Hello! SCCM: Native Mode Scenario: Windows XP upgrade to Windows Vista USMT: edited all 3 xml filesto migrate only desktop files If I am upgrading XP to Vista without USMT everything works fine, client certificate is autoenrolled from AD and there is no problem with deployment If I am upgrading XP to Vista with USMT, migration is succesfull, deployment is succesfull, but PC gets unmanaged, because SCCM client reports that client certificate doesn't have private key. If I delete certificate and run "gpupdate" it works fine again. So anyone have any ideas how USMT can affect client certificate, and maybe any workarounds?

Hi ,I am running into same problem here. When I am doing a replace scenario or a refresh scenario with SCCM Native mode the USMT overwrites the certificate information but with XP there is no problem.Can you please suggest what happened to your problem. Have you solved it?Bhasker R

Hi, I recently encountered a case with this issue, and after doing some resreach with the team that supports USMT, I found that there is a known issue with the machine certificates being only partially migrated, and I found a way around this, by specifying a a custom xml file for excluding the machine certificates from being migrated in the scanstate process during an OS Deployment. After some extensive testing of this in my LAB, I found that the best way to do this is to put the file in the root of the USMT Pacakge, and update the DP, then add that custom xml to the Capture step in the Task Sequence, the details on how to create the custom xml and other links are below, however, I was having trouble getting this to work until I did the following: To use a custom.xml for excluding something in a ConfigMgr 2007 Task Sequence Capture Step, do the following: 1. Makes sure your custom.xml file is copied to the USMT Package source folder (in the root is easiest) and update the Distribtution Points on which it is located. 2. Add the following Task Sequence Variable Step to the Task Sequence right before the Capture User Settings step: OSDMigrateAdditionalCaptureOptions With a value of the following: /i:"%SYSTEMDRIVE%\_SMSTaskSequence\Packages\ABC00008\Custom.xml" Where ABC00008 is your actual USMT package ID, and custom.xml is your custom xml file for exluding or including scanstate actions. I think putting the custom xml in the root of the USMT package and not having to specify the amd64 or x86 in the path works better, so you can do this once, for either platform architecture, regardless of whether the System Drive is C:\ or not... then the only thing really hard coded is the package ID, and the other stuff will be generic enough it should work... I also ran into a conflict with a URLID of my custom.xml was the same as one of the default XML, my template I copied from the technet article was set to miguser on the URLID, so look out for this, the samples on TechNet have the same URLID as the built in files we are using, so if you are just wanting to add to the default stuff, this needs to be unique. I just changed it to be customExclude as follows in the beginning of the xml folder as follows: <?xml version="1.0" encoding="UTF-8"?> <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/customExclude"> Here is the customExclude.xml I was using to prevent the ConfigMgr Client's Native Mode Certificate from migrating during an OSD refresh scenario: <?xml version="1.0" encoding="UTF-8"?> <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/customExclude"> <component type="Documents" context="System"> <displayName>SkipMachineCerts</displayName> <role role="Data"> <rules> <include> <objectSet> <pattern type="Registry">HKLM\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\*[*]</pattern> </objectSet> </include> <unconditionalExclude> <objectSet> <pattern type="Registry">HKLM\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\*[*]</pattern> </objectSet> </unconditionalExclude> </rules> </role> </component> </migration> I named my file customExclude.xml just make sure to use the same file name in the package that you specifiy on the command line for your variable in the Task Sequence. I hope this helps others with this same issue. More information: This blog post has some details on using unconditionalExclude http://blogs.technet.com/b/askds/archive/2010/03/03/usmt-4-0-and-custom-exclusion-troubleshooting.aspx This TechNet Article has samples of how to exclude various things in a custom.xml: http://technet.microsoft.com/en-us/library/dd560762(WS.10).aspx I want to say thanks to Ned Pyle for helping me get to the bottom of this issue, he was a big help on finding out about this certificate problem, and pointed me to the resources that helped me solve this issue.Cliff Hughes (MSFT)