Lately I have seen a very common error, made by a lot of people, that causes their Native Mode upgrade to not work. The symptom they see is:

·         Clients not receiving policies after upgrade to Native Mode

Upon further investigation we find that all the components, especially the Management Point / Distribution Point, are working as expected, so it seemed rather confusing what the issue could be.

 

Mp_Policy.log

Detected at least one Policy Assignment row in the result set which is pending signing, rejecting all rows. MP_PolicyManager 1/1/2009 10:59:10 AM 5120 (0x1400)

Detected at least one Policy Assignment row in the result set which is pending signing, rejecting all rows. MP_PolicyManager 1/1/2009 11:00:34 AM 5120 (0x1400)

 

Policypv.log

Found the certificate that matches the SHA1 hash. SMS_POLICY_PROVIDER 1/1/2009 10:58:21 AM 5616 (0x15F0)

Failed in CryptAcquireCertificatePrivateKey(...): 0x8009200b. SMS_POLICY_PROVIDER 1/1/2009 10:59:11 AM 5616 (0x15F0)

Failed in CryptAcquireCertificatePrivateKey(...): 0x8009200b. SMS_POLICY_PROVIDER 1/1/2009 10:59:11 AM 5616 (0x15F0)

 

To validate further, we identified one client and found its GUID in the database:

select * from system_data

 

Then we tried to see what policies it might be receiving

exec mp_getmachinepolicyassignments 'GUID:xxx.xxx.xxx.xxx', NULL, '0'

exec mp_getmachinepolicyassignments 'GUID:xxx.xxx.xxx.xxx', NULL, '1'

'GUID:xxx.xxx.xxx.xxx' is the GUID of the client. SecurityMode is 0 or 1 (Mixed / Native).

 

We could clearly see that for some of the policies the column value was inprocess='1'.

 

Resolution/Possibilities:

 

·         The certificate template does not allow the private key to be exported

·         The certificate is placed under the user’s personal store and not the computer’s

·         If you are running the Windows Server 2008 Certificate Server, it might place the certificate in the user’s personal store
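
One way to check the store placement and private key on the site server, as an added example that is not part of the original post. The thumbprint value is a placeholder for the SHA1 hash of your site server signing certificate, and the user store inspected is that of the account running the script.

```powershell
# Added example, not from the original post.
# $Thumbprint is a placeholder: supply the SHA1 hash of the site server
# signing certificate (the one policypv.log reports as matched).
param(
    [string]$Thumbprint = '<SITE-SERVER-SIGNING-CERT-THUMBPRINT>'
)

# Strip spaces and invisible characters that come along when the
# thumbprint is copied from the certificate dialog.
$wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Computer Personal store first, then the Personal store of the current user.
$stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'

$found = @(foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Thumbprint -eq $wanted } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, NotAfter, HasPrivateKey
})

$found | Format-Table -AutoSize

$machine = @($found | Where-Object { $_.Store -eq 'Cert:\LocalMachine\My' })

if ($found.Count -eq 0) {
    Write-Warning 'Certificate not found in either Personal store.'
}
elseif ($machine.Count -eq 0) {
    # Matches the second and third possibilities listed above.
    Write-Warning 'Certificate is only in the user Personal store, not the computer store.'
}
elseif (@($machine | Where-Object { $_.HasPrivateKey }).Count -eq 0) {
    # 0x8009200b is CRYPT_E_NO_KEY_PROPERTY: no private key is linked to the certificate.
    Write-Warning 'Certificate is in the computer store but has no associated private key.'
}
else {
    Write-Output 'Certificate is in the computer Personal store with a private key.'
}
```

HasPrivateKey only shows that a key is associated with the certificate; it does not prove that the account the site components run under can read that key.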

 

Jeevan Bisht | Support Escalation Engineer

 

Note: All material presented here is only for reference. As such, Microsoft makes no warranties or guarantees regarding the applicability of this article, nor does Microsoft support the use of this in any way. This is just one of those 'use at your own risk' type of things that hopefully you'll find helpful.