bandaidI “discovered” this last night in my lab and had it confirmed to me this morning by the product group: The hotfix described in KB977203 (User state migration fails on a SCCM 2007 SP1 client or on a SCCM 2007 SP2 client after you install security update 974571) is superseded by the hotfix described in KB977384 (Description of the prerequisite hotfix for System Center Configuration Manager 2007 R3). The KB977203 hotfix won’t even install (and in fact fails with “ERROR: Attempting to install downlevel patch for feature CcmFramework. Rejecting patch and aborting install.” in the log file) if KB977384 is already installed on a client.

Note that the CCMCertFix tool described in KB977203 is still valid though and still needs to be run on existing clients to correct the issue described in that article.

A quick trick for implementing CCMCertFix is to create a separate package and program to run it. Then, set any refresh task sequences to run the CCMCertFix package before the task sequence using the Advanced tab of the task sequence’s properties dialog box (just like traditional package/program chaining in Software Distribution). Because the only place I’ve seen this certificate issue rear its ugly head is in OSD refresh scenarios, you don’t really need to fix the certificate everywhere, you just need to fix it before a task sequence with USMT in it runs.