locked
FCS Windows 7 NAP Integration Kit RRS feed

  • Question

  • Hi
    I'm setting up a new forefront environment. With 2008 R2 (NPS)  and Windows 7.
    The FCS client work's like a charm but the Nap integration kit always reports the client as healthy.
    I does not matter what I do with the client It still reports Healthy.
    I can see in the client event log a eventId 11 it's the only thing I can find that looks odd.
    Only thing I can do to get it to report unhealthy is to uninstall the Nap integration kit on the client.
    Is Windows 7 supported for the Nap integration kit or is’ it coming a new version.
    I have read in another thread that the SHV has a bug with 2008 SP2 and R2 and that you need to change a registry setting.
    when I do that nothing changes on the client but I can't access the configure settings for the Forefront client Policy.

     

     

    Wednesday, September 23, 2009 5:35 AM

Answers

  • Strangely I have a case like this I'm working with a customer right now.  jcarlen if you don't mind open a ticket with CSS and ping me with the ticket # once you get it my email is kfalde @ you know the company name...

    Case will be non-dec so don't worry about that let the tech routers know this is for a hotfix you need to acquire from CSS. (there is a hotfix for part of the problem as mentioned previously however we still haven't figured out why the SHA on the client is always reporting as clean even when disabling service/rolling back definitions etc)

    The other customer I have is testing on Vista so I don't believe this is a win7 specific issue but still working on resolving.

    Thanks
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    • Proposed as answer by Nick Gu - MSFT Tuesday, September 29, 2009 9:30 AM
    • Marked as answer by Nick Gu - MSFT Monday, October 5, 2009 2:21 AM
    Friday, September 25, 2009 2:12 PM

All replies

  • Hi,

     

    Thank you for your post.

     

    Before going any further, I’d like to know why do you think the NAP is abnormal?

     

    As far as I know, If you have Windows Server 2008 you can use NAP to protect your network and now you can integrate with FCS. You can use FCS to protect your PC and NAP can this functionality. Forefront Client Security provides customers the ability to see whether Forefront Client Security is running and up to date. Administrators are able to configure NAP on Windows Server 2008 servers so that Forefront Client Security–managed machines attempting to connect to the network are checked to  ensure that the security agent is up to date and actively protecting clients. If the client machine does not have the Forefront Client Security agent or is not up to date, the user is not allowed to connect to the network and is notified within Windows Security Center. If the user installs the security agent for Forefront  Client Security with updated signatures, he or she can then connect to the network.

     

    More information:

    http://blogs.technet.com/clientsecurity/archive/2008/06/18/nap-and-fcs.aspx

     

    Regards,


    Nick Gu - MSFT
    Thursday, September 24, 2009 9:16 AM
  • Oki I don´t know what question you answerd
    Never asked about NAP functions.
    My question was WHY DON`T FCS NAP INTEGRATION KIT WORK WITH WINDOWS 7 are there any known issues. Or is the problem related to running the NPS on Server 2008 R2.

    Thursday, September 24, 2009 2:49 PM
  • I'm going to try to clear this up.

    jcarlen wants to use NAP and wants FCS to be reuqired, as well wants FCS to be up to date as a requrnment.  However, if he makes FCS fail he wants to see NAP doing it's job and deny the client access.  However, like he said (or she, sorry, don't know either way), FCS always reports that it's OK.  Once he uninstalls NAP then FCS reports that it's not OK (if that's the case).

    As far as I can tell, NAP is not functioning properly.

    I as well would want to see NAP deny an improper client to make sure it is, in fact, doing it's job.
    Thursday, September 24, 2009 10:32 PM
  • Strangely I have a case like this I'm working with a customer right now.  jcarlen if you don't mind open a ticket with CSS and ping me with the ticket # once you get it my email is kfalde @ you know the company name...

    Case will be non-dec so don't worry about that let the tech routers know this is for a hotfix you need to acquire from CSS. (there is a hotfix for part of the problem as mentioned previously however we still haven't figured out why the SHA on the client is always reporting as clean even when disabling service/rolling back definitions etc)

    The other customer I have is testing on Vista so I don't believe this is a win7 specific issue but still working on resolving.

    Thanks
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    • Proposed as answer by Nick Gu - MSFT Tuesday, September 29, 2009 9:30 AM
    • Marked as answer by Nick Gu - MSFT Monday, October 5, 2009 2:21 AM
    Friday, September 25, 2009 2:12 PM