User state migration is unsuccessful on an ConfigMgr 2007 SP1 or SP 2 client after you install security update 974571 or Windows 7 SP1

View products that this article applies to.

Symptoms

Consider the following scenario:

You install the System Center Configuration Manager 2007 Service Pack 1 (SP1) client or the System Center Configuration Manager 2007 Service Pack 2 (SP2) client.
You install security update 974571 or Windows 7 Service Pack 1 (SP1) on the same computer.
A ConfigMgr task sequence runs on this client. This task sequence includes the Capture User State task sequence step and the Restore User State task sequence step.

In this scenario, user state migration fails. At the same time, the following error message is logged in the Ccmexec.log file:

Failed to import the client certificate store (0x80092024) OSDSMPClient

↑ Back to the top

Cause

This error occurs because an embedded NULL character is in the Friendly name property of a certificate. Security update 974571 prevents the action that imports the certificate when its Friendly name property has an embedded NULL character. Therefore, the certificate cannot be imported.

↑ Back to the top

Resolution

Important To resolve this issue, install this hotfix on all System Center Configuration Manager 2007 Service Pack 1 (SP1) site servers and on all System Center Configuration Manager 2007 Service Pack 2 (SP2) site servers. Then, deploy this hotfix to all clients.

This hotfix resolves this issue for any new client certificates that are generated. To correct the current certificates, run the CCMCertFix utility that is in this package on all the Configuration Manager SP1 clients and on all the Configuration Manager SP2 clients.

Note To extract CCMCertFix utility, follow these steps:

Install this hotfix on the site server.
Locate the CCMCertFix.exe file. By default, this file is located in the following folder:
ConfigMgr_2007_Installation_Directory\Logs\KB977203
Copy and then run the CCMCertFix.exe file on any existing client.

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, System Center Configuration Manager 2007 Service Pack 1 (SP1) or System Center Configuration Manager 2007 Service Pack 2 (SP2) must be installed.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

File information

The English (United States) version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.

System Center Configuration Manager 2007 SP1 file information

File name	File version	File size	Date	Time	Platform
Ccmcertfix.exe	4.0.6221.1193	17,768	01-Dec-2008	01:40	x86
Ccmgencert.dll	4.0.6221.1193	130,408	01-Dec-2008	01:40	x86
Ccmsetup-sup.cab	Not applicable	257,833	01-Dec-2008	01:40	Not applicable
Ccmsetup.exe	4.0.6221.1193	609,128	01-Dec-2008	01:40	x86
Ccmsetup.msi	Not applicable	1,662,464	01-Dec-2008	01:40	Not applicable
Mcs.msi	Not applicable	7,312,896	01-Dec-2008	01:40	Not applicable
Mcsisapip.dll	4.0.6221.1193	205,672	01-Dec-2008	01:40	x86
Mp.msi	Not applicable	9,515,520	01-Dec-2008	01:40	Not applicable
Sccm2007ac-sp1-kb977203-x86.msp	Not applicable	3,076,096	01-Dec-2008	01:40	Not applicable
Smpmgr.dll	4.0.6221.1193	85,864	01-Dec-2008	01:40	x86
Ccmgencert.dll	4.0.6221.1193	649,576	01-Dec-2008	01:40	IA-64
Ccmgencert.dll	4.0.6221.1193	285,032	01-Dec-2008	01:40	x64
Mcsisapip.dll	4.0.6221.1193	480,616	01-Dec-2008	01:40	x64

System Center Configuration Manager 2007 SP2 file information

File name	File version	File size	Date	Time	Platform
Ccmcertfix.exe	4.0.6487.2111	17,768	25-Jan-2010	06:27	x86
Ccmgencert.dll	4.0.6487.2111	130,408	25-Jan-2010	06:27	x86
Ccmsetup-sup.cab	Not applicable	253,016	10-Dec-2009	03:40	Not applicable
Ccmsetup.exe	4.0.6487.2111	611,688	25-Jan-2010	06:27	x86
Ccmsetup.msi	Not applicable	1,662,976	25-Jan-2010	06:27	Not applicable

