85 votes
Chris Alton commented
EDIT: I confused NPS with NAP in this statement, sorry about the confusion.
I just had a customer hit this same issue and found that this is a known issue. Unfortunately, since NPS is deprecated, there will not be a fix coming out for it.
There is a way to fix it on any systems that do have this problem.
The root cause was a Service SID associated with the IAS service didn't allow the Firewall Service to target the IAS service. This prevented the rules from properly taking effect.
All you need to do is run the following command on the affected systems:
sc sidtype IAS unrestricted
Sorry about the long delay getting a reply on this.
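
A way to check a system before and after running the command in the comment above, as an added example that is not part of the original comment or any Microsoft tooling. It reads the current value with `sc.exe qsidtype` and changes it only when asked; the `-Fix` switch and the function name are hypothetical, and the script assumes an elevated prompt.

```powershell
# Added example: audit and optionally correct the service SID type of the IAS service.
# Call sc.exe by its full name: in Windows PowerShell 5.1, "sc" is an alias for Set-Content.
param(
    [string]$ServiceName = 'IAS',   # service named in the comment above
    [switch]$Fix                    # hypothetical switch: apply the change when set
)

function Get-ServiceSidType {
    param([string]$Name)
    $out = & sc.exe qsidtype $Name 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe qsidtype $Name failed: $($out -join ' ')"
    }
    # sc.exe prints a line such as "SERVICE_SID_TYPE:  NONE"
    # (possible values: NONE, UNRESTRICTED, RESTRICTED)
    foreach ($line in $out) {
        if ("$line" -match '^\s*SERVICE_SID_TYPE\s*:\s*(\S+)') {
            return $Matches[1].ToUpperInvariant()
        }
    }
    throw "SERVICE_SID_TYPE not found in sc.exe output for $Name"
}

$before = Get-ServiceSidType -Name $ServiceName
Write-Output "$ServiceName service SID type: $before"

if ($before -eq 'UNRESTRICTED') {
    Write-Output 'Already unrestricted; no change needed.'
    return
}

if (-not $Fix) {
    Write-Output "Not changed. Re-run with -Fix to apply: sc.exe sidtype $ServiceName unrestricted"
    return
}

# Same command as in the comment, with the explicit .exe suffix.
& sc.exe sidtype $ServiceName unrestricted | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "sc.exe sidtype $ServiceName unrestricted failed (exit code $LASTEXITCODE)"
}

# Re-query so the result is confirmed rather than assumed.
$after = Get-ServiceSidType -Name $ServiceName
Write-Output "$ServiceName service SID type is now: $after"
```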