[Today's post is provided by Chaohao Xu.]
If Windows hotfix KB974571 is installed on a Windows 7 reference image, then it is highly likely that you will see the following log entries in smsts.log when deploying this image to an existing ConfigMgr client. Notice that because the client certificates were not found, the client registers itself with a newly generated certificate, losing its original identity in the process.
Installing SMS client
Clearing existing client configuration.
Cleaning existing client certificates from SMS certificate store
Restoring SMS client identity.
The client certificates were not found. New certificates will be generated.
Successfully restored the client identity.
This behavior is not desired when you refresh Windows using an operating system deployment task sequence. When an OSD Task Sequence is used to refresh a PC, the ConfigMgr 2007 client certificate should be migrated from the old Windows OS to the new Windows OS.
The problem is caused by the self-signed certificates that the ConfigMgr 2007 client generates automatically in mixed mode. If the KB977203 ConfigMgr 2007 client patch was not installed on the existing client when the certificates were generated, then the certificates will have an embedded NULL character in the friendly name, as described in KB974571.
If the ConfigMgr 2007 client certificate on the original Windows OS has an embedded NULL character in the friendly name as described in KB974571, and KB974571 is installed as part of the reference image being deployed by the task sequence, then when the new Windows OS is installed, KB974571 will block the ConfigMgr 2007 client certificate with the embedded NULL character in the friendly name from being migrated. This causes the issue above.
This can be fixed by installing ConfigMgr hotfix KB977203 to repair the client certificate prior to deploying Windows 7, or simply by running the CCMCertFix utility on the client prior to the Windows 7 deployment.
The instructions to fix the client certificate on any existing client are as follows:
- Install hotfix KB977203 on the site server.
- A utility called CCMCertFix.exe is placed in the directory <ConfigMgr_2007_Install_Directory>\Logs\KB977203.
- Run CCMCertFix.exe on any existing client to fix the certificate; software distribution can be leveraged to deliver it to a large number of clients. Another way is to add this as a step to the Windows 7 deployment task sequence.
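As an added example that is not part of the original post or of the KB977203 hotfix package, the following Windows PowerShell script checks the local machine's SMS certificate store for client certificates whose friendly name carries an embedded NUL, and can then run CCMCertFix.exe as a pre-deployment step. It reads the raw friendly-name property through crypt32 rather than the managed FriendlyName property, which may truncate at the first NUL. The CCMCertFix.exe path, the parameter names, the function names and the exit codes are assumptions; since the post gives no command-line arguments for CCMCertFix.exe, none are passed.

```powershell
# Added example, not part of the original post or of hotfix KB977203.
# Finds ConfigMgr 2007 client certificates in the machine's SMS store whose
# friendly name contains an embedded NUL (the KB974571 condition) and, with
# -Fix, runs CCMCertFix.exe so the certificate can be migrated by OSD.
# Assumptions: Windows PowerShell run elevated on the client; the path to
# CCMCertFix.exe is supplied by the caller (the default below is a placeholder).
param(
    [string]$CcmCertFixPath = 'C:\PLACEHOLDER\CCMCertFix.exe',   # assumption
    [switch]$Fix
)

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Crypt32Native {
    public const uint CERT_FRIENDLY_NAME_PROP_ID = 11;
    [DllImport("crypt32.dll", SetLastError = true)]
    public static extern bool CertGetCertificateContextProperty(
        IntPtr pCertContext, uint dwPropId, byte[] pvData, ref uint pcbData);
}
'@

function Get-RawFriendlyName {
    # Returns the friendly-name property as CAPI stores it: a UTF-16 string
    # including its terminating NUL, so an embedded NUL is not lost the way it
    # can be through the managed X509Certificate2.FriendlyName property.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    [uint32]$size = 0
    $propId = [Crypt32Native]::CERT_FRIENDLY_NAME_PROP_ID
    if (-not [Crypt32Native]::CertGetCertificateContextProperty($Cert.Handle, $propId, $null, [ref]$size)) {
        return $null    # certificate has no friendly-name property
    }
    $buffer = New-Object byte[] $size
    if (-not [Crypt32Native]::CertGetCertificateContextProperty($Cert.Handle, $propId, $buffer, [ref]$size)) {
        return $null
    }
    return [System.Text.Encoding]::Unicode.GetString($buffer, 0, [int]$size)
}

function Test-EmbeddedNull {
    # True when a NUL remains after removing exactly one terminating NUL.
    # Only one is removed on purpose: a defective name may end in an extra NUL
    # right before the terminator, which TrimEnd would silently strip as well.
    param([string]$RawName)
    if ([string]::IsNullOrEmpty($RawName)) { return $false }
    $name = $RawName
    if ($name[$name.Length - 1] -eq [char]0) { $name = $name.Substring(0, $name.Length - 1) }
    return ($name.IndexOf([char]0) -ge 0)
}

# The ConfigMgr client keeps its self-signed certificates in the SMS store.
$affected = @(Get-ChildItem -Path 'Cert:\LocalMachine\SMS' -ErrorAction SilentlyContinue |
    Where-Object { Test-EmbeddedNull (Get-RawFriendlyName $_) })

if ($affected.Count -eq 0) {
    Write-Output 'No SMS client certificate with an embedded NUL in its friendly name.'
    exit 0
}

foreach ($cert in $affected) {
    Write-Output ('Affected certificate: {0} (thumbprint {1})' -f $cert.Subject, $cert.Thumbprint)
}

if ($Fix) {
    if (-not (Test-Path -Path $CcmCertFixPath)) {
        Write-Error "CCMCertFix.exe not found at $CcmCertFixPath"
        exit 2
    }
    & $CcmCertFixPath          # the post gives no arguments, so none are passed
    exit $LASTEXITCODE
}

exit 1    # affected certificates found and not fixed: fails a pre-flight task sequence step
```

Run without -Fix to audit a client (exit code 1 means an affected certificate is present), or with -Fix and the real CCMCertFix.exe path as a task sequence step before the Windows 7 image is applied; the exit code lets the task sequence stop before the identity would be lost.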
The correct way to guarantee that any new client has a fixed certificate is to make sure the client patch is installed before the newly installed client registers itself. The detailed instructions are as follows:
- Install hotfix KB977203 on the site server.
- A ConfigMgr 2007 client patch is placed in the directory <ConfigMgr_2007_Install_Directory>\Client\i386\hotfix\KB977203.
- Go to Client Push Installation Properties and specify the PATCH parameter: PATCH=\\<SMSSiteServer>\SMS_<SiteCode>\Client\i386\hotfix\KB977203\sccm2007ac-sp2-kb977203-x86.msp
- The above configuration makes sure that any new client installed using the client push method includes the client patch from KB977203 before the client registers itself.
After the existing client has had its certificate issue fixed by hotfix KB977203, the Windows 7 deployment successfully restores the client identity, as shown by the following log entries in smsts.log.
Installing SMS client
Clearing existing client configuration
Cleaning existing client certificates from SMS certificate store
Restoring SMS client identity
Successfully restored SMS certificate store
Successfully restored the client identity
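As an added example that is not part of the original post, the following Windows PowerShell snippet tells the two smsts.log outcomes shown above apart, so that logs collected from a batch of refreshed clients can be scanned for machines that lost their identity. It assumes the CMTrace line format (<![LOG[message]LOG]!><time=... date=... ...>) that smsts.log uses; the function names and the sample entries are constructed for this example and are not real log data.

```powershell
# Added example, not part of the original post: classify a Windows 7 OSD
# deployment from its smsts.log as having restored the client identity or
# having regenerated certificates (the failure pattern shown in the post).
# Assumption: the log uses the CMTrace line format <![LOG[...]LOG]!><...>.
function Get-ClientIdentityOutcome {
    param([string]$LogText)
    # Pull the message body out of each CMTrace entry.
    $messages = [regex]::Matches($LogText, '<!\[LOG\[(.*?)\]LOG\]!>') |
        ForEach-Object { $_.Groups[1].Value }
    # "Successfully restored the client identity" appears in both cases, so the
    # decision rests on the two lines that differ between them.
    if ($messages -match '^The client certificates were not found') { return 'Regenerated' }
    if ($messages -match '^Successfully restored SMS certificate store') { return 'Restored' }
    return 'Unknown'
}

function Get-FleetIdentityReport {
    # Walks a folder of collected smsts.log copies (assumed to be named
    # <ClientName>.log, one per client) and reports each client's outcome.
    param([string]$LogFolder)
    Get-ChildItem -Path $LogFolder -Filter '*.log' | ForEach-Object {
        [pscustomobject]@{
            Client  = $_.BaseName
            Outcome = Get-ClientIdentityOutcome (Get-Content -Path $_.FullName -Raw)
        }
    }
}

# Constructed sample entries (not a real smsts.log) mirroring the post's two cases.
$regeneratedSample = @'
<![LOG[Restoring SMS client identity.]LOG]!><time="10:15:32.001+000" date="03-01-2010" component="OSDSetupHook" context="" type="1" thread="1564" file="">
<![LOG[The client certificates were not found. New certificates will be generated.]LOG]!><time="10:15:32.002+000" date="03-01-2010" component="OSDSetupHook" context="" type="2" thread="1564" file="">
<![LOG[Successfully restored the client identity.]LOG]!><time="10:15:32.003+000" date="03-01-2010" component="OSDSetupHook" context="" type="1" thread="1564" file="">
'@
$restoredSample = @'
<![LOG[Restoring SMS client identity]LOG]!><time="10:15:32.001+000" date="03-01-2010" component="OSDSetupHook" context="" type="1" thread="1564" file="">
<![LOG[Successfully restored SMS certificate store]LOG]!><time="10:15:32.002+000" date="03-01-2010" component="OSDSetupHook" context="" type="1" thread="1564" file="">
<![LOG[Successfully restored the client identity]LOG]!><time="10:15:32.003+000" date="03-01-2010" component="OSDSetupHook" context="" type="1" thread="1564" file="">
'@

Write-Output ('Sample without the fix: {0}' -f (Get-ClientIdentityOutcome $regeneratedSample))
Write-Output ('Sample with the fix:    {0}' -f (Get-ClientIdentityOutcome $restoredSample))
```

Pointing Get-FleetIdentityReport at a folder of collected logs and filtering on Outcome -eq 'Regenerated' gives the list of clients whose records in the site database now belong to a stale identity and which need attention after the deployment.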
-- Chaohao Xu
This posting is provided "AS IS" with no warranties, and confers no rights.