This post is about Event ID 20069, “The specified certificate could not be loaded because the KeySpec must be AT_KEYEXCHANGE”, which I ran into recently and which cost me quite a lot of time to track down.

Most of the troubleshooting articles you will find (and there are not many) point to the wrong type of certificate being used and walk you through regenerating it with particular key settings. However, with the Microsoft Monitoring Agent the “AT_KEYEXCHANGE” error can have a completely different cause, as it did in my case: I had exactly the same type of certificate working on other servers, but not on one specific server.

Check the permissions on the MachineKeys folder (All Users Profile\Application Data\Microsoft\Crypto\RSA\MachineKeys; on Windows Vista / Server 2008 and later that resolves to %ProgramData%\Microsoft\Crypto\RSA\MachineKeys). The MachineKeys folder stores the private key containers for certificates of both the computer and users. Permissions that differ from the defaults prevent some services from binding a certificate to its private key. The certificates console in mmc.exe will still show the certificate as fine and with a private key, but if you try to export it with the private key, or run certutil -v -store my against it, you will see that the private key is not actually accessible.

The default permissions on the MachineKeys folder are described in Microsoft KB 278381 (“Default permissions for the MachineKeys folders”) and have to be set to

  • Administrators (Full Control) This folder only
  • Everyone (Special: List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Read Permissions) This folder only

Check whether the permissions match these defaults; if not, set them as above and restart the Microsoft Monitoring Agent service (service name HealthService). That should fix the problem. Note that “This folder only” means the key files inside MachineKeys do not inherit the folder ACL: each key file carries its own permissions, so if the folder is already correct, check the ACL on the key file belonging to the affected certificate as well.
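The check-and-reset procedure above as a PowerShell script, added here as an example and not part of the original post. It assumes Windows Vista / Server 2008 or later (folder at %ProgramData%\Microsoft\Crypto\RSA\MachineKeys), takes the default ACL from Microsoft KB 278381, identifies the Microsoft Monitoring Agent service by its service name HealthService, and must be run from an elevated prompt. The -Thumbprint parameter and the function names are mine.

```powershell
# Added example (not from the original post). Compares the MachineKeys folder ACL with the
# KB 278381 defaults, tests whether a certificate's private key can actually be opened (the
# MMC console only shows that a key is *linked*), and with -Fix restores the default ACL and
# restarts the Microsoft Monitoring Agent service. Assumes Windows Vista/2008+ and an
# elevated prompt. Parameter and function names are the example's own.
param(
    [string]$Thumbprint,   # thumbprint of the certificate the agent is configured to use (optional)
    [switch]$Fix           # rewrite the folder ACL and restart HealthService
)

$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$fsr = [System.Security.AccessControl.FileSystemRights]

# Default DACL per KB 278381: Administrators = Full Control, Everyone = the eight "special"
# rights below. Both entries are "This folder only", i.e. nothing is inherited by the key files.
$everyoneRights = $fsr::ReadData -bor $fsr::ReadAttributes -bor $fsr::ReadExtendedAttributes -bor
                  $fsr::WriteData -bor $fsr::AppendData -bor $fsr::WriteAttributes -bor
                  $fsr::WriteExtendedAttributes -bor $fsr::ReadPermissions
$expected = @{
    'BUILTIN\Administrators' = $fsr::FullControl
    'Everyone'               = $everyoneRights
}
# Windows silently adds Synchronize to Allow ACEs it writes, so mask it out before comparing.
$mask = -bnot [int]$fsr::Synchronize

function Test-MachineKeysAcl {
    $acl = Get-Acl -Path $machineKeys
    $ok  = $true
    foreach ($ace in $acl.Access) {
        $id     = $ace.IdentityReference.Value
        $rights = ([int]$ace.FileSystemRights) -band $mask
        $want   = if ($expected.ContainsKey($id)) { ([int]$expected[$id]) -band $mask } else { $null }
        $thisFolderOnly = ($ace.InheritanceFlags -eq 'None')
        if (($want -ne $null) -and ($rights -eq $want) -and $thisFolderOnly -and ($ace.AccessControlType -eq 'Allow')) {
            Write-Host "OK       $id : $($ace.FileSystemRights)"
        } else {
            Write-Host "MISMATCH $id : $($ace.AccessControlType) $($ace.FileSystemRights) (inherit=$($ace.InheritanceFlags))"
            $ok = $false
        }
    }
    foreach ($id in $expected.Keys) {
        if (-not ($acl.Access.IdentityReference.Value -contains $id)) { Write-Host "MISSING  $id"; $ok = $false }
    }
    return $ok
}

function Test-PrivateKeyUsable {
    param([string]$Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { Write-Host "Certificate $Thumbprint not found in LocalMachine\My"; return $false }
    try {
        # HasPrivateKey only says a key container is linked; actually opening the key is what
        # fails when the MachineKeys ACL is broken (equivalent to what certutil -v -store my shows).
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $key) { Write-Host "No RSA private key linked to $Thumbprint"; return $false }
        Write-Host "Private key opened OK (HasPrivateKey=$($cert.HasPrivateKey))"
        return $true
    } catch {
        Write-Host "HasPrivateKey=$($cert.HasPrivateKey) but the key cannot be opened: $($_.Exception.Message)"
        return $false
    }
}

function Reset-MachineKeysAcl {
    # Fresh security descriptor: explicit ACEs only, inheritance from %ProgramData% switched off.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in $expected.Keys) {
        # InheritanceFlags/PropagationFlags = None is the GUI's "This folder only".
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, $expected[$id], 'None', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $machineKeys -AclObject $acl
    Write-Host "Default ACL restored on $machineKeys; restarting HealthService"
    Restart-Service -Name HealthService   # service name of the Microsoft Monitoring Agent
}

$aclOk = Test-MachineKeysAcl
if ($Thumbprint) { $null = Test-PrivateKeyUsable -Thumbprint $Thumbprint }
if ($Fix) {
    Reset-MachineKeysAcl
} elseif (-not $aclOk) {
    Write-Host "Re-run with -Fix to restore the KB 278381 defaults and restart HealthService."
}
```

Run it once without -Fix to see which ACE differs from the defaults and whether the key is actually openable, then with -Fix to apply the change. The script only rewrites the folder ACL; the key files inside MachineKeys keep their own explicit permissions, so re-run the private key check afterwards and inspect the individual key file if it still fails.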