This section provides troubleshooting information to help you identify and resolve why computers do not have full network access when they should when using Network Access Protection in Configuration Manager 2007.
The Configuration Manager Health State Reference Has Not Completed Active Directory Replication
Network Access Protection relies on Active Directory Domain Services to publish and retrieve health state references.
When installing a new Configuration Manager site, wait until replication for the Configuration Manager site is complete before configuring Configuration Manager Network Access Protection (NAP) policies.
Wait for Active Directory replication to complete.
The System Health Validator Point Cannot Retrieve the Configuration Manager Health State Reference
Network Access Protection uses Active Directory Domain Services to publish and retrieve health state references. If this is not configured and operational, compliant clients might have limited network access.
First, ensure that the Active Directory schema has been extended with the Configuration Manager 2007 schema extensions and that the Configuration Manager site is publishing to Active Directory. For more information, see the following:
- How to Extend the Active
Directory Schema for Configuration Manager
- How to Publish
Configuration Manager Site Information to Active Directory Domain
- How to Verify That Site
Information Is Published to Active Directory Domain
Second, ensure that the Configuration Manager health state reference settings are configured appropriately for your environment. For more information, see the following:
An Error Condition Occurred
By default, a client that experiences an error condition during the Network Access Protection process will be deemed non-compliant. However, error conditions can be reconfigured to give clients a compliant status, which can then result in full network access. For more information, see Network Access Protection Failure Categories and Error Codes.
Locate the error by referencing the Network Access Protection logs, and then correct the error. For more information about the log files, see Log Files for Network Access Protection.
Alternatively, you can reconfigure the failure category on the Network Policy Server so that it maps to a compliant status. For more information, see Configuring Failure Categories for Configuration Manager Network Access Protection.
Another System Health Agent (Not Configuration Manager) Is Responsible for a Non-Compliant Status
When the Network Policy Server is checking the health state of multiple System Health Agents and not just Configuration Manager, a Configuration Manager client that is compliant with the configured software updates can be non-compliant for a different System Health Agent, and as such, have limited network access.
None. Logging on the Network Policy Server will identify which System Health Agent returned a non-compliant health state.
The Network Policy Server Has Network Policies Configured Incorrectly for Configuration Manager
Network Access Protection in Configuration Manager replies on the correct configuration of policies on the Network Policy Server.
Ensure that the policies are configured correctly on the Network Policy Server. For more information, see the following:
The Computer Sends Its Statement Of Health to a System Health Validator Point Outside its Configuration Manager Hierarchy
This scenario will result in the client having an unknown health state, which by default, maps to SHA vendor specific error code received on the Configuration Manager System Health Validator on the Network Policy Server. By default, the option SHA vendor specific error code received is configured for Non-compliant.
If this unwanted behavior, reconfigure SHA vendor specific error code received on the Configuration Manager System Health Validator from Non-compliant to Compliant. For more information, see Configuring Failure Categories for Configuration Manager Network Access Protection.
The Network Access Protection Agent is Re-Enabled
If you enabled Network Access Protection, create some Configuration Manager NAP policies, and then disable Network Access Protection, this does not automatically delete the Configuration Manager NAP policies. Therefore, when you re-enable Network Access Protection on the same site, the old Configuration Manager NAP policies are also re-enabled.
For more information, see About Enabling and Disabling Network Access Protection.
Delete old Configuration Manager NAP policies you do not want. For more information, see How to Delete a Configuration Manager NAP Policy to Stop NAP Evaluation in Network Access Protection.