About Network Access Protection Remediation
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Use the following information to understand how remediation works in Configuration Manager 2007 Network Access Protection, and how it affects Configuration Manager clients.
The Remediation Process
Remediation in Network Access Protection (NAP) is the means by which clients with a non-compliant health state are brought to a compliant state. Remediation in Configuration Manager 2007 occurs when the network policies on the Microsoft Windows Network Policy Server (NPS) enforce Network Access Protection (NAP) for non-compliant clients. It involves one of the following actions:
The client produces a current statement of health.
The client downloads the latest Configuration Manager NAP policies, re-evaluates compliance, and produces a current statement of health.
The client installs software updates required for compliance, re-evaluates compliance, and produces a current statement of health
Configuration Manager 2007 functionality other than remediation is not supported on the restricted network.
Configuration Manager 2007 remediation can occur when the client has limited network access or full network access for a limited time. When remediation is successful, the client then has full network access if its health state remains compliant.
If the Network Policy Server allows full network access (reporting mode), Configuration Manager 2007 will not remediate on the unrestricted network. This facility is supported through standard Configuration Manager 2007 software updates.
Additionally, if the Network Policy Server is enforcing health policies, Configuration Manager 2007 will always remediate non-compliant computers even if the option on the Network Policy Server Enable auto-remediation of client computers is not enabled.
Configuration Manager 2007 remediation servers are the servers that have resources required by clients to become compliant and are the following:
The client's management point when the client needs to download the latest Configuration Manager NAP policies.
The client's software update point.
Distribution points that host the software update packages containing required software updates when the client is non-compliant. The software updates required for compliance are installed with a high priority.
Additionally, servers that provide service location for Configuration Manager site assignment and management points must also be available and are therefore considered remediation servers. For example, for a client to access site information that is published to Active Directory Domain Services, it must be able to access a global catalog server. Clients that require site information but cannot access it from Active Directory Domain Services also require a server locator point, a server locator point might also be used to locate management points. For more information about whether clients must have access to a server locator point, see Determine If You Need a Server Locator Point for Configuration Manager Clients. For more information about service location in Configuration Manager, see Configuration Manager and Service Location (Site Information and Management Points).
Remediation servers must be configured in a Remediation Server Group on the Network Policy Server if you are using DHCP enforcement. They usually include infrastructure servers such as DNS, WINS, and domain controllers. However, do not add servers that are configured as management points, software update points, and distribution points to Remediation Server Groups because they will be dynamically supplied by a client undergoing remediation.
Remediation Restarts and Retries
If a software update installed through remediation requires a computer restart, the restart is queued until all the software updates required for compliance have been installed. Another restart scenario is when a particular software update requires a restart before installing the software updates required for remediation (service packs often have this requirement).
In these restart scenarios, if remediation occurs on the restricted network, the user is informed that the restart will automatically take place and will see a countdown so that she can save any work. When remediation occurs when the client has full network for a limited time, the user is informed that a restart is needed with a prompt to restart or cancel. If the user cancels, remediation is not complete and the compliance status will remain as non-compliant until the software update installation has completed.
If the client encounters remediation failures, it will retry in the background in case transient conditions are responsible for the failure. If the client cannot connect to the remediation servers it needs, or if it fails to successfully download content, it will retry after 1 minute, then after 2 minutes, after 4 minutes, and continues to retry exponentially until it has tried 8 times over a period of 256 minutes. These retry attempts occur automatically in the background, and they are not configurable properties for Configuration Manager 2007 Network Access Protection.
About Compliance for Network Access Protection in Configuration Manager
About Enforcing Compliance with Network Access Protection
Decide If You Need Additional Distribution Points for Network Access Protection Remediation
About the Statement of Health (SoH) in Network Access Protection
About System Health Validator Points in Network Access Protection
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.