I've opened a case with JTAC for assistance on this, but I was wondering if anyone else was having this issue.
I have configured a Host Checker policy to perform patch assessment and remediation using Shavlik. This was working for a bit, but I've recently encountered an Adobe Flash patch and an MS patch that Pulse detects as not installed on the system, but which, when I try to install them manually, report as already being installed. This of course would then lead to the user being stuck in the remediation VLAN without a way of being able to resolve the situation on their own.
Has anyone else encountered such behavior before with this auto-remediation feature?
So I believe I resolved the issue.
I started digging through Windows Event Log entries again and noticed a correlation: each time Host Checker ran, an error was registered from source "DistributedCOM" with an event ID of 10016. The error was:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
I started Googling these CLSIDs and APPIDs, and found a link to this article:
...where it indicated that the APPID GUID is associated with the NAP (Network Access Protection) service. Once I started this service, my remediation issue was resolved. I set this service to auto and it appears to be golden. I didn't see this service requirement in the documentation anywhere for Pulse - perhaps I missed it?
I may have spoken too soon - results are intermittent; first login fails host check (from machine auth -> user auth @ credential provider) and then succeeds at the desktop. Weird.