[Today's post is provided by Chaohao Xu.]
If Windows hotfix KB974571 is installed on a Windows 7 reference image, you will very likely see the following log entries in smsts.log when deploying that image to an existing client. Notice that because the client certificates were not found, the client registers itself with a newly generated certificate and loses its existing identity in the process.
    Installing SMS client
    Clearing existing client configuration.
    Cleaning existing client certificates from SMS certificate store
    Restoring SMS client identity.
    The client certificates were not found. New certificates will be generated.
    Successfully restored the client identity.
This behavior is not desired when you refresh Windows using an operating system deployment task sequence. When an OSD Task Sequence is used to refresh a PC, the ConfigMgr 2007 client certificate should be migrated from the old Windows OS to the new Windows OS.
The problem is caused by the self-signed certificates automatically generated by the ConfigMgr 2007 client in mixed mode. If the KB977203 ConfigMgr 2007 client patch was not installed on the existing client when the certificates were generated, then the certificates will have an embedded NULL character in the friendly name as described in KB974571.
If the ConfigMgr 2007 client certificate on the original Windows OS has an embedded NULL character in its friendly name as described in KB974571, and KB974571 is installed as part of the reference image being deployed by the Task Sequence, then when the new Windows OS is installed KB974571 blocks that certificate from being migrated. This causes the issue above.
This can be fixed by installing ConfigMgr hotfix KB977203 to repair the client certificate prior to deploying Windows 7, or simply by running the ccmcertfix utility on the client prior to the Windows 7 deployment.
The instruction to fix the client certificate for any existing client is as follows:
The correct way to guarantee any new client has a fixed certificate is to make sure the client patch is installed before the newly installed client registers itself. The instruction detail is as follows:
After the certificate issue on the existing client has been fixed by hotfix KB977203, the Windows 7 deployment will successfully restore the client identity, as shown by the following log entries in smsts.log.
    Installing SMS client
    Clearing existing client configuration
    Cleaning existing client certificates from SMS certificate store
    Restoring SMS client identity
    Successfully restored SMS certificate store
    Successfully restored the client identity
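As an added illustration (not from the original post), the following Python script triages smsts.log text for the two sequences shown above and reports whether the client identity was lost or restored. Note that "Successfully restored the client identity" appears in both cases, so the distinguishing line is the one before it. The sample log lines are constructed, with made-up timestamps and component metadata.

```python
import re
from typing import Dict, List, Optional

# ConfigMgr-style log line: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
LOG_LINE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)"',
    re.DOTALL,
)

# Signature strings taken from the smsts.log excerpts in the post.
RESTORE_STARTED = "Restoring SMS client identity"
IDENTITY_LOST = "The client certificates were not found. New certificates will be generated."
STORE_RESTORED = "Successfully restored SMS certificate store"


def parse_log(text: str) -> List[Dict[str, str]]:
    """Return one dict (msg, time, date) per log entry found in the text."""
    return [m.groupdict() for m in LOG_LINE.finditer(text)]


def classify_identity_restore(text: str) -> Optional[Dict[str, str]]:
    """Report 'lost' or 'restored' for the identity-restore phase; None if that phase is absent."""
    entries = parse_log(text)
    if not any(e["msg"].startswith(RESTORE_STARTED) for e in entries):
        return None
    for e in entries:
        if e["msg"] == IDENTITY_LOST:
            return {"status": "lost", "evidence": e["msg"], "when": f'{e["date"]} {e["time"]}'}
        if e["msg"] == STORE_RESTORED:
            return {"status": "restored", "evidence": e["msg"], "when": f'{e["date"]} {e["time"]}'}
    return {"status": "unknown", "evidence": "", "when": ""}


def _entry(msg: str, t: str) -> str:
    # Constructed smsts.log line; timestamp, date, component and thread values are made up.
    return (f'<![LOG[{msg}]LOG]!><time="{t}+000" date="03-01-2010" component="OSDSetupHook" '
            'context="" type="1" thread="1100" file="setuphook.cpp:100">')


# Constructed sample: the failing refresh (certificate with embedded NULL not migrated).
LOG_LOST = "\n".join([
    _entry("Installing SMS client", "10:00:01.000"),
    _entry("Clearing existing client configuration.", "10:00:02.000"),
    _entry("Cleaning existing client certificates from SMS certificate store", "10:00:03.000"),
    _entry("Restoring SMS client identity.", "10:00:04.000"),
    _entry(IDENTITY_LOST, "10:00:05.000"),
    _entry("Successfully restored the client identity.", "10:00:06.000"),
])
# Constructed sample: the healthy refresh after the certificate was fixed.
LOG_RESTORED = LOG_LOST.replace(IDENTITY_LOST, STORE_RESTORED)

if __name__ == "__main__":
    for name, log in (("LOG_LOST", LOG_LOST), ("LOG_RESTORED", LOG_RESTORED)):
        print(name, classify_identity_restore(log))
```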
This posting is provided "AS IS" with no warranties, and confers no rights.
This is great information, but with one issue. It is my understanding that the prerequisite patch for SCCM's R3 (which is KB977384) takes precedence over hotfix KB977203. So if R3 is installed on SCCM you cannot install the KB977203 hotfix on your SCCM server (it will throw an error that the update is not needed) and you will not have the ability to push this patch during Client Push Installations. Can you confirm or deny this?
I am also receiving the same error. So is KB977203 required if I have the R3 hotfix installed? Even with the R3 hotfix I am seeing, during our Windows 7 deployments, that the client loses the certificate and a new one is created, causing another entry in the SCCM database to be created for that client.
Since I can't install KB977203, can I just push the CCMCertFix.exe to my XP machines to fix this issue?
Also, should this be added to the SCCM client installation parameters in the task sequence during the migration?