Policy modules should not provide a user interface because this will tie up the client thread (CertReq would seem to be deadlocked, for example). Also, by providing a user interface, the policy module must be able to interact with the Microsoft® Windows® desktop and run under the system account. This is only possible if Certificate Server is running as a stand-alone application in the diagnostics mode using the -z option. PolicyVB.dll does provide a user interface but is intended for demonstration purposes only.