NAP & SCCM auto remediation problem

  • Question

  • We are currently having a problem with auto-remediation with XP SP3 and Vista clients.

    Recently we upgraded our DCs to Server 2008 R2.
    I was testing NAP when our DCs were Server 2003 and was able to get the step by step lab working.
    However, after upgrading to Server 2008 R2, NAP stopped working.
    NAP and DHCP are installed on a separate Server 2008 SP2 server.

    I have enabled auto remediation on my non-compliant policy on the NAP server.
    On the client, I have NAP Agent, DHCP enforcement, and Security Center enabled.

    When I run napstat, the message tells me that my computer is compliant.
    However the client is not compliant (I manually disabled Windows Firewall on it).
    When I had this working before, it would re-enable Windows Firewall by itself.

    The only error I get in the event viewer is

    Event ID : 30
    The System health agent 79745 has returned an error code FailureCategory Client Component.

    Can someone help me?

    • Edited by wdawg Wednesday, January 27, 2010 7:30 PM
    Tuesday, January 26, 2010 6:02 PM

All replies

  • Hi,

    The error event 30 doesn't make sense to me considering you haven't changed anything on the client, but I'm not too familiar with that error. One thing that might be a problem is the NAP settings in Group Policy. Can you check that your Group Policy settings are working as expected? Execute a "netsh nap client show group" on the client computer. Also execute a gpresult (gpresult /r on Vista) to make sure clients are getting the correct GPOs applied, and that they are members of the appropriate security groups.

    Thanks,
    -Greg
    Wednesday, January 27, 2010 8:24 AM
  • Thanks for replying Greg.

    I am testing with a computer that is not joined to the domain.

    In the end, I deleted all my policies and started over.
    Instead of using the wizard, I created them manually and I was able to get DHCP enforcement working.
    When the firewall is manually turned off, NAP will remediate the workstation and turn it on.

    However, I am now having problems with auto-remediation with my SHV Configuration Manager.
    The client shows compliant, but I manually un-installed KB978207.
    KB978207 will re-install, but Configuration Manager is pushing it out. NAP is not remediating it.

    Thanks for your help, is there anybody with Configuration Manager/NAP on these boards?
    Wednesday, January 27, 2010 7:30 PM
  • Hi,

    Yes, several people have installed this feature.

    With the CMSHA I believe there is a scanning interval. I believe you can force a re-scan though. There is more information here: http://technet.microsoft.com/en-us/library/bb693502.aspx

    Let me know if this helps.

    -Greg
    Wednesday, January 27, 2010 11:38 PM
  • Greg,

    Thanks for the reply. Yes, I have reviewed that section before. We set a policy to have Configuration Manager install a zero-day installation.
    http://technet.microsoft.com/en-us/library/bb694188.aspx

    I will consult with my senior network admin to see if we can add MOM on to our NPS/SCCM server.

    I believe my problem is the configuration of the network policy set for Configuration Manager.

    I have some questions :

    a) Should I have separate network policies for Configuration Manager (besides my DHCP enforcement)?
    b) My co-worker believes we should add the health policies for Configuration Manager with my DHCP enforcement network policies. Can you add more than 1 health policy to a network policy?

    If I took a screenshot of my network policies, would you be able to help me further?

    Greg, thank you for all your help.

    If anybody else has any ideas or tips to get NPS/SCCM to work together, it would be awesome if you could chime in.


    Thanks!

    Thursday, January 28, 2010 3:29 AM
  • Hi,

    I can help, and I can attempt to get some others involved if necessary. If you would prefer to do this over email you can send me mail at greglin@online.microsoft.com (remove the "online" from this email address to actually email me, it is added to prevent spam bots).

    A topic I wrote that might help you understand network policies a little better is here: http://technet.microsoft.com/en-us/library/dd125310(WS.10).aspx

    This topic explains how to use different health policies with a network policy. You can have a policy that says the client must pass any policy, pass both policies, or pass a specific policy. It is very flexible, but the thing to keep in mind is that the first policy that is matched will be the one that takes effect. In other words, if you have a policy that says the client must match health policy A and then later you have one that says the client must match both health policy A and health policy B, then no client would ever match the second network policy - because they would all match the first network policy and then policy processing would stop. For this reason, you must always order the network policies so that the most generic ones are last. I hope this makes sense.

    -Greg
    • Marked as answer by Mervyn Zhang Thursday, February 4, 2010 8:50 AM
    Thursday, January 28, 2010 9:20 AM
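
The first-match ordering rule described in the reply above, as an added example that is not part of the original thread and is not NPS code. It assumes a simplified model in which a network policy matches only on which health policies the client passed; the policy names are hypothetical, and health policies A and B are the ones named in the reply.

```python
from itertools import combinations

# Simplified model (an assumption): a network policy is (name, mode, required),
# where mode "all" needs every listed health policy passed and "any" needs one.
# Real NPS network policies carry more conditions than this.
def matches(policy, passed):
    _, mode, required = policy
    required = set(required)
    if mode == "all":
        return required <= passed
    if mode == "any":
        return bool(required & passed)
    raise ValueError(f"unknown mode {mode!r}")

def first_match(policies, passed):
    """Name of the first policy that matches; processing stops there."""
    for policy in policies:
        if matches(policy, passed):
            return policy[0]
    return None

def unreachable(policies):
    """Names of policies that no client health state can ever reach."""
    health = sorted({h for _, _, req in policies for h in req})
    hit = set()
    # Try every combination of passed health policies a client could report.
    for r in range(len(health) + 1):
        for combo in combinations(health, r):
            winner = first_match(policies, set(combo))
            if winner:
                hit.add(winner)
    return [p[0] for p in policies if p[0] not in hit]

# Constructed sample: the ordering from the reply (A first, then A-and-B).
BAD_ORDER = [
    ("Match-A", "all", ["A"]),
    ("Match-A-and-B", "all", ["A", "B"]),
]
# Most specific first, most generic last.
GOOD_ORDER = list(reversed(BAD_ORDER))

if __name__ == "__main__":
    print("bad order, unreachable:", unreachable(BAD_ORDER))
    print("good order, unreachable:", unreachable(GOOD_ORDER))
    print("client passing A and B hits:", first_match(GOOD_ORDER, {"A", "B"}))
```
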
  • Sorry for the late response Greg. I ran into a snag with my NPS server.

    We changed a few settings and DHCP enforcement has stopped working.
    I'm back to square 1 with it and thinking of uninstalling/reinstalling NPS.

    I'll post back when I have it working.

    Monday, February 1, 2010 7:31 PM
  • Greg, I tried emailing you at the above email address you posted.
    I never heard a response back, so I forged on with the project.
    I wanted to update my post. Hopefully this helps somebody else from doing hours of research.

    I was able to get DHCP Enforcement working again on NAP.
    This time we configured our policies to use a RADIUS server to authenticate requests (previously we didn't need it, I still don't see why we need a RADIUS Server).
     
    I uninstalled the SCCM SHV, and re-installed again and again.
    The event viewer said that it couldn't initialize the SHV (along with other errors).
    I followed the administrators checklist http://technet.microsoft.com/en-us/library/bb680600.aspx

    The problem was that the network service account did not have read permissions on the Systems Management OU.
    This may have been something we overlooked when we upgraded our DCs from 2003 - 2008R2.

    We now have a working NAP environment. Windows Updates remediate by NAP/SCCM.

    It's a beautiful thing to see NAP enforcement work automatically.

    Thank you, please mark this thread closed.

    • Marked as answer by Mervyn Zhang Friday, February 5, 2010 10:31 AM
    Friday, February 5, 2010 2:31 AM