NAP remediation "freezing" on client PC

  • General discussion

  • Hello,
     
    I am running NAP (w/ DHCP enforcement) in a test domain, with one client PC for testing.  I first set up NAP in this domain about a month and a half ago and remediation was working fine, in terms of the Configuration Manager System Health Agent.  I had set up two separate NAP policies in ConfigMgr and when I logged into the client as an end user, it would run the system health check and recognize the updates were missing, so it would say "Updating" and proceed to download the updates and force a PC restart for installation.

    In the last 3 weeks however, the auto-remediation appears to be getting stuck or freezing.  I purposely remove one of the two security updates from the client PC so that I can test remediation again.  When I log in now as an end user, it still recognizes that an update is missing so it will say "Updating," but when it gets to 30% downloading, it just stops, it never completes.  I've let the client PC sit for over an hour and it will still say "Downloading updates 30%."  I check the Processes running in Task Manager, and don't notice anything strange.  I have confirmed the auto-remediation settings in the Network Policy Server (NPS) setup and made sure the Remediation server group settings are correct in terms of including the servers on which NPS, DHCP and Configuration Manager are located.

    If anyone has had similar experiences with auto-remediation in NAP, I would greatly appreciate any feedback.

    Thank you,

    Charles Thomas
    Tuesday, January 20, 2009 2:29 PM

All replies

  •   You will normally see that 30% status when the patch content cannot be retrieved from the Distribution Point (DP). While the client is restricted can it reach the machine that contains the content?

     Has something changed in the environment, such as the Remediation Server Group NPS setting, or one of the SCCM servers is no longer online or reachable while the client is restricted?

     Generally if something was working, and then stops working, something changed. Be it something someone changed or something is now failing.

    Michael
    Wednesday, March 18, 2009 3:57 PM
  • Hi Michael,

    Thanks for the feedback.  I was just able to get back into this project again.  I'm still getting the same results during remediation.  My client PC passes the Windows System Health Agent 100%, but is not receiving the software updates marked for NAP evaluation on our Configuration Manager server.  It will get to 30% updating and stop.  After rebooting the client PC, it will then freeze at 0% updating.

    When I do an "ipconfig" at the command prompt on the client, it shows as being in the "restricted" portion of the domain, and I cannot ping either the NPS server (which is also the test domain controller) or the Configuration Manager server.  For this reason, I thought it might be a problem with the remediation groups I had set up within NPS.  These were:

    Group name: Configuration Manager - IP address entered
    Group name: DNS Services - IP address entered
    Group name: Domain Services - IP address entered
    Group name: Network Services - IP address entered

    I thought I had read on MS TechNet that I didn't need to include the ConfigMgr server in the remediation groups because the client would automatically look there for software updates marked for NAP evaluation via the NAP agent installed on the client?

    If you have any further ideas, I would greatly appreciate it.

    Thanks,

    Charles


    Thursday, March 19, 2009 3:21 PM
  • Michael,

    I've done some tweaking on the NPS server in terms of the remediation groups and the DHCP settings for the default Network Access Protection class.  My client PC can now ping both the NPS/DHCP server while in the "restricted" part of the domain, but remediation with the Configuration Manager system health agent 79745 is still not moving past 0% or 30%.

    In the client's event log, here is the NapAgent error I'm still seeing:

    EventID: 30
    Description: The System Health Agent 79745 has returned an error code FailureCategory ClientCommunication.

    Any suggestions?

    Charles
    Thursday, March 19, 2009 7:54 PM
  • The EventID: 30 error has since gone away, and NAP has worked successfully since then, in terms of remediating the client PC with software updates through MSCCM 2007.

    Charles

    Monday, April 13, 2009 1:40 PM
  • Please, how do I configure the NAP client in Windows SP3?
    Is it something like this:

    1. Start --> Run --> Services.msc
    2. Change the Network Access Protection Agent service to start automatically
    3. Start the Network Access Protection Agent service
    4. Start --> Run --> CMD.exe
    5. Type netsh nap client set enforcement ID = ##### Admin = "Enable"
    6. Start --> Run --> GPEdit.msc
    7. Drill down to Computer Configuration | Administrative Templates | Windows Components | Security Center
    8. Enable the Security Center
    9. Start --> Run --> Services.msc
    10. Start the Security Center service

    But I don't understand command 5:
    netsh nap set enforcement  id ....................
    ?,?,?,?
    If someone can help me.

    Monday, April 13, 2009 4:57 PM
  • Hi,

    You can do all of this with Group Policy and then you don't need to use the command line. However, if you want to enable an enforcement client with the command line, do the following.

    1. Find the ID of the enforcement client you want using "netsh nap client show state." There is an example below.
    2. Enable the enforcement client. For example, if the ID is 79619, at the command line, type "netsh nap client set enforcement id = 79619 admin = enable"

    netsh nap client show state

    Enforcement client state:
    ----------------------------------------------------
    Id                     = 79617
    Name                   = DHCP Quarantine Enforcement Client
    Description            = Provides DHCP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79618
    Name                   = Remote Access Quarantine Enforcement Client
    Description            = Provides the quarantine enforcement for RAS Client
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79619
    Name                   = IPSec Relying Party
    Description            = Provides IPSec based enforcement for Network Access Protection
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79621
    Name                   = TS Gateway Quarantine Enforcement Client
    Description            = Provides TS Gateway enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = No

    Id                     = 79623
    Name                   = EAP Quarantine Enforcement Client
    Description            = Provides EAP based enforcement for NAP
    Version                = 1.0
    Vendor name            = Microsoft Corporation
    Registration date      = 
    Initialized            = Yes

    Thursday, April 16, 2009 6:39 AM
    Owner
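
The lookup described in the reply above, as an added example that is not part of the original post: PowerShell that parses the text of "netsh nap client show state", picks the enforcement client for the method in use (DHCP in this thread) and prints the enable command from step 2. Get-NapEnforcementClient is a hypothetical helper name, and reading "Initialized = No" as "not enabled" is an assumption.

```powershell
# Added example. $sample is constructed from the output quoted in the reply
# above, trimmed to two entries; replace it with live output via:
#   $sample = (netsh nap client show state) -join "`n"
$sample = @'
Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Initialized            = No

Id                     = 79623
Name                   = EAP Quarantine Enforcement Client
Initialized            = Yes
'@

# Hypothetical helper: returns one object per enforcement client entry.
function Get-NapEnforcementClient {
    param([string]$Text)
    $section = ''; $current = $null
    $clients = New-Object System.Collections.ArrayList
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
            # Only collect entries under the enforcement client heading;
            # other sections of the output may also carry "Id =" lines.
            if ($section -ne 'Enforcement client state') { continue }
            $key = $Matches[1] -replace '\s', ''; $value = $Matches[2]
            if ($key -eq 'Id') {
                $current = [ordered]@{}
                [void]$clients.Add($current)
            }
            if ($null -ne $current) { $current[$key] = $value }
        } elseif ($line -match '^\s*([^=]+?):\s*$') {
            $section = $Matches[1]; $current = $null
        }
    }
    $clients | ForEach-Object { [pscustomobject]$_ }
}

$method = 'DHCP'   # enforcement method used in this thread
foreach ($c in (Get-NapEnforcementClient -Text $sample)) {
    if ($c.Name -notlike "*$method*") { continue }
    if ($c.Initialized -eq 'Yes') {
        "{0} ({1}) is initialized" -f $c.Name, $c.Id
    } else {
        # Assumption: "Initialized = No" means the client is not enabled.
        "{0} is not initialized; enable it with: netsh nap client set enforcement id = {1} admin = enable" -f $c.Name, $c.Id
    }
}
```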
  • Thanks, Greg Lindsay.
    I have another question:
    what is UNETSHA?
    Must it be installed on the client?

    thank you in advance
    Monday, April 20, 2009 4:29 PM
  • Hi,

    This is a SHA/SHV that is available from one of our NAP partners. See http://unet.co.kr/nap/21download.html

    This is an optional component.

    -Greg
    Monday, April 20, 2009 4:34 PM
    Owner
  • Hi Charles,

    My NAP clients' Configuration Manager SHA is also not auto-remediating, doesn't move past 0% like yours.   I'm also getting the EventID 30, although the description is slightly different: "The System Health Agent 79745 has returned an error code 2."

    I can't find any information explaining what error code 2 is, but I expect it's the same event as yours. 

    You said this error had "gone away".  Can you remember any changes you made to fix it?  All my SCCM servers are in the Remediation Servers list on the NPS.  Clients receive other packages fine from SCCM, but fail to be auto-remediated.

    Any suggestions welcome!



    • Edited by Calliper Sunday, January 19, 2014 7:34 PM
    Sunday, April 17, 2011 12:15 PM
  • How did you get this fixed? Even I have this issue.

    Arnav Sharma

    Thursday, March 28, 2013 8:05 AM
  • How did you fix it? I have the same issue.

    Arnav Sharma

    Thursday, March 28, 2013 8:05 AM