Submit a ticketCall us

Webinar: Web Help Desk for HR, Facilities and Accounting Departments
This webinar will focus on use cases for HR, Facilities and Accounting.

Having a unified ticketing and asset management system for all the departments in your company can provide end-users with a seamless experience and make things easier for your IT team. Yet, with different business tasks and objectives, many departments don’t fully understand the capabilities of Web Help Desk and how the software can be customized for effective use in their departments.
Register Now.

Home > Success Center > Network Performance Monitor (NPM) > Unable to deploy QoE Agents - Unable to get provision certificate bytes for agent deployment

Unable to deploy QoE Agents - Unable to get provision certificate bytes for agent deployment

Created by Justin Wyllys, last modified by MindTouch on Jun 23, 2016

Views: 62 Votes: 1 Revisions: 6


While attempting to deploy an agent the credentials test works, but the agent deployment fails with the message:


Unable to deploy agent. Unable to get provision certificate bytes for agent deployment.


The following errors are seen in C:\ProgramData\Solarwinds\Logs\AgentManagement\AgentManagement.Service.log


2015-11-18 10:43:44,872 [6] ERROR SolarWinds.AgentManagement.ServiceCore.CertificateManagement.CertificateManager - Error generating provisioning certificate. Agents will not be provisioned.
System.ComponentModel.Win32Exception (0x80004005): certmgmt::createsignedcertandexporttopfxfile failed
at SolarWindsAgentCLR.Core.CertificateManagement.certmgmt.createsignedcertandexporttopfxfile(String msubjectName, String missuername, String missuerstore, String mpfxfqpath, SecureString mss, Boolean dontsavetostore, String maccounttoaddtoprivatekeyacl)
at SolarWinds.AgentManagement.ServiceCore.CertificateManagement.CertificateGenerator.GenerateProvisioningCertificateToFile(X509Certificate2 caCertificate, String pathToSaveCertificate)
at SolarWinds.AgentManagement.ServiceCore.CertificateManagement.CertificateManager.GenerateProvisioningCertificate(IAgentManagementDbContext db)
2015-11-18 10:43:44,872 [6] ERROR SolarWinds.AgentManagement.ServiceCore.Services.AgentProvisioningService - Provisioning certificate for agents does not exist and can't be generated. Agents provisioning may not work.



  • NPM 11.5 and later
  • QoE 1.0 and later


The agent fails to deploy because the Agent Management Service does not have an Agent provisioning certificate, which is used to encrypt data sent from the agent to the server.


The error logged during certificate creation is NTE_BAD_KEYSET (0x80090016). This can have three most common reasons:

  • The Protected Storage Service is not running (most likely).
  • You do not have access to the key container (very likely).
  • Key container does not exist (unlikely).


First, confirm that the permissions are correctly set and that the Protected Storage service is running:

  1. Navigate to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ .
  2. Right-click this folder, select properties, and then select the Security tab.
  3. Add EVERYONE and grant Full Control.
  4. Save and restart all Orion services.
  5. Check that the "Protected storage" service is enabled and running (in services.msc). Start it if stopped and set the startup mode to Automatic.
  6. Restart Orion services again.


Then, check to see if the SolarWinds Agent Provisioning certificate was created:

  1. Start > Run > MMC.
  2. File > Add/remove Snap-in > Certs > Local Computer > Personal > Certificates.
  3. Look for a certificate by the name of SolarWinds Agent Provisioning.
  4. If it exists, you were successful.


Finally, try to deploy the agent from the web again (Settings > Manage Agents > Add Agent). If you followed the steps above, you should no longer see the error in the log.

Last modified
23:50, 22 Jun 2016