This section provides troubleshooting information to help you identify and resolve why clients fail to successfully remediate with Network Access Protection (NAP) in Configuration Manager 2007.
The Windows Network Access Protection Agent Service Was Not Started
The Windows Network Access Protection Agent Service must be started before the Configuration Manager client receives the client policy to enable the Network Access Protection client agent. This allows the Configuration Manager Network Access Protection client agent to bind to the Windows Network Access Protection agent.
If the Windows Network Access Protection Agent Service is started after the Network Access Protection client agent is enabled on the Configuration Manager client (or remains not started), the client's statement of health fails to be validated on the Configuration Manager System Health Validator point. In this scenario, if failure categories on the System Health Validator map to a non-compliant health state, clients might have limited network access without being able to remediate.
To identify this scenario, look for the following entries in the client log file, SMSSHA.LOG:
Warning - "CORE: SHA Registered successfully with the NAP Agent, but could not successfully bind"
Error - "CORE: NAP Agent Service might not be running"
If computers are on the restricted network as a result of this scenario, follow these steps so that the client can move from the restricted network to the unlimited network:
- Ensure that the Windows Network Access Protection Agent Service is started and configured to automatically start on the computer. Manually change the service setting if necessary.
- Restart the computer. This causes the Configuration Manager client to download its client policy, and the Network Access Protection client agent will automatically bind to the Windows Network Access Protection agent.
If computers are not on the restricted network as a result of this scenario, but the Windows Network Access Protection Agent Service was started after you enabled the Configuration Manager Network Access Protection client agent, follow these steps:
- Ensure that the Windows Network Access Protection Agent Service is started and configured to automatically start on all NAP-capable computers running the Configuration Manager client. If necessary, configure Group Policy to start this service and confirm that computers have been configured with the setting.
- Either restart Configuration Manager client computers or disable the Network Access Protection client agent for one policy cycle (by default, every 60 minutes) and then re-enable the Network Access Protection client agent.
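The following PowerShell script is an added diagnostic example, not part of the Configuration Manager documentation. It checks the state and start mode of the Windows Network Access Protection Agent service (service name napagent), scans SMSSHA.LOG for the two entries quoted above, and optionally sets the service to start automatically; the default log path and the -Fix switch are assumptions of this example.

```powershell
# Added example: identify and correct the "NAP Agent Service not started" scenario.
param(
    # Assumed default client log folder; adjust to the client's actual CCM\Logs location.
    [string]$LogPath = "$env:windir\System32\CCM\Logs\SMSSHA.LOG",
    [switch]$Fix   # when set, configure the service for automatic start and start it
)

# Windows Network Access Protection Agent service
$svc = Get-Service -Name napagent -ErrorAction Stop
$startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='napagent'").StartMode
Write-Host ("NAP Agent service state: {0}, start mode: {1}" -f $svc.Status, $startMode)

# Look for the warning and error entries that identify this scenario in SMSSHA.LOG.
if (Test-Path $LogPath) {
    $patterns = @(
        'SHA Registered successfully with the NAP Agent, but could not successfully bind',
        'NAP Agent Service might not be running'
    )
    $hits = Select-String -Path $LogPath -SimpleMatch -Pattern $patterns
    if ($hits) {
        Write-Host "SMSSHA.LOG contains entries matching this scenario:"
        $hits | ForEach-Object { Write-Host ("  line {0}: {1}" -f $_.LineNumber, $_.Line.Trim()) }
    } else {
        Write-Host "No matching entries found in $LogPath"
    }
} else {
    Write-Warning "Log file not found: $LogPath"
}

# Correct the service configuration if requested; a restart is still needed so the
# Configuration Manager client downloads policy and the NAP client agent binds.
$needsFix = ($svc.Status -ne 'Running') -or ($startMode -ne 'Auto')
if ($needsFix -and $Fix) {
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent
    Write-Host "Service set to Automatic and started. Restart the computer to complete the fix."
} elseif ($needsFix) {
    Write-Host "Service is not running or not set to Automatic; rerun with -Fix to correct it."
}
```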
An Operating System Deployment Installs the Configuration Manager Client before Configuring Network Access Protection in Windows
When you deploy an operating system in a Network Access Protection environment using the operating system deployment feature in Configuration Manager, and you use custom task sequence steps to enable the enforcement clients and start Network Access Protection in Windows, failing to add a restart step to the task sequence can result in the computer being non-compliant and unable to successfully remediate.
Manually restart the computer.
To correct the operating system deployment configuration, see Planning for Operating System Deployment in a NAP-Enabled Environment.
Software Updates Have Not Yet Replicated to Local Distribution Point
In this scenario, a client undergoing remediation can time out when attempting to retrieve software updates from a remote distribution point.
Wait until replication is complete.
Avoid this situation by configuring an effective date that is after the software update packages have replicated to all distribution points. To modify the effective date of existing Configuration Manager NAP policies, see How to Set the Effective Date and Time to Begin NAP Evaluation for Network Access Protection.
Software Updates Are on a Protected Distribution Point
This configuration can result in clients being unable to access software updates if their network location is not identified as being within the boundaries configured for the protected distribution point.
Reconfigure the protected distribution point, or add the software update package to an unprotected distribution point.
Software Updates Are on a Branch Distribution Point
A client can time out trying to retrieve required software updates if it attempts to download them from a branch distribution point and the software update package is configured for the option Make this package available on protected distribution points only when requested by clients inside the protected boundaries.
If the user waits, the content will eventually download and remediation will be automatically retried.
Avoid this situation by configuring software update packages that reference software updates selected for Network Access Protection so that they are not configured for the option Make this package available on protected distribution points only when requested by clients inside the protected boundaries.
Client Cannot Connect to Remediation Servers
Clients using Network Access Protection in Configuration Manager are dependent on being able to communicate with remediation servers. For more information, see About Network Access Protection Remediation.
To ensure that clients can communicate with the servers they need, verify the following:
- Ensure that the client's default management point is operational.
- If you are using DHCP or VPN NAP enforcement, ensure that any infrastructure servers, such as DNS servers and domain controllers, are specified in a Remediation Server Group and included in the network policy on the Network Policy Server:
- If you are using IPsec Network Access Protection enforcement, ensure that all remediation servers (including Configuration Manager management points, software update points, and distribution points) are configured as boundary
The Network Access Protection Client Agent Was Disabled After the Client Went into Remediation
In this scenario, the client can present a non-compliant health state, but remediation is no longer possible.
Restart the computer to initiate download of the machine policy. This will result in disabling the Network Access Protection client agent and a compliant status.
The Network Access Protection Client Agent Is Re-Enabled
If you re-enable the Network Access Protection agent, this re-enables previously configured Configuration Manager NAP policies. If these policies contain software updates that are no longer hosted on distribution points, remediation is not possible because the content is no longer available.
To resolve this situation, complete one of the following steps:
- Delete the old Configuration Manager NAP policies, and then restart the computer. For procedural information, see How to Delete a Configuration Manager NAP Policy to Stop NAP Evaluation in Network
- Create a new software updates package with the missing software updates in the Configuration Manager NAP policies. When the content is available, a user who is a local administrator should then click Try Again. If the user has low rights, the user can then restart the computer. For more information about creating software update packages, see How to Create a
Computer Does Not Have the Configuration Manager Client Installed
In this scenario, the health state of the client cannot be checked by the Configuration Manager System Health Validator. By default, this maps to an error condition that deems it non-compliant. Remediation in Configuration Manager does not include automatically installing the Configuration Manager client, so this client will never be automatically remediated.
If the computer should install the Configuration Manager client, provide a means by which users can manually install the Configuration Manager client when on the restricted network. For more information, see Configuring the Remediation User Experience for Configuration Manager Network Access Protection.
If the computer should not have the Configuration Manager client installed, configure a network policy on the Network Policy Server such that this computer does not have its health state checked by the Configuration Manager System Health Validator. For more information, see Determine Your Policy Strategy for Network Access Protection and Configuring Exemption Policies for Configuration Manager Network Access Protection.
If none of the conditions above apply to the remediation failure, view the Configuration Manager Network Access Protection report List of remediation failures for specified time period to help identify the error. For more information, see How to Run Network Access Protection Reports.