Computers upgraded to Windows 7 using OSD might generate a new SMS GUID

[Today's post is provided by Chaohao Xu.]

If Windows hotfix KB974571 is installed on a Windows 7 reference image, it is highly likely that you will see the following log entries in smsts.log when deploying that image to an existing client. Notice that because the client certificates were not found, the client ends up generating new certificates to register itself and loses its original identity (its SMS GUID) in the process.

Installing SMS client
Clearing existing client configuration.
Cleaning existing client certificates from SMS certificate store
Restoring SMS client identity.
The client certificates were not found. New certificates will be generated.
Successfully restored the client identity.

This behavior is not desirable when you refresh Windows using an operating system deployment task sequence. When an OSD task sequence is used to refresh a PC, the ConfigMgr 2007 client certificate should be migrated from the old Windows OS to the new one.

The problem is caused by the self-signed certificates that the ConfigMgr 2007 client generates automatically in mixed mode. If the KB977203 ConfigMgr 2007 client patch was not installed on the existing client when those certificates were generated, they contain an embedded NULL character in the friendly name, as described in KB974571.

If the ConfigMgr 2007 client certificate on the original Windows OS has an embedded NULL character in its friendly name as described in KB974571, and KB974571 is installed as part of the reference image being deployed by the task sequence, then KB974571 blocks that certificate from being migrated when the new Windows OS is installed. This causes the issue above.

This can be fixed by installing ConfigMgr hotfix KB977203 to repair the client certificate before deploying Windows 7, or simply by running the CCMCertFix utility on the client before the Windows 7 deployment.

The instruction to fix the client certificate for any existing client is as follows:

  1. Install hotfix KB977203 on site server
  2. A utility called CCMCertFix.exe is placed in the directory
    <ConfigMgr_2007_Install_Directory>\Logs\KB977203
  3. Run CCMCertFix.exe on any existing client to fix the certificate. Software distribution can be leveraged to run it on a large number of clients; another way is to add it as a step in the Windows 7 deployment task sequence.

The correct way to guarantee that any new client has a fixed certificate is to make sure the client patch is installed before the newly installed client registers itself. The detailed steps are as follows:

  1. Install hotfix KB977203 on site server
  2. A ConfigMgr 2007 client patch is placed in the directory
    <ConfigMgr_2007_Install_Directory>\Client\i386\hotfix\KB977203
  3. Go to Client Push Installation Properties and specify the PATCH parameter
    PATCH=\\<SMSSiteServer>\SMS_<SiteCode>\Client\i386\hotfix\KB977203\sccm2007ac-sp2-kb977203-x86.msp
  4. The above configuration makes sure that any new client installed using the client push method includes the client patch from KB977203 before the client registers itself.

After the certificate issue on the existing client has been fixed by hotfix KB977203, the Windows 7 deployment successfully restores the client identity, as shown by the following log entries in smsts.log.

Installing SMS client
Clearing existing client configuration
Cleaning existing client certificates from SMS certificate store
Restoring SMS client identity
Successfully restored SMS certificate store
Successfully restored the client identity
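
To audit a batch of refreshed clients for this failure, here is an added example (not code from the original post or from ConfigMgr) that classifies smsts.log excerpts by the two signatures quoted above: "The client certificates were not found. New certificates will be generated." means the client lost its identity and will show up with a new SMS GUID, while "Successfully restored SMS certificate store" means the identity survived. The example goes beyond the post in one respect: it also accepts lines in the CMTrace wrapper format that smsts.log uses on disk (<![LOG[message]LOG]!><time="..." date="..." ...>), which is an assumption of this example, not something the post describes. The client names, timestamps and component names in the sample data are constructed.

```python
"""Classify smsts.log excerpts to spot ConfigMgr 2007 clients that lost their
identity (new SMS GUID) during a Windows 7 OSD refresh.

Added example; not part of the original post or of ConfigMgr itself.
"""
import re

# Marker messages quoted in the post (trailing periods are stripped before comparing).
RESTORE_START = "Restoring SMS client identity"
IDENTITY_LOST = "The client certificates were not found. New certificates will be generated"
STORE_RESTORED = "Successfully restored SMS certificate store"

# Assumed CMTrace on-disk wrapper: <![LOG[message]LOG]!><time="..." date="..." ...>
_CMTRACE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"',
    re.S,
)


def message_of(line):
    """Return the bare message text from a plain or CMTrace-wrapped log line."""
    m = _CMTRACE.search(line)
    return (m.group("msg") if m else line).strip()


def classify(lines):
    """Return (verdict, evidence) for an iterable of smsts.log lines.

    verdict is one of:
      "identity-restored" : certificate store and identity restored (expected)
      "identity-lost"     : new certificates generated, the client gets a new GUID
      "no-restore-step"   : the log never reached the identity restore step
    evidence is the log message that decided the verdict (None if no step found).
    """
    seen_restore = seen_store = False
    for line in lines:
        msg = message_of(line).rstrip(".")
        if msg.startswith(RESTORE_START):
            seen_restore = True
        elif msg.startswith(IDENTITY_LOST):
            # The failure signature is decisive on its own.
            return "identity-lost", msg
        elif msg.startswith(STORE_RESTORED):
            seen_store = True
    if seen_restore and seen_store:
        return "identity-restored", STORE_RESTORED
    return "no-restore-step", None


def classify_file(path):
    """Classify a whole smsts.log file read from disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return classify(fh)


def audit(logs):
    """Map each client name to its verdict; entries marked "identity-lost" are
    the clients that will reappear in the site database under a new GUID."""
    return {name: classify(lines)[0] for name, lines in logs.items()}


# Sample input: the two excerpts from the post, plus a constructed CMTrace-wrapped excerpt.
FAILED_EXCERPT = """Installing SMS client
Clearing existing client configuration.
Cleaning existing client certificates from SMS certificate store
Restoring SMS client identity.
The client certificates were not found. New certificates will be generated.
Successfully restored the client identity.""".splitlines()

RESTORED_EXCERPT = """Installing SMS client
Clearing existing client configuration
Cleaning existing client certificates from SMS certificate store
Restoring SMS client identity
Successfully restored SMS certificate store
Successfully restored the client identity""".splitlines()

_WRAP = '<![LOG[{msg}]LOG]!><time="{t}+000" date="03-10-2010" component="OSD" context="" type="1" thread="1" file="example">'
CMTRACE_EXCERPT = [  # constructed timestamps and component
    _WRAP.format(msg="Restoring SMS client identity", t="10:15:02.123"),
    _WRAP.format(msg="Successfully restored SMS certificate store", t="10:15:03.456"),
    _WRAP.format(msg="Successfully restored the client identity", t="10:15:03.789"),
]

if __name__ == "__main__":
    # Constructed client names; PC-A is the one that will get a new SMS GUID.
    for name, verdict in audit({"PC-A": FAILED_EXCERPT, "PC-B": RESTORED_EXCERPT,
                                "PC-C": CMTRACE_EXCERPT}).items():
        print(name, verdict)
```

In practice you would point classify_file at each client's smsts.log (collected from the task sequence log location or a central share) and treat any "identity-lost" result as a client whose certificate should have been repaired with CCMCertFix.exe before the refresh.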

--Chaohao Xu

This posting is provided "AS IS" with no warranties, and confers no rights.

  • This is great information, but with one issue. It is my understanding that the prerequisite patch for SCCM's R3 (which is KB977384) takes precedence over hotfix KB977203. So if R3 is installed on SCCM you cannot install the KB977203 hotfix on your SCCM server (it will throw an error that the update is not needed) and you will not have the ability to push this patch during Client Push Installations. Can you confirm or deny this?
    Thank you!

  • I am also receiving the same error. So is KB977203 required if I have R3 hotfix installed? Even with the R3 hotfix I am seeing during our Windows 7 deployments where the client loses the certificate and a new one is created and causing another entry in the sccm database created for that client.
    Since I can't install KB977203, can I just push the CCMCertFix.exe to my xp machines to fix this issue?
    Also should this be added to the sccm client installation parameters in the task sequence during the migration?