You experience problems with packages, virtual applications and OS deployment on your SCCM clients. The SCCM server reports “SMS Policy Provider has failed to sign one or more policy assignments. It will retry this operation automatically.” in the Component Status of SMS_POLICY_PROVIDER. This can indicate that your SCCM Site Server Signing Certificate has expired: without a valid certificate (with its private key) the site cannot sign policy, and clients reject unsigned policy.
This article consists of two parts: how to identify the problem and how to resolve it:
A. How to check if the SCCM Site Server Signing Certificate is expired
B. How to create a request file to renew the certificate (only working method to renew!)
A. How to check if the SCCM Site Server Signing Certificate is expired
1. In the Configuration Manager Console, navigate to Site Management
2. Open the Properties of your Site
3. Open Site Mode and note the name of the Certificate
4. Click on Browse…
5. Select the certificate with the corresponding name and check the Valid To (expiration) date. Valid From only tells you when the certificate was issued; the certificate is expired when Valid To lies in the past.
If the certificate is expired, you have to renew the certificate by following the steps below.
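The same check from part A, scripted so it can be run (or scheduled) on the site server instead of clicking through the console. This is an added example, not part of the original article. It assumes an elevated PowerShell session on the site server, a site code of PS1 (a placeholder, replace it with yours) and the subject name format "CN=The site code of this site server is <site code>" that the request file in part B uses:

```powershell
# Added example, not from the original article: report the state of the SCCM
# Site Server Signing Certificate in the local machine Personal store.
# Assumptions: run elevated on the site server; $SiteCode is a placeholder.
param(
    [string]$SiteCode = 'PS1'   # assumed example site code, replace with yours
)

# The site server signing certificate has this fixed subject name format
$subject = "CN=The site code of this site server is $SiteCode"
$now     = Get-Date

$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject }

if (-not $certs) {
    Write-Warning "No certificate with subject '$subject' found in Cert:\LocalMachine\My"
    return
}

# There may be more than one (old expired plus renewed); show them all, newest first
$certs | Sort-Object NotAfter -Descending | ForEach-Object {
    $daysLeft = [int]($_.NotAfter - $now).TotalDays
    $state = if ($_.NotAfter -lt $now) { 'EXPIRED' }
             elseif ($daysLeft -le 30) { 'EXPIRING SOON' }
             else                      { 'OK' }

    # HasPrivateKey must be $true: the "little key" icon in the MMC. Without it
    # the site cannot sign policy even if the certificate is otherwise valid.
    $_ | Select-Object Thumbprint, FriendlyName, NotBefore, NotAfter, HasPrivateKey,
        @{ Name = 'DaysRemaining'; Expression = { $daysLeft } },
        @{ Name = 'State';         Expression = { $state } }
}
```

If the output shows EXPIRED, or a certificate whose HasPrivateKey is False, continue with part B. A certificate that is still valid but has no private key cannot be repaired by extending its lifetime; it has to be requested again so that the key pair is generated in the machine store.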
B. How to create a request file to renew the certificate
Be sure to do this outside work hours, because it impacts the SCCM clients.
1. Create a new file ‘sitesigning.inf’ with the following content:
[NewRequest]
FriendlyName = "SCCM Site Signing Server Certificate [your site code]"
Subject = "CN=The site code of this site server is [your site code]"
MachineKeySet = True
[RequestAttributes]
CertificateTemplate = ConfigMgrSiteServerSigningCertificate
2. Save the file and open an elevated command prompt.
3. Type the following commands in the folder where you saved the file (MachineKeySet = True makes certreq generate the key pair in the local computer store, which is why the prompt must be elevated):
certreq -new sitesigning.inf sitesigning.req
certreq -submit sitesigning.req sitesigning.cer
4. Select the correct CA when certreq prompts for one. The output of the certreq commands shows the Request ID and that the request is pending: the certificate is now requested at your Certificate Authority.
5. Issue the certificate in your CA in Pending Requests and remember the Request ID
6. In an elevated cmd on the SCCM server again, type the following command:
certreq -retrieve [requestidnumber] sitesigning.cer
7. Select the correct CA again when prompted.
8. Open the local certificate store: open a new MMC and add the Certificates snap-in for the Local Computer account (not the current user, because the request was created with MachineKeySet = True).
9. Check that the certificate is present under Personal / Certificates. A little key icon must appear on the certificate; if it does not, the certificate does not contain the private key and the site will not be able to sign policy with it.
10. In the Configuration Manager Console, navigate to Site Management
11. Open the Properties of your Site
12. Open Site Mode, click on Browse and select the new certificate
The certificate is now renewed.
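The certreq steps of part B, scripted in PowerShell as an added example that is not part of the original article. It differs from the manual steps in two places: it passes -config with the CA name so certreq does not show the CA picker, and it runs certreq -accept as a safeguard when the retrieved certificate is not yet in the local machine store. The site code, CA config string and working directory are placeholders, and the certificate template name is the one from the .inf file above:

```powershell
# Added example, not from the original article: request, retrieve and verify the
# SCCM Site Server Signing Certificate. Run elevated on the site server.
# Assumptions (placeholders): $SiteCode, $CAConfig ("CAHost\CAName"), $WorkDir.
param(
    [string]$SiteCode  = 'PS1',
    [string]$CAConfig  = 'ca01.contoso.local\Contoso-Issuing-CA',
    [string]$WorkDir   = 'C:\Temp\SiteSigning',
    [int]   $RequestId = 0     # set this on the second run, after the CA issued the request
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf     = Join-Path $WorkDir 'sitesigning.inf'
$req     = Join-Path $WorkDir 'sitesigning.req'
$cer     = Join-Path $WorkDir 'sitesigning.cer'
$subject = "CN=The site code of this site server is $SiteCode"

if ($RequestId -eq 0) {
    # Steps 1-4: write the .inf, generate the key pair in the machine store, submit.
    @"
[NewRequest]
FriendlyName = "SCCM Site Signing Server Certificate $SiteCode"
Subject = "$subject"
MachineKeySet = True
[RequestAttributes]
CertificateTemplate = ConfigMgrSiteServerSigningCertificate
"@ | Set-Content -Path $inf -Encoding ASCII

    & certreq.exe -new $inf $req | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

    # -config names the CA explicitly, so no interactive CA picker appears
    $out = & certreq.exe -submit -config $CAConfig $req $cer | Out-String
    if ($out -notmatch 'RequestId:\s*(\d+)') { throw "Could not find a RequestId in certreq output:`n$out" }
    $RequestId = [int]$Matches[1]

    if (-not (Test-Path $cer)) {
        # Step 5: the CA holds the request in Pending Requests until an admin issues it
        Write-Host "Request $RequestId is pending on $CAConfig. Issue it in the CA console, then re-run with -RequestId $RequestId"
        return
    }
} else {
    # Step 6: the request has been issued, fetch the certificate by Request ID
    & certreq.exe -retrieve -config $CAConfig $RequestId $cer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -retrieve failed with exit code $LASTEXITCODE" }
}

# Steps 8-9, done programmatically: the issued certificate must be in LocalMachine\My
# and be bound to the private key generated by certreq -new. Match on thumbprint,
# not subject, because the old expired certificate carries the same subject name.
$issued  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
$inStore = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
if (-not $inStore) {
    # Safeguard: install the response against the pending request if certreq did not already
    & certreq.exe -accept $cer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
    $inStore = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
}

if (-not $inStore)               { throw "Certificate $($issued.Thumbprint) is not in Cert:\LocalMachine\My" }
if ($inStore.Subject -ne $subject) { throw "Unexpected subject '$($inStore.Subject)'; check the .inf and the template" }
if (-not $inStore.HasPrivateKey) { throw "Certificate $($inStore.Thumbprint) has no private key (no 'little key' icon); the site cannot sign with it" }
if ($inStore.NotAfter -lt (Get-Date)) { throw "Certificate $($inStore.Thumbprint) is already expired" }

Write-Host "Site signing certificate $($inStore.Thumbprint) is installed with its private key, valid until $($inStore.NotAfter)."
Write-Host "Select it under Site Properties > Site Mode in the Configuration Manager Console (steps 10-12)."
```

Run the script once to submit the request; if the CA holds it as pending, issue it in the CA console and run the script a second time with -RequestId. The final checks are the ones that matter for the error in the component status: the certificate must sit in the Local Computer Personal store, have a private key and not be expired before you select it under Site Mode.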
You can check the SMS_POLICY_PROVIDER status again under: System Status > Site Status > [Site code] > Component Status
If the certificate is correctly renewed, the message ‘SMS Policy Provider successfully signed all policy assignments with the new Site Server Signing Certificate.’ will appear. Your SCCM clients will then be functional again.