Mcs.msi	Not applicable	7,204,864	25-Jan-2010	06:28	Not applicable
Mcsisapip.dll	4.0.6487.2111	206,696	25-Jan-2010	06:28	x86
Mp.msi	Not applicable	9,180,672	25-Jan-2010	06:28	Not applicable
Sccm2007ac-sp2-kb977203-x86.msp	Not applicable	444,928	25-Jan-2010	06:28	Not applicable
Smpmgr.dll	4.0.6487.2111	86,376	25-Jan-2010	06:28	x86
Ccmgencert.dll	4.0.6487.2111	649,576	25-Jan-2010	06:28	IA-64
Ccmgencert.dll	4.0.6487.2111	285,032	25-Jan-2010	06:29	x64
Mcsisapip.dll	4.0.6487.2111	481,640	25-Jan-2010	06:29	x64

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More Information

Client installation properties

If you specified a client push installation property when you installed the System Center Configuration Manager 2007 SP1 client or the System Center Configuration Manager 2007 SP2 client, you must specify the property again when you install the hotfix. If you do not specify the property again when you install the hotfix, the property is removed from the configuration. For example, if you modified the original installation by using the server locator point (SMSSLP) or the fallback status point (FSP) property, you must specify that property again when you install the hotfix.

How to use the CCMCertFix.exe utility

The CCMCertFix utility is a command prompt utility that runs without options (switches). However, you must run it by using administrative rights. The CCMCertFix.exe file is installed at the following location:

sms root\logs\KB977203

Note You can redirect errors to a specific log file. For example, assume the file name of the log file is CCMCertFix.log. In this scenario, you can run the following command:

CCMCertFix.exe CCMCertFix.log

Deployment information about CCMCertFix.exe utility

The CCMCertFix utility can be distributed as a Configuration Manager program. For example, assume that you use the following settings to distribute the utility as a Configuration Manager program:

Run: Hidden
Run whether or not a user is logged on
Run with administrative rights

These program settings can be changed to suit the environment and your business needs.

Note You must run the CCMCertFix utility by using administrative rights.

For more information about Security Update 974571, click the following article number to view the article in the Microsoft Knowledge Base:

974571

MS09-056: Vulnerabilities in CryptoAPI could allow spoofing

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684

Description of the standard terminology that is used to describe Microsoft software updates

The hotfix that is described in Microsoft Knowledge Base article 997384 supersedes and includes this hotfix. Therefore, this hotfix cannot be installed after that hotfix is installed. However, the CCMCertFix.exe utility is not included as part of that hotfix. To obtain the CCMCertFix.exe utility after you have installed that hotfix, download the hotfix that is described in this hotfix, and then run the following command to extract the contents of the hotfix:

msiexec.exe /a SCCM2007-SP2-KB977203-ENU.msi /qb targetdir=Path_To_Extract_To

Notes

In this command, the placeholder Path_To_Extract_To represents the location where the contents of the hotfix should be extracted. After the CCMCertFix.exe utility is extracted, you can find the utility in this location.
The name of the .msi file in this command may be different depending on the localized version that is downloaded. Check the name of the .msi file that is downloaded, and change the command line appropriately if this is necessary.

Install KB977203 during a task sequence

For operating system deployments, the KB977203 hotfix must be installed during a ConfigMgr 2007 OSD task sequence in the Setup Windows and ConfigMgr task. Otherwise, the problem will continue to occur while the task sequence is executed. The hotfix cannot be installed by using an "install software" task. Doing that would cause the ConfigMgr 2007 client service to stop, which will cause the task sequence to fail.

Note If the client update that is described in Knolwedge Base article 977384 is being installed during the task sequence, it is not necessary to also install this client update, because this update is included as part of that update.

