Converting bytes to knowledge

SCCM Component Status error: “SMS Policy Provider has failed to sign one or more policy assignments”





You experience problems with packages, virtual applications and OS deployment with your SCCM clients. The SCCM server reports “SMS Policy Provider has failed to sign one or more policy assignments. It will retry this operation automatically.” in the Component Status SMS_POLICY_PROVIDER. This may indicate your SCCM Site Server Signing Certificate has expired.

This article has two parts, covering how to identify and how to resolve the problem:

A. How to check if the SCCM Site Server Signing Certificate is expired

B. How to create a request file to renew the certificate (only working method to renew!)

 

A. How to check if the SCCM Site Server Signing Certificate is expired

1. In the Configuration Manager Console, navigate to Site Management
2. Open the Properties of your Site
3. Open Site Mode and note the name of the Certificate

4. Click on Browse…

5. Check the corresponding certificate name and check the Valid From date 

If the certificate is expired, you have to renew the certificate by following the steps below.

B. How to create a request file to renew the certificate

Be sure to do this outside work hours, because it impacts the SCCM clients.

1. Create a new file ‘sitesigning.inf’ with the following content:

[NewRequest] 
FriendlyName = "SCCM Site Signing Server Certificate [your site code]" 
Subject = "CN=The site code of this site server is [your site code]" 
MachineKeySet = True 
[RequestAttributes] 
CertificateTemplate = ConfigMgrSiteServerSigningCertificate

2. Save the file and open an elevated command prompt.

3. Type the following commands in the folder where you saved the file:

certreq -new sitesigning.inf sitesigning.req
certreq -submit sitesigning.req sitesigning.cer

4. Select the correct CA:

[Screenshot: output of the certreq commands]

The certificate is now requested at your Certificate Authority.

5. Issue the certificate in your CA in Pending Requests and remember the Request ID

6. In an elevated cmd on the SCCM server again, type the following command:

certreq -retrieve [requestidnumber] sitesigning.cer

7. Select the correct CA again:

8. Open the local certificate store by opening a new MMC and adding the Certificates (Local Computer) snap-in

9. Check that the certificate is present in Personal / Certificates. A little key must appear with the certificate! If not, the certificate does not contain the private key.

10. In the Configuration Manager Console, navigate to Site Management

11. Open the Properties of your Site

12. Open Site Mode, click on Browse and select the new certificate

The certificate is now renewed.

You can check the SMS_POLICY_PROVIDER status again under: System Status > Site Status > [Site code] > Component Status

If the certificate is correctly renewed, the message ‘SMS Policy Provider successfully signed all policy assignments with the new Site Server Signing Certificate.’ will appear. Your SCCM clients will then be functional again.
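
The expiry check from part A and the private-key check from step 9 can also be done from PowerShell on the site server. This is an added example, not part of the original article; the `$SiteCode` placeholder and the 30-day warning window are assumptions, and the subject pattern follows the sitesigning.inf file above.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the site server.
param(
    [string]$SiteCode = 'ABC',  # placeholder: replace with your own site code
    [int]$WarnDays = 30         # assumed warning window before expiry
)

# Classify a certificate's validity period relative to the current time.
function Get-ValidityState($Certificate, [int]$WarnDays) {
    $now = Get-Date
    $state = 'Valid'
    if ($now.AddDays($WarnDays) -gt $Certificate.NotAfter) { $state = 'ExpiringSoon' }
    if ($now -gt $Certificate.NotAfter)  { $state = 'Expired' }
    if ($now -lt $Certificate.NotBefore) { $state = 'NotYetValid' }
    $state
}

# Subject text taken from the sitesigning.inf request file in part B.
$subjectPattern = "*The site code of this site server is $SiteCode*"

# Personal store of the Local Computer, the same place step 9 inspects in the MMC.
# Sorting by NotAfter lists an old, expired certificate before its replacement.
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $subjectPattern } |
    Sort-Object NotAfter)

if ($certs.Count -eq 0) {
    Write-Warning "No site server signing certificate found for site code '$SiteCode'."
    return
}

$certs | Select-Object Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey,
    @{ Name = 'State'; Expression = { Get-ValidityState $_ $WarnDays } } |
    Format-List

# HasPrivateKey corresponds to the little key icon in the Certificates snap-in.
foreach ($cert in $certs) {
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$($cert.Thumbprint): no private key, cannot be used for signing."
    }
}
```

Running it on a schedule and alerting on the ExpiringSoon state gives advance notice before SMS_POLICY_PROVIDER starts failing to sign policy assignments.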


