Computers Have Full Network Access When They Should Not Using Network Access Protection

Computers Have Full Network Access ...

Collapse All

Applies To: System Center Configuration Manager 2007

This section provides troubleshooting information to help you identify and resolve why computers have full network access when they should not using Network Access Protection in Configuration Manager 2007.

Clients do not Support Network Access Protection (NAP)

Configuration Manager clients must be able to support Network Access Protection (NAP). For more information, see About the NAP Client Status in Network Access Protection.

Solution

If possible, upgrade clients to support Network Access Protection. For more information, see How to Prepare the Site for Network Access Protection Clients.

If the site contains some clients that cannot support Network Access Protection, reconfigure network policies on the Network Policy Server so that NAP-ineligible clients have limited network access (although they cannot be remediated). For more information, see Determine Your Policy Strategy for Network Access Protection.

Microsoft Windows NAP Service is not Started, or a Local Configuration Manager Policy Disables the Site Setting to Enable the Network Access Protection Client Agent

Both of these conditions could explain why non-compliant computers have full network access.

Solution

The Windows NAP service is not started by default. Start it and configure it for automatic startup.

If a local policy is preventing the Network Access Protection client agent from being enabled on the client, remove or reconfigure the local Configuration Manager policy.

The Network Policy Server Has Been Configured so that Non-Compliant Computers Have Full Network Access for a Limited Time

This is legitimate policy configuration that results in non-compliant computers having full network access for a limited time. During this time, computers will undergo automatic remediation and, if successful, will then present a compliant status, which gives them full network access.

Solution

If non-compliant computers should never have access to the full network, reconfigure the network policy so that Full network access for a limited time is not selected. For more information, see Configuring Network Policies for Configuration Manager Network Access Protection.

Clients Have Not Downloaded their Machine Policy to Enable the Network Access Protection Client Agent

If you have recently enabled the Network Access Protection client agent, clients will have full network access until they download their machine policy according to schedule (by default, every 60 minutes). You can view or change the interval with the option Policy polling interval in the Computer Client Agent Properties: General Tab.

Solution

Either wait until clients have downloaded their client policy according to schedule, or initiate retrieval of the policy from the client, either manually or with a script.

To initiate retrieval of the client policy, see How to Initiate Policy Retrieval for a Configuration Manager Client.

It Is Before the Effective Date in the Configuration Manager NAP Policy

Configuration Manager clients will not be restricted if they do not have the selected software updates before the date configured in the Configuration Manager NAP policy. For more information, see About the NAP Effective Date in Network Access Protection.

Solution

If non-compliant computers must not have full network access before the effective date, reconfigure the effective date. For more information, see How to Set the Effective Date and Time to Begin NAP Evaluation for Network Access Protection.

Clients Have Not Downloaded the Latest Configuration Manager NAP Policies

If you have recently configured or added Configuration Manager NAP policies, clients will not immediate evaluate them.

Solution

Wait until clients download their policy (which includes the Configuration Manager NAP policies), according to schedule (by default, every 60 minutes).

To expedite the process for selected clients, initiate an ad-hoc retrieval of the policy from a client, see How to Initiate Policy Retrieval for a Configuration Manager Client.

To expedite the process for all clients, stop and restart the service SMS_SYSTEM_HEALTH_VALIDATOR on the Network Policy Server computer. This will force clients that send their statement of health to the Network Policy Server to download the latest Configuration Manager NAP policies and re-evaluate their compliance. However, if policies on the Network Policy Server are configured to restrict non-compliant computers, computers will have restricted network access while they perform this operation.

For an ongoing solution, consider specifying a shorter query interval on the System Health Validator point. For more information, see How to Configure the System Health Validator Active Directory Domain Services Query Interval.

Also, check the Active Directory replication delay from the site server writing the Configuration Manager 2007 health state reference and replicating it to the global catalog server used by the System Health Validator point.

An Error Condition Has Occurred

By default, the Configuration Manager System Health Validator on the Network Policy Server is configured to map all errors to a non-compliant state. Clients are then given network access according to a non-compliant status. However, these errors can be configured to compliant, which could result in a client that doesn't have the required software updates having full network access because it encountered an error.

Solution

Reconfigure the Configuration Manager System Health Validator error condition from compliant to non-compliant. For more information, see Configuring Failure Categories for Configuration Manager Network Access Protection.

The System Health Validator Point Is Not Installed or Not Operational

The Configuration Manager System Health Validator point must be installed and operational for non-compliant clients to be restricted.

Solution

Install the System Health Validator point. For procedural information, see How to Install the System Health Validator Point.

If the System Health Validator point is installed, but not operational, identify and correct the operational problem using the following steps:

Check the status messages that relate to the System Health Validator point.
Verify each Network Access Protection component: How to Verify Network Access Protection Components
Refer to the Network Access Protection log files for errors: Log Files for Network Access Protection

The Network Policy Server Does Not Have Policies Configured For Configuration Manager

The Network Policy Server must have policies that include the Configuration Manager System Health Validator. For more information, see About Enforcing Compliance with Network Access Protection.

Solution

Create or modify policies on the Network Policy Server. For more information, see Configuring the Network Policy Server for Configuration Manager.

The Network Policy Server Has Policies Configured that do not Select the Check Box Enable Auto-Remediation Of Client Computers

Configuration Manager will always remediate if Network Access Protection is enforced. For more information, see Determine Your Policy Strategy for Network Access Protection.

Solution

None. It is not possible to restrict Network Access Protection clients in Configuration Manager 2007 without automatic remediation.

Policies Are Misconfigured

Policies on the Network Policy Server that are configured to give non-compliant computers full network access for a limited time, or are not configured for NAP enforcement, or there is an incorrect ordering of network policies, or some other misconfiguration can all result in computers having full network access when they should not.

The network access granted to compliant or non-compliant computers is dependent on how the policies are configured on the Network Policy Server. For more information, see Determine Your Policy Strategy for Network Access Protection.

Solution

If the policies are misconfigured such that non-compliant computers should not have full network access, reconfigure them. For more information, see Configuring Network Policies for Configuration Manager Network Access Protection.

Clients Are Using a Cached Statement of Health

Clients can present a cached statement of health that might be out of date. For more information about how a statement of health is used with Network Access Protection, see About the Statement of Health (SoH) in Network Access Protection.

To see under which conditions clients will use a cached statement of health, see NAP Evaluation Conditions for Configuration Manager Clients.

Solution

To modify the setting so that clients never use a cached statements of health, see How to Configure NAP Evaluation Settings.

To reconfigure the validity period for a cached statement of health, see How to Specify the Validity Period for the Statement of Health.

For an ad-hoc solution that does not affect other clients, restart the client computer.

Client Is Assigned To a Child Site and the NAP Policy Has Not Yet Replicated Down the Hierarchy

Configuration Manager NAP policies are designed to replicate down the hierarchy, and this can result in a delay between creating or modifying a Configuration Manager NAP policy, and taking effect on a client in a child site.

Solution

Wait for site replication to complete.

Concepts

Troubleshooting Network Access Protection

Other Resources

Overview of Network Access Protection

Did you find this information useful? Please click the following link to send your suggestions and comments about the documentation to the Configuration Manager Doc Feedback alias: SMSdocs@microsoft.com.