Policy Assignment pending signing errors since switching to Native mode
We are testing a native mode switch in our test site and since then, none of our clients are receiving updated policies, even the client on the site server / MP itself. All certificates look normal and all of the logs check out fine, except for the MP_Policy.log. There, we are seeing this error: "Detected at least one Policy Assignment row in the result set which is pending signing, rejecting all rows." I'm guessing that the policy is never getting signed and thus never updating. Are there any specific settings or logs that I can examine that may point to why this is happening? There are no hash errors in the other policy logs, locationservices looks normal, etc.
September 16th, 2010 5:33pm

Did you follow the verification steps in "How to Verify Native Mode Migration Is Complete" (http://technet.microsoft.com/en-us/library/bb694287.aspx)? Also check mpcontrol.log - plenty of threads in this forum for good/bad log entries for this file.
September 16th, 2010 8:38pm

That's exactly what is puzzling -- the mpcontrol.log is happy and all of the verification checks come out fine. This error in the mp_policy.log is the only consistent error I can trace that may be related. It seems like the clients have no problem checking for policy updates, there just aren't any changes for them to pick up even after we make them. For example, we enable software update component, but it remains disabled on the clients, even the client on the site server itself. I thought it might have been related to the site signing cert not having the private key exportable, so we updated the template and requested a replacement cert with an exportable key, but that didn't help.
September 16th, 2010 11:46pm

No, this certificate doesn't need the private key to be exportable. So you see the status message 5116 that confirms the policies are signed? That doesn't seem to match with the error message about "...pending signing", unless it's the management point that isn't signing the policies (the policies get signed twice - once by the site server and again by the management point). Since it's a test site, can you try uninstalling and reinstalling the management point & maybe try the Management Point Troubleshooter (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5A47B972-95D2-46B1-AB14-5D0CBCE54EB8)?
September 17th, 2010 6:32am

We are getting 5116 success messages, and the MP troubleshooter is all green. I did an uninstall / reinstall of the MP, but nothing has changed. I may try to stand up another server as a new MP to see if that makes a difference. I've also turned on debug logging and policy request logging, but no other errors are showing up. Are there any other places to trace how and why an MP may not sign a policy?
September 17th, 2010 11:44pm

"Are there any other places to trace how and why an MP may not sign a policy?"
Not that I'm aware of. At this point I think we need more general help with management point troubleshooting since the native mode side seems to be checking out. Would you like me to move this thread over to the Setup forum where more eyes can see this & get the benefit of their experience and expertise?
September 18th, 2010 2:42am

That would be fine, thanks!
September 20th, 2010 4:58pm

I'm seeing this same issue. Anything new?
October 20th, 2010 9:46pm

This topic is archived. No further replies will be accepted.
