Submit a ticketCall us

Training ClassSign up for Network Performance Monitor (NPM) and Scalability instructor-led classes

Attend our instructor-led classes, provided by SolarWinds® Academy, to discuss the more advanced monitoring mechanisms available in NPM as well as how to tune your equipment to optimize its polling capabilities. NPM classes offered:
NPM Custom Monitoring and Polling
Orion Platform Scalability

Reserve your seat.

Home > Success Center > Network Performance Monitor (NPM) > NPM - Knowledgebase Articles > Unable to deploy QoE Agents - Unable to get provision certificate bytes for agent deployment

Unable to deploy QoE Agents - Unable to get provision certificate bytes for agent deployment

Created by Justin Wyllys, last modified by MindTouch on Jun 23, 2016

Views: 1,183 Votes: 1 Revisions: 6


While attempting to deploy an agent the credentials test works, but the agent deployment fails with the message:


Unable to deploy agent. Unable to get provision certificate bytes for agent deployment.


The following errors are seen in C:\ProgramData\Solarwinds\Logs\AgentManagement\AgentManagement.Service.log


2015-11-18 10:43:44,872 [6] ERROR SolarWinds.AgentManagement.ServiceCore.CertificateManagement.CertificateManager - Error generating provisioning certificate. Agents will not be provisioned.
System.ComponentModel.Win32Exception (0x80004005): certmgmt::createsignedcertandexporttopfxfile failed
at SolarWindsAgentCLR.Core.CertificateManagement.certmgmt.createsignedcertandexporttopfxfile(String msubjectName, String missuername, String missuerstore, String mpfxfqpath, SecureString mss, Boolean dontsavetostore, String maccounttoaddtoprivatekeyacl)
at SolarWinds.AgentManagement.ServiceCore.CertificateManagement.CertificateGenerator.GenerateProvisioningCertificateToFile(X509Certificate2 caCertificate, String pathToSaveCertificate)
at SolarWinds.AgentManagement.ServiceCore.CertificateManagement.CertificateManager.GenerateProvisioningCertificate(IAgentManagementDbContext db)
2015-11-18 10:43:44,872 [6] ERROR SolarWinds.AgentManagement.ServiceCore.Services.AgentProvisioningService - Provisioning certificate for agents does not exist and can't be generated. Agents provisioning may not work.



  • NPM 11.5 and later
  • QoE 1.0 and later


The agent fails to deploy because the Agent Management Service does not have an Agent provisioning certificate, which is used to encrypt data sent from the agent to the server.


The error logged during certificate creation is NTE_BAD_KEYSET (0x80090016). This can have three most common reasons:

  • The Protected Storage Service is not running (most likely).
  • You do not have access to the key container (very likely).
  • Key container does not exist (unlikely).


First, confirm that the permissions are correctly set and that the Protected Storage service is running:

  1. Navigate to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ .
  2. Right-click this folder, select properties, and then select the Security tab.
  3. Add EVERYONE and grant Full Control.
  4. Save and restart all Orion services.
  5. Check that the "Protected storage" service is enabled and running (in services.msc). Start it if stopped and set the startup mode to Automatic.
  6. Restart Orion services again.


Then, check to see if the SolarWinds Agent Provisioning certificate was created:

  1. Start > Run > MMC.
  2. File > Add/remove Snap-in > Certs > Local Computer > Personal > Certificates.
  3. Look for a certificate by the name of SolarWinds Agent Provisioning.
  4. If it exists, you were successful.


Finally, try to deploy the agent from the web again (Settings > Manage Agents > Add Agent). If you followed the steps above, you should no longer see the error in the log.

Last modified