Hi AdvancedServices,
The only passphrase that can be synchronized with the AD password is the Bootguard passphrase.
After this, either you have SKM (server key mode) or any other key mode with a defined passphrase, but this is not synchronized with AD.
SKM is handled by the server and you should not be prompted for the passphrase because you won't know it.
For the other key modes (CKM, GKM, SCKM), possibly the first time you enrolled you typed the same password as the AD one, but that will not change automatically.
I guess that the Update Policy is trying to use/update your private key and is a client key mode, so you need to type it manually. For the passphrase recovery to work, the server needs to have the recovery block associated with the key. If that block is not there, it will not be possible to reset the passphrase; if it is there, you might be facing some bug in an older version. Perhaps it would be a good idea to contact Support.
Rgs,
dcats