Most sites I’ve seen and heard of are using Native Mode. If you ask many administrators what that means, you get some pretty interesting responses. Basically, Native Mode means that the communications channel is encrypted via SSL between the Client device and the Management Point (MP), and other site system servers, except for communicating with Server Locator Point (SLP), and Fallback Status Point (FSP) servers.

Because Native Mode involves SSL encryption, it also requires PKI and certificates. Because PKI in a Windows environment relies heavily on DNS, and pretty much everything in AD relies on DNS, well, that means DNS and WINS need to be configured and working properly as well.

Configuration Manager in Native Mode

Configuration Manager in Native Mode


  1. Client applet (General tab) does not show “Site Mode” as “Native Mode”
  2. Client fails to communicate with Management Point
  3. Client is not Approved (when Automatic approval has been enabled)
  4. Client fails to report inventory

Potential causes

  1. Corrupted, missing or expired client certificate
  2. PKI environment issues
  3. Missing or Unavailable CRL in perimeter network (Internet clients)
  4. Client device does not meet minimum requirements for Native mode
  5. DNS or WINS name resolution issues
  6. Firewall settings (on routers, servers, and clients)
  7. Network Connectivity issues
  8. Trying to use NLB Management Points with AD publishing


  1. Check the Windows System Event Log
  2. Verify Network Connectivity
  3. Verify Name Resolution (DNS, WINS)
  4. If using Windows Server 2008, do not use Version 3 PKI certificate templates
  5. Verify client certificate is installed and valid
  6. Verify PKI environment is working properly
  7. Run the SCCMNativeModeReadiness.exe utility from the CCM folder (right-click and select "Run as Administrator". Append " /?" to view available options as well)
  8. Verify local services are running properly
  9. Verify firewall settings (client, routers, switches, servers)

If the client computer issues are related to domain account issues, such as losing trust or delegation rights, or password synchronization failures, you may also see Windows Event log entries indicating failures to locate or communicate with a domain controller, or failures downloading or applying Group Policy. I don’t mean individual GPO settings or GPO’s, but errors indicating Group Policy is unable to update at all.

"Potential Causes" items 1 through 4 are the most common I’ve seen, but that's only in the context of the environments I've dealt with, so that's anecdotal. Checking on the status of the certificate never hurts, and since Native Mode depends so heavily on PKI it makes sense to rule that out first.

DNS and WINS name resolution issues can be easy to overlook, so be sure to verify that the clients can resolve the Name of each DNS server relevant to the client's connection and authentication scheme. If WINS is used (more often than expected actually), make sure you verify name resolution to the WINS server as well.

When everything else appears fine I ask the user (or field technician) to verify there is “activity” on the network port of the device and they reply “I don’t see any lights blinking”, I usually suggest checking the cable or swapping it out, or trying a different jack or verifying wireless connectivity (if applicable).

Helpful links


Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account