PowerShell activities on SCCM CDS workflow "Deploy SCCM Application" intermittently fail with error "Authentication Failure with the local MID Server service credential"Issue PowerShell activities ("Is Device in Collection", "Add to Device Collection", etc) on SCCM CDS workflow "Deploy SCCM Application" intermittently fail with error "Authentication Failure with the local MID Server service credential". This happens after additional SMS Provider is installed in the environment. (The SMS Provider is a Windows Management Instrumentation (WMI) provider that assigns read and write access to the Configuration Manager database at a site) This issue also causes issues to SCCM Spoke flows, and the Actions may fail with Access is denied error. To check SMS Provider: As in below screenshot, there's only one SMS Provider. If there are two or more providers in your environment, then this KB applies. Cause The issue should be reproducible by running below powershell commands repeatedly on MID Server host, which will fail with authentication error intermittently: $cred = get-credential;$computer = "[SCCMServerFQDN]";$session = New-PSSession -ComputerName $computer -Credential $cred;Invoke-Command -Session $session -ScriptBlock {Import-Module -Name "$(split-path $Env:SMS_ADMIN_UI_PATH)\ConfigurationManager.psd1";}remove-pssession $session The issue is caused by the additional SMS provider added.When we are running remote powershell command, we use a defined credential object to connect to the SCCM server, then from the SCCM server it's trying to load module and authenticate the stored credential to another SMS server. This new SMS server is considered as a second node, and this is going into a second-hop situation, which is documented in below Microsoft Article:https://devblogs.microsoft.com/scripting/enable-powershell-second-hop-functionality-with-credssp/ResolutionIn order to make it work, please review below Microsoft Doc, which provides a few options to workaround the second hop situation: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7.1 To use the option: "PSSessionConfiguration using RunAs" On the SCCM server, run below powershell command to register new session configuration: Register-PSSessionConfiguration -Name sccm -RunAsCredential lab02\administrator -MaximumReceivedDataSizePerCommandMB 1000 -MaximumReceivedObjectSizeMB 1000 Note:> replace the username with the actual credential.> this configuration should remain effective after server/service restart Once above is done:Then on your ServiceNow instance, navigate to MID Server > Script Files > SCCM.psm1 > modify below linefrom:$session = New-PSSession -ComputerName $sccmServerName -ConfigurationName Microsoft.PowerShell32 -Credential $credential;to:$session = New-PSSession -ComputerName $sccmServerName -ConfigurationName sccm -Credential $credential; Also for another script file: Credentials.psm1 (the one with parent as PowerShell, you may also need to turn off Business Rule: "Prevent Duplicate,Spaces & Colon in name" temporarily)locate function testCredentialSCCM, and modify below linefrom:$session = CreatePSSessionWithComputerName -Host $computer -ConfigurationName Microsoft.PowerShell32 -Credential $cred;to:$session = New-PSSession -ComputerName $computer -ConfigurationName sccm -Credential $cred; Also modify script file: SCCMMain.psm1change below line:$session = New-PSSession -ComputerName $sccmServerName -ConfigurationName Microsoft.PowerShell32 -Credential $credential;to:$session = New-PSSession -ComputerName $sccmServerName -ConfigurationName sccm -Credential $credential; To use the option: "CredSSP" run Enable-WSManCredSSP command on MID server host, and Enable-WSMaCredSSP on target SCCM, in order to enable CredSSP.Please refer to the Microsoft article below which has very detailed solution and a flow chart which makes it easier to understand where and how to apply these commands: https://devblogs.microsoft.com/scripting/enable-powershell-second-hop-functionality-with-credssp/ Then on your ServiceNow instance, navigate to MID Server > Script Files > SCCM.psm1 > modify below linefrom:$session = New-PSSession -ComputerName $sccmServerName -ConfigurationName Microsoft.PowerShell32 -Credential $credential;to:$session = New-PSSession -ComputerName $sccmServerName -ConfigurationName Microsoft.PowerShell32 -Credential $credential -Authentication CredSSP; Also for another script file: Credentials.psm1 (the one with parent as PowerShell), locate function testCredentialSCCM, and modify below line from: $session = CreatePSSessionWithComputerName -Host $computer -ConfigurationName Microsoft.PowerShell32 -Credential $cred; to: $session = New-PSSession -ComputerName $computer -ConfigurationName Microsoft.PowerShell32 -Credential $cred -Authentication CredSSP; If SCCM Spoke (SCCM Flow Actions) is used, also modify script file: SCCMMain.psm1 change below line: $session = New-PSSession -ComputerName $sccmServerName -ConfigurationName Microsoft.PowerShell32 -Credential $credential; to: $session = New-PSSession -ComputerName $sccmServerName -ConfigurationName Microsoft.PowerShell32 -Credential $credential -Authentication CredSSP;