name of the log file is CCMCertFix.log. In this scenario, you can run the following command:

CCMCertFix.exe CCMCertFix.log

Deployment information about CCMCertFix.exe utility

The CCMCertFix utility can be distributed as a Configuration Manager program. For example, assume that you use the following settings to distribute the utility as a Configuration Manager program:

  • Run: Hidden

  • Run whether or not a user is logged on

  • Run with administrative rights

These program settings can be changed to suit the environment and your business needs.Note You must run the CCMCertFix utility by using administrative rights.For more information about Security Update 974571, click the following article number to view the article in the Microsoft Knowledge Base:

974571 MS09-056: Vulnerabilities in CryptoAPI could allow spoofingFor more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updatesThe hotfix that is described in Microsoft Knowledge Base article 997384 supersedes and includes this hotfix. Therefore, this hotfix cannot be installed after that hotfix is installed. However, the CCMCertFix.exe utility is not included as part of that hotfix. To obtain the CCMCertFix.exe utility after you have installed that hotfix, download the hotfix that is described in this hotfix, and then run the following command to extract the contents of the hotfix:

msiexec.exe /a SCCM2007-SP2-KB977203-ENU.msi /qb targetdir=Path_To_Extract_ToNotes

  • In this command, the placeholder Path_To_Extract_To represents the location where the contents of the hotfix should be extracted. After the CCMCertFix.exe utility is extracted, you can find the utility in this location.

  • The name of the .msi file in this command may be different depending on the localized version that is downloaded. Check the name of the .msi file that is downloaded, and change the command line appropriately if this is necessary.

Install KB977203 during a task sequence

For operating system deployments, the KB977203 hotfix must be installed during a ConfigMgr 2007 OSD task sequence in the Setup Windows and ConfigMgr task. Otherwise, the problem will continue to occur while the task sequence is executed. The hotfix cannot be installed by using an "install software" task. Doing that would cause the ConfigMgr 2007 client service to stop, which will cause the task sequence to fail. Note If the client update that is described in Knolwedge Base article 977384 is being installed during the task sequence, it is not necessary to also install this client update, because this update is included as part of that update.To install the KB977203 hotfix during a ConfigMgr 2007 OSD task sequence, use the PATCH= option that is described in the following Microsoft Knowledge Base article:

907423 How to include an update in the initial installation of Systems Management Server 2003 Advanced ClientTo install the KB977203 hotfix during a ConfigMgr 2007 OSD task sequence, follow these steps:

  1. Apply the hotfix on the site server.

  2. After the hotfix has been applied on the site server, the ConfigMgr 2007 client installation files will be updated to include the KB977203 hotfix in the directory \i386\hotfix\KB977203\ of the ConfigMgr 2007 client installation files. Because the ConfigMgr 2007 client installation files have been updated, make sure that you update the distribution points where the ConfigMgr 2007 client installation package resides.

  3. Right-click the task sequence that you need to change, and then click Edit.

  4. Click Setup windows and ConfigMgr.

  5. In the Installation properties box, type the following:For ConfigMgr 2007 SP1:

    PATCH="C:\_SMSTaskSequence\OSD\<Package_ID>\i386\hotfix\KB977203\SCCM2007AC-SP1-KB977203-x86.msp"For ConfigMgr 2007 SP2:

    PATCH="C:\_SMSTaskSequence\OSD\<Package_ID>\i386\hotfix\KB977203\SCCM2007AC-SP2-KB977203-x86.msp"Notes

    • The <Package_ID> placeholder is the package ID of the ConfigMgr 2007 client installation package in ConfigMgr 2007.

    • Make sure that you include the quotation marks as part of the path. However, do not include the brackets that are around the placeholder.

    • Make sure that the package ID of the ConfigMgr 2007 client installation package is used and not the package ID of the KB977203 hotfix package.

    • The _SMSTaskSequence cache folder will reside on the drive that has the most disk space. If the computer has multiple drives or partitions, the _SMSTaskSequence folder may end up on a drive other than drive C. In this scenario, change the path to point to the drive that contains the _SMSTaskSequence folder. We do not recommend that you use the variable _SMSTSMDataPath in the path because the drive letter in this path can enumerate differently in Windows PE than in the full Windows operating system.

    • As an alternative to using the local path that points to the ConfigMgr 2007 client installation files that are located in the local Task Sequence cache, you can specify a UNC path that points to the ConfigMgr 2007 client installation files on the original package source or on a distribution point.

    • Verify the name of the .msp file that is located in the \i386\hotfix\KB977203\ directory of the ConfigMgr 2007 client installation files. The name may differ depending on the locale. If the name differs from the name of the .msp file name that is used in the PATCH= command line in this step, adjust the name accordingly.

  6. Click Apply or OK to save the task sequence.

In addition to installing the KB977203 hotfix during the Task Sequence, CCMCertFix.exe also has to be run. When CCMCertFix.exe runs depends on the deployment scenario that is occurring (replace or refresh or new computer). The following steps show how to run CCMCerFix.exe for all deployment scenarios.

  1. Use normal software distribution to create a package and program by using the CCMCertFix.exe utility from KB977203. The program does not have to have any switches and can just run CCMCertFix.exe directly. After you create the package and program, make sure that you put the package on distribution points.

  2. Right-click the affected task sequence, and then select Properties.

  3. Click the Advanced tab.

  4. Click the option to Run another program first, and then select the package and program from step 1.

  5. Click OK.

  6. Right-click the affected task sequence, and then select Edit.

  7. Click the Setup Windows and ConfigMgr task.

  8. With the Setup Windows and ConfigMgr task selected, click the Add menu, and then select General --> Install Software.

  9. Click the newly created install software task, and then select the package and program from step 1.

  10. With the newly created install software task still selected, click the Add menu, and then select General --> Restart Computer.

  11. Click the newly created restart computer task, and then select the option The currently installed default operating system. In addition, clear the option Notify the user before restarting.

  12. Click OK or Apply to save the task sequence.

Note For replace scenarios, you only have to follow steps 1 through 5 for the task sequence that captures the data on the original computer. For the task sequence that restores the data on the new computer, follow all the steps.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.