We use the McAfee enterprise on all of our clients. We do use HBSS but do you think that the issue lies in the NAC Client?
I can think of a scenario that would do this.
In our environment, we have a server task on the ePO and checks for "inactive" clients.
We consider anything that hasn't communicated with the ePO server for 30 days to be "inactive" (I don't know why 30 days).
It looks like your policy is 7 days.
If the server detects an inactive client, it will move it to a special group that we created called "Inactive Agents".
Assuming that your ePO is set up similarly, if the firewall policy applied to the "Inactive Agents" group is set to deny all traffic, then that could be the cause of your problem.
If that were the case, you could modify the firewall policy on the inactive agent group to allow the clients to communicate with the ePO server only.
We have our network set up kind of similar, but the first 7 days they are flagged as "rogue" and then after 14 days they are deleted. Once they are considered "rogue" and everything gets locked down, the only communication that exists is from the client to the ePO server. We can send the props/policies still but nothing else. These clients are all on the domain and receive patches and everything else, but we are still running into this issue even when clients are plugged in. If they are inactive and still connected to the ePO server, then something is missing somewhere. Any ideas? Thanks in advance.