This section provides troubleshooting information to help you identify and resolve why computers have full network access when they should not, when you use Network Access Protection in Configuration Manager 2007.
Clients do not Support Network Access Protection (NAP)
Configuration Manager clients must be able to support Network Access Protection (NAP). For more information, see About the NAP Client Status in Network Access Protection.
Solution
Microsoft Windows NAP Service is not Started, or a Local Configuration Manager Policy Disables the Site Setting to Enable the Network Access Protection Client Agent
Both of these conditions could explain why non-compliant computers have full network access.
Solution
The Windows NAP service is not started by default. Start it and configure it for automatic startup.
If a local policy is preventing the Network Access Protection client agent from being enabled on the client, remove or reconfigure the local Configuration Manager policy.
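The following PowerShell script is an added example, not part of the original documentation, that checks the two client-side conditions described above on a Windows client running the Configuration Manager 2007 client. It assumes it is run elevated on the client itself; the Windows NAP agent service name `napagent` and the `root\ccm` WMI namespace are standard, but whether your client is actually subject to a local Configuration Manager policy override must still be checked in the site console as described above.

```powershell
# Added example (not from the original documentation). Run elevated on the client.

# 1. The Windows NAP agent service is stopped and not automatic by default.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='napagent'"
if ($svc -eq $null) {
    throw "The NAP agent service (napagent) is not present; this operating system does not support NAP."
}
if ($svc.StartMode -ne 'Auto') {
    Write-Host "napagent start mode is '$($svc.StartMode)'; setting it to Automatic"
    Set-Service -Name napagent -StartupType Automatic
}
if ($svc.State -ne 'Running') {
    Write-Host "napagent is '$($svc.State)'; starting it"
    Start-Service -Name napagent
}

# 2. Show the NAP client state: whether the agent is running and which
#    enforcement clients (DHCP, IPsec, 802.1X, VPN, ...) are enabled.
#    Clients with no enforcement client enabled are never restricted.
netsh nap client show state

# 3. Confirm the Configuration Manager client is installed and report its version.
#    If this query fails, the client cannot evaluate Configuration Manager NAP policy at all.
$ccm = Get-WmiObject -Namespace 'root\ccm' -Class SMS_Client -ErrorAction Stop
Write-Host ("Configuration Manager client version: {0}" -f $ccm.ClientVersion)
```

If step 2 shows the agent running but the expected enforcement client disabled, the fix is on the NAP client configuration (local or Group Policy), not in Configuration Manager; if step 3 succeeds but the Network Access Protection client agent is still not enabled after a policy refresh, look for a local Configuration Manager policy that overrides the site setting, as described above.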
The Network Policy Server Has Been Configured so that Non-Compliant Computers Have Full Network Access for a Limited Time
This is a legitimate policy configuration that results in non-compliant computers having full network access for a limited time. During this time, computers undergo automatic remediation and, if it succeeds, they present a compliant status, which gives them full network access.
Solution
Clients Have Not Downloaded their Machine Policy to Enable the Network Access Protection Client Agent
If you have recently enabled the Network Access Protection client agent, clients will have full network access until they download their machine policy according to schedule (by default, every 60 minutes). You can view or change the interval with the option Policy polling interval in the Computer Client Agent Properties: General Tab.
Solution
It Is Before the Effective Date in the Configuration Manager NAP Policy
Configuration Manager clients that do not have the selected software updates will not be restricted until the effective date configured in the Configuration Manager NAP policy has passed. For more information, see About the NAP Effective Date in Network Access Protection.
Solution
Clients Have Not Downloaded the Latest Configuration Manager NAP Policies
If you have recently configured or added Configuration Manager NAP policies, clients will not immediately evaluate them.
Solution
Wait until clients download their policy (which includes the Configuration Manager NAP policies), according to schedule (by default, every 60 minutes).
To expedite the process for selected clients, initiate an ad-hoc retrieval of the policy from a client, see How to Initiate Policy Retrieval for a Configuration Manager Client.
To expedite the process for all clients, stop and restart the service SMS_SYSTEM_HEALTH_VALIDATOR on the Network Policy Server computer. This forces clients that send their statement of health to the Network Policy Server to download the latest Configuration Manager NAP policies and re-evaluate their compliance. However, if the policies on the Network Policy Server are configured to restrict non-compliant computers, those computers will have restricted network access while they perform this operation, so plan the restart for a maintenance window.
For an ongoing solution, consider specifying a shorter query interval on the System Health Validator point. For more information, see How to Configure the System Health Validator Active Directory Domain Services Query Interval.
Also, check the Active Directory replication delay from the site server writing the Configuration Manager 2007 health state reference and replicating it to the global catalog server used by the System Health Validator point.
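The following PowerShell script is an added example, not part of the original documentation, that carries out the three expediting steps above from an administrative workstation: it triggers the machine policy retrieval and evaluation cycle on selected clients, restarts the System Health Validator service on the Network Policy Server, and summarizes Active Directory replication status. It assumes WMI (DCOM) access to the listed computers and that `repadmin.exe` is available; the computer names are placeholders. The schedule ID `{00000000-0000-0000-0000-000000000021}` is the standard Configuration Manager client schedule for machine policy retrieval and evaluation, and the service name comes from the text above.

```powershell
# Added example (not from the original documentation). Names below are placeholders.
$clients   = 'CLIENT01', 'CLIENT02'   # clients to refresh ad hoc
$npsServer = 'NPS01'                   # Network Policy Server hosting the SHV

# Configuration Manager client schedule: Machine Policy Retrieval & Evaluation Cycle.
$machinePolicySchedule = '{00000000-0000-0000-0000-000000000021}'

# 1. Selected clients: request machine policy now instead of waiting for the
#    polling interval (60 minutes by default).
foreach ($c in $clients) {
    try {
        Invoke-WmiMethod -ComputerName $c -Namespace 'root\ccm' -Class SMS_Client `
            -Name TriggerSchedule -ArgumentList $machinePolicySchedule | Out-Null
        Write-Host "$c : machine policy retrieval triggered"
    }
    catch {
        Write-Warning "$c : could not trigger policy retrieval ($_)"
    }
}

# 2. All clients: restart the System Health Validator service on the NPS so that
#    every client sending a statement of health re-downloads the NAP policies.
#    Caveat: if NPS policies restrict non-compliant computers, they are restricted
#    while they re-evaluate, so do this in a maintenance window.
$shv = Get-WmiObject -ComputerName $npsServer -Class Win32_Service `
        -Filter "Name='SMS_SYSTEM_HEALTH_VALIDATOR'"
if ($shv -eq $null) {
    throw "$npsServer : SMS_SYSTEM_HEALTH_VALIDATOR service not found; is the SHV point installed?"
}
if ($shv.State -eq 'Running') {
    $shv.StopService() | Out-Null
    # Wait for the service to report Stopped before starting it again.
    do {
        Start-Sleep -Seconds 2
        $shv = Get-WmiObject -ComputerName $npsServer -Class Win32_Service `
                -Filter "Name='SMS_SYSTEM_HEALTH_VALIDATOR'"
    } while ($shv.State -ne 'Stopped')
}
$shv.StartService() | Out-Null
Write-Host "$npsServer : SMS_SYSTEM_HEALTH_VALIDATOR restarted"

# 3. Replication check: the health state reference written by the site server must
#    reach the global catalog the SHV point queries. Surface failures and lag.
repadmin /replsummary
```

If step 1 succeeds but clients still present an out-of-date compliance result, confirm the site server has written the health state reference to Active Directory and that the global catalog used by the System Health Validator point has received it (step 3); a shorter System Health Validator query interval, as described above, reduces this lag going forward.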
An Error Condition Has Occurred
By default, the Configuration Manager System Health Validator on the Network Policy Server is configured to map all errors to a non-compliant state, and clients are then given network access according to a non-compliant status. However, these errors can be configured to map to a compliant state instead, which could result in a client that lacks the required software updates having full network access simply because it encountered an error.
Solution
The System Health Validator Point Is Not Installed or Not Operational
The Configuration Manager System Health Validator point must be installed and operational for non-compliant clients to be restricted.
Solution
Install the System Health Validator point. For procedural information, see How to Install the System Health Validator Point.
If the System Health Validator point is installed, but not operational, identify and correct the operational problem using the following steps:
The Network Policy Server Does Not Have Policies Configured For Configuration Manager
The Network Policy Server must have policies that include the Configuration Manager System Health Validator. For more information, see About Enforcing Compliance with Network Access Protection.
Solution
The Network Policy Server Has Policies Configured that do not Select the Check Box Enable Auto-Remediation Of Client Computers
Configuration Manager will always remediate if Network Access Protection is enforced. For more information, see Determine Your Policy Strategy for Network Access Protection.
Solution
None. It is not possible to restrict Network Access Protection clients in Configuration Manager 2007 without automatic remediation.
Policies Are Misconfigured
Several misconfigurations on the Network Policy Server can result in computers having full network access when they should not: policies that give non-compliant computers full network access for a limited time, policies that are not configured for NAP enforcement, an incorrect ordering of network policies, or some other misconfiguration.
The network access granted to compliant or non-compliant computers is dependent on how the policies are configured on the Network Policy Server. For more information, see Determine Your Policy Strategy for Network Access Protection.
Solution
Clients Are Using a Cached Statement of Health
Clients can present a cached statement of health that might be out of date. For more information about how a statement of health is used with Network Access Protection, see About the Statement of Health (SoH) in Network Access Protection.
To see under which conditions clients will use a cached statement of health, see NAP Evaluation Conditions for Configuration Manager Clients.
Solution
Client Is Assigned To a Child Site and the NAP Policy Has Not Yet Replicated Down the Hierarchy
Configuration Manager NAP policies replicate down the hierarchy, so there is a delay between creating or modifying a Configuration Manager NAP policy at a parent site and its taking effect on a client in a child site.
Solution
Wait for site replication to complete.
Concepts
Troubleshooting Network Access Protection
Other Resources
Overview of Network Access Protection