We recently encountered an issue with one of our customers that uses SCCM for operating system deployment, software update management, and package deployment. At some point in time every one of their SCCM Clients stopped functioning.

The first symptom we noticed was that the Actions tab in the Configuration Manager Control Panel Applet would only display two actions as seen below. Generally when we see this behavior it usually means that the Client installation was botched for some reason or the Client could not contact a Management Point after installation. This was different because it was occurring for every SCCM Client in the organization.

Given the global nature of the issue, we obviously started to think that there was a problem with the Management Point. We eventually discovered that the MP_Policy.log file was full of this error:

“Detected at least one row in the result set from PolicyAssignment table which does not have a Signature, rejecting all rows.”

As the error says, there must be at least one policy in the dbo.policyassignment table that does not have a signature (denoted as the BodyHash in the SCCM database). To find the culprit we ran the following query against the SQL database:

SELECT * FROM ResPolicyMap WHERE machineid = 0 and PADBID IN (SELECT PADBID FROM PolicyAssignment WHERE BodyHash IS NULL)

This was the result:

Notice that the MachineID is 0, this indicates that the policy assignments in question were assigned to all clients.

To resolve this, we ran an additional query to clear out the bad entries in the ResPolicyMap table:

Delete FROM ResPolicyMap WHERE machineid = 0 and PADBID IN (SELECT PADBID FROM PolicyAssignment WHERE BodyHash IS NULL

After we completed this SCCM Clients started operating normally almost immediately. We did not even have to restart any services on the Management Point.