Using System Center Configuration Manager 2007 SP2 (ConfigMgr 2007) and USMT 4.0 in a ConfigMgr 2007 Native Mode environment to refresh an Operating System puts the resulting deployed ConfigMgr 2007 client in a non-functional state as it is unable to retrieve policies. You will only see the two default actions in Control Panel and although every other aspect of the Operating System Deployment (OSD) should work, the ConfigMgr 2007 client will be unable to receive policy.
USMT 4.0 migrates user certificates, however machine certificates are only partially migrated and will not function as expected.
Use a custom XML in the USMT to exclude these certificates in the ConfigMgr 2007 Task Sequence Capture step:
1. Makes sure your customExclude.xml file is copied to the USMT Package source folder (in the root is easiest) and update the Distribution Points on which it is located.
2. Add the following Task Sequence Variable Step to the Task Sequence right before the Capture User Settings step:
With a value of the following:
Where ABC00008 is your actual USMT package ID, and customExclude.xml is your custom xml file for excluding or including scanstate actions.
By placing the customExclude.xml in the root of the USMT package source folder, you do not need to specify the amd64 or x86 in the path, so you can do this once for either platform architecture. By specifying the %SYSTEMDRIVE% variable, the path should work regardless of the System Drive letter. The only thing that has to be specific is the package ID which will be different in each environment.
It is also important to change the URLID to ensure it is different from the other default USMT migration xml files.
In the example provided below, this was changed to customExclude in the beginning of the xml folder as follows:
<?xml version="1.0" encoding="UTF-8"?> <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/customExclude">
The following is a working example customExclude.xml that can be used to prevent machine certificates from being migrated during the Capture User Data (scanstate) step, one of which is the ConfigMgr Client's Native Mode Certificate, during an Operating System Deployment Refresh:
<?xml version="1.0" encoding="UTF-8"?> <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/customExclude"> <component type="Documents" context="System"> <displayName>SkipMachineCerts</displayName> <role role="Data"> <rules> <include> <objectSet> <pattern type="Registry">HKLM\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\*[*]</pattern> </objectSet> </include> <unconditionalExclude> <objectSet> <pattern type="Registry">HKLM\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\*[*]</pattern> </objectSet> </unconditionalExclude> </rules> </role> </component> </migration>
This example used the file name of customExclude.xml, any filename should work, just make sure to use the same file name that copy to the USMT 4.0 package and that you specify on the command line for your variable in the Task Sequence Step.
NOTE: You will notice that there is an identical include before the unconditionalExclude, this is required. Per the TechNet article below, if you specify an <exclude> rule, always specify a corresponding <include> rule. Otherwise if you do not specify an <include> rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied <exclude> rule is unnecessary.
This blog post has some details on using unconditionalExclude:
This TechNet Article has samples of how to exclude various things in a custom.xml:
The information above was published today in the following Microsoft Knowledge Base article written by Clifton Hughes:
KB2539643 - Configuration Manager 2007 Native Mode Operating System Refresh leaves the client unable to receive policies
J.C. Hornbeck | System Center Knowledge Engineer
The App-V Team blog: http://blogs.technet.com/appv/ The WSUS Support Team blog: http://blogs.technet.com/sus/ The SCMDM Support Team blog: http://blogs.technet.com/mdm/ The ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/ The SCOM 2007 Support Team blog: http://blogs.technet.com/operationsmgr/ The SCVMM Team blog: http://blogs.technet.com/scvmm/ The MED-V Team blog: http://blogs.technet.com/medv/ The DPM Team blog: http://blogs.technet.com/dpm/ The OOB Support Team blog: http://blogs.technet.com/oob/ The Opalis Team blog: http://blogs.technet.com/opalis The Service Manager Team blog: http: http://blogs.technet.com/b/servicemanager The AVIcode Team blog: http: http://blogs.technet.com/b/avicode The System Center Essentials Team blog: http: http://blogs.technet.com/b/systemcenteressentials The Server App-V Team blog: http: http://blogs.technet.com/b/serverappv