Non Compliant NAP clients access

  • Question

  • Dear All,

    I have implemented IPsec Enforcement in our environment. As a pilot test I have applied it to 250 PCs.

    For non-compliant clients I have enabled "Allow limited Access".

    I am getting two errors on non-compliant PCs, as below:
    1. The Windows Security Health Agent failed to update the security state of this computer. Windows could not install required security updates. An administrator must install them manually.
    2. The Windows Security Health Agent failed to update the security state of this computer. Windows did not detect an antivirus program that is compatible with Windows Security Center.

    All systems have the SCCM client and McAfee antivirus running, and they have network access even when non-compliant.
    I am not able to find any cause why they are non-compliant and why they have access even when non-compliant.

    Your kind help will be highly appreciated.
    Rakesh Kumar
    Wednesday, December 23, 2009 8:11 AM

Answers

  • Hi,

    What is the client OS?

    This error refers to the WSHA: "the windows security health agent failed to update the security state of this computer"

    This means you have enabled the security updates requirement in the WSHV, and the computers were unable to contact Windows Update or WSUS. These are required for remediation. Also please note that NAP will not reboot the computer if necessary to complete installation of some updates. The user or admin must do this.

    This error also refers to the WSHA: "did not detect an antivirus program that is compatible with windows security centre"

    This means that your clients do not have a compatible anti-virus program installed, and you have enabled the requirement for an antivirus program in the WSHV. In order to be compatible, the program must be registered with Security Center. Please open Security Center and check to see that McAfee is displayed as the installed anti-virus program.

    To determine why the clients are not having the correct access applied, we will need more information. Please begin by providing the names of the network policy and connection request policies that are being matched, and the configuration of these policies. You will find this information in the NPS events in Event Viewer under Custom Views\Server Roles\Network Policy and Access Services.

    Also please determine the types of computer certificates that have been issued to noncompliant computers, and whether or not you have successfully applied IPsec policies to these computers.

    -Greg
    • Marked as answer by Miles Zhang Wednesday, January 6, 2010 2:49 AM
    Friday, December 25, 2009 5:15 AM
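The two checks Greg describes (is an antivirus product actually registered with Security Center, and which NPS policies are being matched) can be scripted. This is an added example, not code from the thread; it assumes PowerShell 2.0 or later, that the client namespace is root\SecurityCenter on XP and root\SecurityCenter2 on Vista and later, and that the NPS server logs events 6272/6273 to its Security log.

```powershell
# Added diagnostic for the two checks in Greg's answer; not code from the thread.
# Run Get-SecurityCenterAV on a NAP client and Get-NpsPolicyMatches on the NPS server.

function Get-SecurityCenterAV {
    # The WSHA reads antivirus status from Security Center, so a product that is
    # not registered here produces the "did not detect an antivirus program"
    # error even when its service is running. XP uses root\SecurityCenter,
    # Vista and later use root\SecurityCenter2.
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        try {
            $products = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction Stop
        } catch {
            continue   # namespace does not exist on this OS version
        }
        foreach ($p in $products) {
            New-Object PSObject -Property @{
                Namespace = $ns
                Name      = $p.displayName
                # XP exposes two booleans; Vista+ packs the state into productState
                State     = $(if ($p.productState -ne $null) { '0x{0:X6}' -f $p.productState }
                              else { "onAccess=$($p.onAccessScanningEnabled) upToDate=$($p.productUptoDate)" })
            }
        }
    }
}

function Get-NpsPolicyMatches {
    param([int]$Newest = 50)
    # NPS writes 6272 (access granted) and 6273 (access denied) to the Security
    # log; the message body names the matched connection request and network policy.
    Get-EventLog -LogName Security -InstanceId 6272, 6273 -Newest $Newest |
        ForEach-Object {
            $m = $_.Message
            # pull the text that follows a label such as "Network Policy Name:"
            $field = { param($label) [regex]::Match($m, "$label\s*(.+)").Groups[1].Value.Trim() }
            New-Object PSObject -Property @{
                Time             = $_.TimeGenerated
                Result           = $(if ($_.InstanceId -eq 6272) { 'Granted' } else { 'Denied' })
                Account          = & $field 'Account Name:'
                ConnectionPolicy = & $field 'Connection Request Policy Name:'
                NetworkPolicy    = & $field 'Network Policy Name:'
                # NAP quarantine outcome, present when a NAP-capable client was evaluated
                Quarantine       = & $field 'Quarantine Information:\s*Result:'
            }
        }
}
```

On a client where Security Center shows "Not Found", Get-SecurityCenterAV returns nothing for the antivirus class, which is exactly the condition the WSHA reports; on the NPS server, Get-NpsPolicyMatches | Format-Table lists which policy each noncompliant host landed in.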

All replies

  • Does the SCCM SHA have access to the servers it needs in the limited access network segment?
     

    --------------------------------------------------------------------------------

    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.

    Thursday, December 24, 2009 5:32 AM
  • Hi Ortal,

    Could you clarify more? As stated above in my request, the clients are not getting remediated but they have network access even when non-compliant.


    Rakesh Kumar
    Thursday, December 24, 2009 11:32 AM
  • If the clients have full network access even when not compliant then I'm on the wrong path.

    --------------------------------------------------------------------------------

    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.

    Thursday, December 24, 2009 12:15 PM
  • Hi Greg,

    Client OS is Windows XP SP3.

    <>Also please note that NAP will not reboot the computer if necessary to complete installation of some updates. The user or admin must do this.

    Ans -
    Could you clarify how to know that the system requires a reboot after patch remediation?

    <>This means that your clients do not have a compatible anti-virus program installed, and you have enabled the requirement for an antivirus program in the WSHV. In order to be compatible, the program must be registered with Security Center. Please open Security Center and check to see that McAfee is displayed as the installed anti-virus program.

    Ans - I have checked the Security Center in Control Panel and got "Not Found". After that I asked the McAfee ePO team to uninstall and install it again; they did so, and after that the PCs were compliant, but on the next day Security Center is showing "Not Found" and the PCs become non-compliant but still have network access.

    <> Please begin by providing the names of the network policy and connection request policies that are being matched, and the configuration of these policies.

    Ans - Network policy -
    NAP IPsec with HRA Noncompliant [ Policy State: Enabled, Access Permission: grant access if the connection request matches the policy, Network Connection Method: Health Registry Authority,
    Settings Tab\NAP enforcement: a) Allow Limited Access b) Remediation server group and troubleshooting URL: not configured, Auto remediation: Configured]

    <>Also please determine the types of computer certificates that have been issued to noncompliant computers, and whether or not you have successfully applied IPsec policies to these computers

    Ans -
    No certificates were issued to non-compliant computers. I have checked: both non-compliant and compliant computers are getting IPsec policies.

    Let me know if further information is required.
    Rakesh Kumar
    Monday, December 28, 2009 10:57 AM
  • Dear All,

    Any idea how to resolve the above issue?

    Your kind help will be highly appreciated.
    Rakesh Kumar
    Monday, January 4, 2010 4:47 AM