SteelBytes.NeT
Converting bytes to knowledge
  • Home
  • SCCM
  • SCCM Component Status error: “SMS Policy Provider has failed to sign one or more policy assignments”

SCCM Component Status error: “SMS Policy Provider has failed to sign one or more policy assignments”

January 9, 2013 Leave a Comment Written by Paolo




You experience problems with packages, virtual applications and OS deployment with your SCCM clients. The SCCM server reports “SMS Policy Provider has failed to sign one or more policy assignments. It will retry this operation automatically.” in the Component Status SMS_POLICY_PROVIDER. This may indicate your SCCM Site Server Signing Certificate has expired.

This article consists of two parts how to indicate and resolve the problem:

A. How to check if the SCCM Site Server Signing Certificate is expired

B. How to create a request file to renew the certificate (only working method to renew!)

 

A. How to check if the SCCM Site Server Signing Certificate is expired

1. In the Configuration Manager Console, navigate to Site Management
2. Open the Properties of your Site
3. Open Site Mode and note the name of the Certificate

image

4. Click on Browse…

image

5. Check the corresponding certificate name and check the Valid From date 

If the certificate is expired, you have to renew the certificate by following the steps below.

B. How to create a request file to renew the certificate

Be sure to do this outside work hours, because it impacts the SCCM clients.

1. Create a new file ‘sitesigning.inf’ with the following content:

[NewRequest] 
FriendlyName = "SCCM Site Signing Server Certificate [your site code]" 
Subject = "CN=The site code of this site server is [your site code]" 
MachineKeySet = True 
[RequestAttributes] 
CertificateTemplate = ConfigMgrSiteServerSigningCertificate

2. Save the file and open an elevated command prompt.

3.Type the following commands in the folder where you saved the file:

certreq –new sitesigning.inf sitesigning.req
certreq –submit sitesigning.req sitesigning.cer

4. Select the correct CA:

image

Output of certreq commands:

image

The certificate is now requested at your Certificate Authority.

5. Issue the certificate in your CA in Pending Requests and remember the Request ID

image

6. In an elevated cmd on the SCCM server again, type the following command:

certreq –retrieve [requestidnumber] sitesigning.cer

7. Select the correct CA again:

image

8. Open the local Certificate store by opening an new mmc and add Certificates (Local Computer)

image

9. Check if the certificate is present in Personal / Certificates (a little key must appear with the certificate! if not, the certificate does not contain the private key)

image

11. In the Configuration Manager Console, navigate to Site Management

11. Open the Properties of your Site

12. Open Site Mode, click on Browse and select the new certificate

image

The certificate is now renewed.

You can check the SMS_POLICY_PROVIDER status again under: System Status > Site Status > [Site code] > Component Status

If the certificate is correctly renewed, the message ‘SMS Policy Provider successfully signed all policy assignments with the new Site Server Signing Certificate.’ will appear. Your SCCM clients will then be functional again.



SCCM
, , , ,
Similar posts
  • Change management console language Sy... This is an easy one. When starting the management console the language of the local OS will be detected. Then it will search if a language pack is present. When found, the corresponding language will be shown and troubleshooting will instantly become a lot harder (or you can just try to search for non-English errors, [...]
  • How to renew the SCCM Site Server Sig... When your SCCM Site Server Signing Certificate has expired you will experience problems with packages, virtual applications and OS deployment with your SCCM clients. The SCCM server reports “SMS Policy Provider has failed to sign one or more policy assignments. It will retry this operation automatically.” in the Component Status SMS_POLICY_PROVIDER. This article consists of [...]
  • Add or remove local user in SCCM OSD ... Sometimes it is necessary to add a local user to your Windows image (like notebooks which must be used at external locations). You can create an image for SCCM with local users, but then you have another image with a different configuration. I think it’s cool everything can be managed with just one image, so [...]
  • SCCM OSD error: 0x80004005 When I tried to install a server by the SCCM task sequence, I received an 0x80004005 error. This was costing me some hours to resolve. In my case however, the solution was very simple: Cause Your system date and time may be invalid, which is mostly the case with servers fresh out of the box. [...]
  • No task sequence in SCCM OSD or no ad... If you want to reinstall your desktop by using SCCM, the list of task sequences is empty. In your SCCM client, no advertisements show up. Solutions Solution 1 – Merge the conflicting record 1. In your Configuration Manager Console, navigate to Computer Management / Conlicting Records. Check if there are any records present. If so, [...]

Leave a Reply

Your email address will not be published. Required fields are marked *


× six = thirty six