To install the KB977203 hotfix during a ConfigMgr 2007 OSD task sequence, use the PATCH= option that is described in the following Microsoft Knowledge Base article:

907423 How to include an update in the initial installation of Systems Management Server 2003 Advanced Client

To install the KB977203 hotfix during a ConfigMgr 2007 OSD task sequence, follow these steps:

Apply the hotfix on the site server.
After the hotfix has been applied on the site server, the ConfigMgr 2007 client installation files will be updated to include the KB977203 hotfix in the directory \i386\hotfix\KB977203\ of the ConfigMgr 2007 client installation files. Because the ConfigMgr 2007 client installation files have been updated, make sure that you update the distribution points where the ConfigMgr 2007 client installation package resides.
Right-click the task sequence that you need to change, and then click Edit.
Click Setup windows and ConfigMgr.
In the Installation properties box, type the following:

For ConfigMgr 2007 SP1:
PATCH="C:\_SMSTaskSequence\OSD\<Package_ID>\i386\hotfix\KB977203\SCCM2007AC-SP1-KB977203-x86.msp"
For ConfigMgr 2007 SP2:
PATCH="C:\_SMSTaskSequence\OSD\<Package_ID>\i386\hotfix\KB977203\SCCM2007AC-SP2-KB977203-x86.msp"

Notes
- The <Package_ID> placeholder is the package ID of the ConfigMgr 2007 client installation package in ConfigMgr 2007.
- Make sure that you include the quotation marks as part of the path. However, do not include the brackets that are around the placeholder.
- Make sure that the package ID of the ConfigMgr 2007 client installation package is used and not the package ID of the KB977203 hotfix package.
- The _SMSTaskSequence cache folder will reside on the drive that has the most disk space. If the computer has multiple drives or partitions, the _SMSTaskSequence folder may end up on a drive other than drive C. In this scenario, change the path to point to the drive that contains the _SMSTaskSequence folder. We do not recommend that you use the variable _SMSTSMDataPath in the path because the drive letter in this path can enumerate differently in Windows PE than in the full Windows operating system.
- As an alternative to using the local path that points to the ConfigMgr 2007 client installation files that are located in the local Task Sequence cache, you can specify a UNC path that points to the ConfigMgr 2007 client installation files on the original package source or on a distribution point.
- Verify the name of the .msp file that is located in the \i386\hotfix\KB977203\ directory of the ConfigMgr 2007 client installation files. The name may differ depending on the locale. If the name differs from the name of the .msp file name that is used in the PATCH= command line in this step, adjust the name accordingly.
Click Apply or OK to save the task sequence.

In addition to installing the KB977203 hotfix during the Task Sequence, CCMCertFix.exe also has to be run. When CCMCertFix.exe runs depends on the deployment scenario that is occurring (replace or refresh or new computer). The following steps show how to run CCMCerFix.exe for all deployment scenarios.

Use normal software distribution to create a package and program by using the CCMCertFix.exe utility from KB977203. The program does not have to have any switches and can just run CCMCertFix.exe directly. After you create the package and program, make sure that you put the package on distribution points.
Right-click the affected task sequence, and then select Properties.
Click the Advanced tab.
Click the option to Run another program first, and then select the package and program from step 1.
Click OK.
Right-click the affected task sequence, and then select Edit.
Click the Setup Windows and ConfigMgr task.
With the Setup Windows and ConfigMgr task selected, click the Add menu, and then select General --> Install Software.
Click the newly created install software task, and then select the package and program from step 1.
With the newly created install software task still selected, click the Add menu, and then select General --> Restart Computer.
Click the newly created restart computer task, and then select the option The currently installed default operating system. In addition, clear the option Notify the user before restarting.
Click OK or Apply to save the task sequence.

Note For replace scenarios, you only have to follow steps 1 through 5 for the task sequence that captures the data on the original computer. For the task sequence that restores the data on the new computer, follow all the steps.

↑ Back to the top