System Center Configuration Manager (SCCM) 2007 generates certificates for the SCCM clients to communicate securely with SCCM site servers. One of the properties of a certificate is the Friendly Name. The SCCM certificates have contained a NULL character in the Friendly Name, and this hasn’t been a problem in the past. This changed, however, with the release of security update 974571 from Microsoft:
MS09-056: Vulnerabilities in CryptoAPI could allow spoofing
For security reasons, this security update prevents importing certificates that contain a NULL character in the Friendly Name property.
As part of SCCM Operating System Deployments that use USMT (User State Migration Tool) to migrate state data in refresh or replace scenarios, the SCCM client certificates have to be migrated from the source operating system (OS) to the target OS. If the source or target OS has security update 974571 installed, then the USMT migration will fail.
Service Pack 1 (SP1) for Windows 7 includes security update 974571. Due to this, when the source or target OS is Windows 7 with SP1, the USMT migration will fail during USMT operations. USMT will also fail during capture of state data on the source OS if the source OS is Windows XP or Windows Vista with security update 974571.
To avoid this problem, Microsoft has provided hotfix 977203:
Hotfix 977203 needs to be installed on all SCCM site servers and on all SCCM clients so they stop generating certificates with a NULL character in the Friendly Name property. The hotfix also includes a tool, ccmcertfix.exe, that will remove the NULL character in the Friendly Name from the SCCM certificates on systems that already have them.
When you install the hotfix on a site server, the ccmcertfix.exe tool is extracted to the following directory:
ConfigMgr_2007_Installation_Directory\Logs\KB977203
However, if the hotfix can’t be installed on a site server or SCCM client because it is not applicable, then you would have to manually extract the hotfix files to obtain the ccmcertfix.exe tool. One reason for hotfix 977203 not to be applicable is that hotfix 977384 is installed on the site server. Hotfix 977384 supersedes hotrfix 977203. Hotfix 977384 includes hotfix 977203. This is the error that you may get if the hotfix isn’t applicable.
Even if hotfix 977203 isn’t applicable (because hotfix 977203 or 977384 is already installed), the current certificates on SCCM clients still need to be fixed using the ccmcertfix.exe tool.
Extracting the hotfix files
The hotfix .exe file that you download from Microsoft is really a compressed file. When you execute it, it extracts the actual .exe hotfix file. You extract the files from this hotfix file by executing it with the /x parameter as in the following example.
SCCM2007-SP1-KB977203-X64-ENU.exe /x
You then specify where you want to extract the file.
This is a partial list if the extracted files.
The article for hotfix 977203 provides details on how to install the hotfix via SCCM software distribution or via a Task Sequence. It also explains how to run the ccmcertfix.exe tool during refresh and replace OSD scenarios by using your deployment task sequences.
