Enforcement Client Is Not Enabled

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

In a Network Access Protection (NAP) deployment, this problem typically occurs when an enforcement client is enabled in local policy settings but not in Group Policy settings and there are other NAP client settings managed through Group Policy.

Description of system behavior

NAP client computers that have both local policy and Group Policy settings will ignore the local policy settings. If a required enforcement client is enabled in local policy but not Group Policy, then NAP client computers will be evaluated by Network Policy Server (NPS) as non-NAP-capable. If a non-NAP-capable network policy is not configured on the server running NPS, the client will be denied network access. If a non-NAP-capable policy is configured on the server running NPS, the client will typically be granted restricted network access.

Associated operating system events

• NPS event ID 6273: The Network Policy Server denied access to a user.

• NPS event ID 6276: Network Policy Server quarantined a user.

Root cause diagnosis and resolution

The problem is caused by a missing Group Policy setting. To repair this problem, enable the enforcement client in Group Policy. For more information, see NAP client computers are evaluated as non-NAP-capable.