SCCM USMT Migration Fails in a Refresh Scenario Involving Windows 7 SP1

System Center Configuration Manager (SCCM) 2007 generates certificates for the SCCM clients to communicate securely with SCCM site servers.  One of the properties of a certificate is the Friendly Name.  The SCCM certificates have contained a NULL character in the Friendly Name, and this hasn’t been a problem in the past.  This changed, however, with the release of security update 974571 from Microsoft:

MS09-056: Vulnerabilities in CryptoAPI could allow spoofing

For security reasons, this security update prevents importing certificates that contain a NULL character in the Friendly Name property.

As part of SCCM Operating System Deployments that use USMT (User State Migration Tool) to migrate state data in refresh or replace scenarios, the SCCM client certificates have to be migrated from the source operating system (OS) to the target OS.  If the source or target OS has security update 974571 installed, then the USMT migration will fail.

Service Pack 1 (SP1) for Windows 7 includes security update 974571.  Due to this, when the source or target OS is Windows 7 with SP1, the USMT migration will fail during USMT operations.  USMT will also fail during capture of state data on the source OS if the source OS is Windows XP or Windows Vista with security update 974571.

To avoid this problem, Microsoft has provided hotfix 977203:

User state migration is unsuccessful on an ConfigMgr 2007 SP1 or SP 2 client after you install security update 974571 or Windows 7 SP1

Hotfix 977203 needs to be installed on all SCCM site servers and on all SCCM clients so they stop generating certificates with a NULL character in the Friendly Name property.  The hotfix also includes a tool, ccmcertfix.exe, that will remove the NULL character in the Friendly Name from the SCCM certificates on systems that already have them.

When you install the hotfix on a site server, the ccmcertfix.exe tool is extracted to the following directory:


However, if the hotfix can’t be installed on a site server or SCCM client because it is not applicable, then you would have to manually extract the hotfix files to obtain the ccmcertfix.exe tool.  One reason for hotfix 977203 not to be applicable is that hotfix 977384 is installed on the site server.  Hotfix 977384 supersedes hotrfix 977203.  Hotfix 977384 includes hotfix 977203.  This is the error that you may get if the hotfix isn’t applicable.

Even if hotfix 977203 isn’t applicable (because hotfix 977203 or 977384 is already installed), the current certificates on SCCM clients still need to be fixed using the ccmcertfix.exe tool.

Extracting the hotfix files

The hotfix .exe file that you download from Microsoft is really a compressed file.  When you execute it, it extracts the actual .exe hotfix file.  You extract the files from this hotfix file by executing it with the /x parameter as in the following example.

SCCM2007-SP1-KB977203-X64-ENU.exe /x

You then specify where you want to extract the file.

This is a partial list if the extracted files.

The article for hotfix 977203 provides details on how to install the hotfix via SCCM software distribution or via a Task Sequence.  It also explains how to run the ccmcertfix.exe tool during refresh and replace OSD scenarios by using your deployment task sequences.



Contact Us

On Key

More Posts

Mastering Azure AD Connect - A Comprehensive Guide by WME
Active Directory

Mastering Azure AD Connect – A Comprehensive Guide

Modern businesses are fast moving toward cloud-based infrastructure. In fact, cloud-based business is not just a trend anymore but a strategic necessity. Microsoft’s Azure Active Directory (Azure AD) has become a frontrunner in this domain. It

Read More »
Security Best Practices in SharePoint
Office 365

Security Best Practices in SharePoint

Microsoft SharePoint is an online collaboration platform that integrates with Microsoft Office. You can use it to store, organize, share, and access information online. SharePoint enables collaboration and content management and ultimately allows your teams to

Read More »
The Ultimate Guide to Microsoft Intune - Article by WME
Active Directory

The Ultimate Guide to Microsoft Intune

The corporate world is evolving fast. And with that, mobile devices are spreading everywhere. As we venture into the year 2024, they have already claimed a substantial 55% share of the total corporate device ecosystem. You

Read More »
Protecting Microsoft 365 from on-Premises Attacks
Cloud Security

How to Protect Microsoft 365 from On-Premises Attacks?

Microsoft 365 is diverse enough to enrich the capabilities of many types of private businesses. It complements users, applications, networks, devices, and whatnot. However, Microsoft 365 cybersecurity is often compromised and there are countless ways that

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.