DHCP Enforcement assign address fails
We are testing DHCP NAP in the lab.
We set WSHV just to check if the Windows Firewall is turned on.
Also, we created a DHCP policy to configure non-compliant clients to get a specified DNS name (015) and DNS server option.
The parameters of policy are as below:
Conditions: User Class
Operator: Equals
Value: Default Network Access Protection Class
Everything is OK, so the client will get the DNS name and DNS server option which we specified in the policy if the Windows Firewall is turned off.
But as long as we add an IP range to the policy, the non-compliant client could get neither an IP address nor DHCP options from the DHCP server.
The client will configure itself to use APIPA.
We got event 50015, "Nack is received on interface %interface_indexnumber%", from the client event log.
What's the case?
May 20th, 2013 12:53am
Hi Nodium,
Based on my research, we cannot use DHCP Enforcement to assign IP addresses from a dedicated subnet for noncompliant clients. Instead, we might try 802.1x Enforcement. With 802.1x Enforcement, we can isolate clients onto different VLANs depending on health state.
Choose an Enforcement Method
http://technet.microsoft.com/en-us/library/dd125350(v=ws.10).aspx
Combining NAP enforcement methods
http://blogs.technet.com/b/nap/archive/2008/07/31/combining-nap-enforcement-methods.aspx
Hope this helps.
Jeremy Wu
TechNet Community Support
May 21st, 2013 2:13am


