Client Fails to Successfully Remediate with Network Access Protection

Client Fails to Successfully Remedi...

Collapse All

Applies To: System Center Configuration Manager 2007

This section provides troubleshooting information to help you identify and resolve why clients fail to successfully remediate with Network Access Protection (NAP) in Configuration Manager 2007.

The Windows Network Access Protection Agent Service Was Not Started

The Windows Network Access Protection Agent Service must be started before the Configuration Manager client receives the client policy to enable the Network Access Protection client agent. This allows the Configuration Manager Network Access Protection client agent to bind to the Windows Network Access Protection agent.

If the Windows Network Access Protection Agent Service is started after the Network Access Protection client agent is enabled on the Configuration Manager client (or remains not started), the client's statement of health fails to be validated on the Configuration Manager System Health Validator point. In this scenario, if failure categories on the System Health Validator map to a non-compliant health state, clients might have limited network access without being able to remediate.

To identify this scenario, look for the following entries in the client log file, SMSSHA.LOG:

Warning - "CORE: SHA Registered successfully with the NAP Agent, but could not successfully bind"

Error - "CORE: NAP Agent Service might not be running"

Solution

If computers are on the restricted network as a result of this scenario, follow these steps so that the client can move from the restricted network to the unlimited network:

Ensure that the Windows Network Access Protection Agent Service is started and configured to automatically start on the computer. Manually change the service setting if necessary.
Restart the computer. This causes the Configuration Manager client to download its client policy, and the Network Access Protection client agent will automatically bind to the Windows Network Access Protection agent.

If computers are not on the restricted network as a result of this scenario, but the Windows Network Access Protection Agent Service was started after you enabled the Configuration Manager Network Access Protection client agent, follow these steps:

Ensure that the Windows Network Access Protection Agent Service is started and configured to automatically start on all NAP-capable computers running the Configuration Manager client. If necessary, configure Group Policy to start this service and confirm that computers have been configured with the setting.
Either restart Configuration Manager client computers or disable the Network Access Protection client agent for one policy cycle (by default, every 60 minutes) and then re-enable the Network Access Protection client agent.

An Operating System Deployment Installs the Configuration Manager Client before Configuring Network Access Protection in Windows

When you deploy an operating system in a Network Access Protection environment using the operating system deployment feature in Configuration Manager, and you use custom task sequence steps to enable the enforcement clients and start the Network Access Protection in Windows, failing to add a restart step to the task sequence can result in the computer being non-compliant and being unable to successfully remediate.

Solution

Manually restart the computer.

To correct the operating system deployment configuration, see Planning for Operating System Deployment in a NAP-Enabled Environment.

Software Updates Have Not Yet Replicated to Local Distribution Point

In this scenario, a client undergoing remediation can time-out when attempting to retrieve software updates from a remote distribution point.

Solution

Wait until replication is complete.

Avoid this situation by configuring an effective date that is after the software update packages have replicated to all distribution points. To modify the effective date of existing Configuration Manager NAP policies, see How to Set the Effective Date and Time to Begin NAP Evaluation for Network Access Protection.

Software Updates Are on a Protected Distribution Point

This configuration can result in clients being unable to access software updates if their network location is not identified as being within the boundaries configured for the protected distribution point.

Solution

Reconfigure the protected distribution point, or add the software update package to an unprotected distribution point.

Software Updates Are on a Branch Distribution Point

A client can time-out trying to retrieve required software updates if attempting to download them from a branch distribution point and the software update package is configured for the option Make this package available on protected distribution points only when requested by clients inside the protected boundaries.

Solution

If the user waits, the content will eventually download and remediation will be automatically retried.

Avoid this situation by configuring software update packages that reference software updates selected for Network Access Protection so that they are not configured for the option Make this package available on protected distribution points only when requested by clients inside the protected boundaries.

Client Cannot Connect to Remediation Servers

Clients using Network Access Protection in Configuration Manager are dependent on being able to communicate with remediation servers. For more information, see About Network Access Protection Remediation.

Solution

To ensure that clients can communicate with the servers they need, verify the following:

Ensure that the client's default management point is operational.
If you are using DHCP or VPN NAP enforcement, ensure that any infrastructure servers, such as DNS servers and domain controllers, are specified in a Remediation Server Group and included in the network policy on the Network Policy Server:
- Configuring Remediation Server Groups for Configuration Manager Network Access Protection
- Configuring Network Policies for Configuration Manager Network Access Protection
If you are using IPsec Network Access Protection enforcement, ensure that all remediation servers (including Configuration Manager management points, software update points, and distribution points) are configured as boundary servers.

The Network Access Protection Client Agent Was Disabled After the Client Went into Remediation

In this scenario, the client can present a non-compliant health state, but remediation is no longer possible.

Solution

Restart the computer to initiate download of the machine policy. This will result in disabling the Network Access Protection client agent and a compliant status.

The Network Access Protection Client Agent Is Re-Enabled

If you re-enable the Network Access Protection agent, this re-enables previously configured Configuration Manager NAP policies. If these policies contain software updates that are no longer hosted on distribution points, remediation is not possible because the content is no longer available.

Solution

To resolve this situation, complete one of the following steps:

Delete the old Configuration Manager NAP policies, and then restart the computer. For procedural information, see How to Delete a Configuration Manager NAP Policy to Stop NAP Evaluation in Network Access Protection.
Create a new software updates package with the missing software updates in the Configuration Manager NAP policies. When the content is available, a user who is a local administrator should then click Try Again. If the user has low rights, the user can then restart the computer. For more information about creating software update packages, see How to Create a Deployment Package.

Computer Does Not Have the Configuration Manager Client Installed

In this scenario, the health state of the client cannot be checked by the Configuration Manager System Health Validator. By default, this maps to an error condition that deems it non-compliant. Remediation in Configuration Manager does not include automatically installing the Configuration Manager client, so this client will never be automatically remediated.

Solution

If the computer should install the Configuration Manager client, provide a means by which users can manually install the Configuration Manager client when on the restricted network. For more information, see Configuring the Remediation User Experience for Configuration Manager Network Access Protection.

If the computer should not have the Configuration Manager client installed, configure a network policy on the Network Policy Server such that this computer does not have its health state checked by the Configuration Manager System Health Validator. For more information, see Determine Your Policy Strategy for Network Access Protection and Configuring Exemption Policies for Configuration Manager Network Access Protection.

Unknown Causes

If none of the conditions above apply to the remediation failure, view the Configuration Manager Network Access Protection report List of remediation failures for specified time period to help identify the error. For more information, see How to Run Network Access Protection Reports.

Concepts

Troubleshooting Network Access Protection

Other Resources

Overview of Network Access Protection

Did you find this information useful? Please click the following link to send your suggestions and comments about the documentation to the Configuration Manager Doc Feedback alias: SMSdocs@microsoft.com.