Background: I am installing a couple Hotfixes when installing the "Setup windows and ConfigMgr" in OSD. They are http://support.microsoft.com/kb/977203 and http://support.microsoft.com/kb/977384. KB977203 is for the USMT errors and the KB977384 is required for the SCCM 2007 R3 Power Management features. I have installed both Hotfixes to the SCCM site server. I then updated the distribution point for my ConfigMgr installer (DIS00008) to ensure the Hotfix files are on the distribution point. Following the KB articles I have edited my "Setup windows and ConfigMgr" step to have the following arguements: SMSCACHESIZE=8000 PATCH="%_SMSTSMDataPath%\OSD\DIS00008\i386\hotfix\KB977203\SCCM2007AC-SP2-KB977203-x86.msp; %_SMSTSMDataPath%\OSD\DIS00008\i386\hotfix\KB977384\SCCM2007AC-SP2-KB977384-x86-enu.msp" When you install KB977203 by itself, it makes the Config Manager client version "4.00.6487.2111". When you install KB977384 it makes the ConfigMr client version "4.00.6487.2157". This occurs whether KB977203 is installed or not. So the version number is not reliable to determine which patches are installed. Question: How can I determine which machines have both patches KB977203 and KB977384 installed on the same machine? Specifically I am looking for a way to query this in SCCM so that I can make collections to install these patches on the machines that are missing them. P.S. I wasn't sure which forum this should be in so Mods feel free to move if this post should be elsewhere.Find this post helpful? Does this post answer your question? Be sure to mark it appropriately to help others find answers to their searches.

Try this: http://myitforum.com/cs2/blogs/jsandys/archive/2011/01/17/configmgr-client-hotfix-queries.aspx. Also, did you know that 977384 supercedes 977203? So there is no need to install them both.Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys

Try this: http://myitforum.com/cs2/blogs/jsandys/archive/2011/01/17/configmgr-client-hotfix-queries.aspx. Also, did you know that 977384 supercedes 977203? So there is no need to install them both. Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys Jason, this looks to be the answer and I'll likely be marking it so very soon. However, where did you find the information stating that 977384 supercedes 977203? The 977384 article says "Hotfix replacement information: This hotfix does not replace a previously released hotfix." and it doesn't state anything about that it includes the fix that 977203 provides. I am happy to hear I only need one, but I am hoping you can provide some additional information reassuring me that it is included. Is there a way to verify by looking at some other settings? Maybe looking at the certificate it supposedly fixed, but I am not sure how to be sure. Find this post helpful? Does this post answer your question? Be sure to mark it appropriately to help others find answers to their searches.

I confirmed it directly with the product team once I discovered the beahvior and they replied in the affirmative that this is indeed the case even though the KB makes no mention of it: http://myitforum.com/cs2/blogs/jsandys/archive/2010/11/04/kb977384-supersedes-kb977203.aspx. Note that certfix.exe from 977203 may still be needed on systems previously installed to fix the previously created "bad" certificates.Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys

That's great news! So as your post mentions, I will still need to run the certfix.exe to fix the bad certificates. Hopefully my questions are winding down, but here is another... Must I have either 977203 or 977384 installed to run the certfix.exe or at least to make it effictive? (if that makes sense) Is there a query I can use to find just those machines that have not had their certificate fixed? When we deploy new computers using the method in the first post, do we ever need to run the certfix.exe, or is this just to fix those bad machine? My understanding was that since the server is patched it no longer affected newly installed clients...is this correct? Thanks for all the great information thus far! Find this post helpful? Does this post answer your question? Be sure to mark it appropriately to help others find answers to their searches.

1. Fixing a previously generated "bad" cert is the job of certfix and only needs to be done on previously installed clients. Installing 977203 or 977384 at client agent installation time will only prevent a "bad" cert from being generated; they do not fix previously generated "bad" certs. Certs (in mixed mode) are generated at client installation time so unless you install one of these two fixes at client installation time, a bad cert will be generated and will require certfix to be run on it. Note that at this point, the only known implication of a "bad" cert is with the State Capture and Resotre tasks. 2. Not directly in ConfigMgr to my knowledge. There are ways and I could sworn I had one archived somewhere but can't find it. However, running certfix on a system whose ConfigMgr certs are not "bad" is harmless. 3. No, if you install 977203 or 977384 with the client agent, the cert generated is not "bad" so no need to run certfix. You are correct (see #1).Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys

You are absolutely awesome! Helpful +1 on all posts and marking as answer. Thanks so much. Find this post helpful? Does this post answer your question? Be sure to mark it appropriately to help others find answers to their searches.

Had a quick question about the new hotfix to allow installation of Windows Update patches at install time. The patch (KB2509007) is located at http://support.microsoft.com/kb/2509007. Does this one superceed any of the others or is it a seperate patch all together? Thank you.

No supercedance to my knowledge. This is the first patch for Software Updates in ConfigMgr (post Sp2) that I know of.Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys