No Enforcement Example

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

The following example shows how NAP with no enforcement can be used to remediate the health of a client computer when it is determined to be noncompliant with requirements. In this example, no network restriction occurs because IPsec policies have not been deployed to create IPsec logical networks. The client computer will acquire a health certificate only when it is compliant, but this certificate is not required for full network access.

Noncompliant client restriction and remediation

The following illustration and its corresponding steps provide a detailed description of the processes involved in evaluating and remediating the health of a NAP client computer when you use a no enforcement design. The steps are identical to those used for NAP with IPsec enforcement, except that no network restriction is enforced on noncompliant client computers because no IPsec policies are deployed.

No enforcement noncompliant client remediation

  1. A NAP client computer detects a change in its health state and deletes its health certificate.

  2. The NAP health policy server evaluates the health credentials of the client and notifies it that it is noncompliant with health requirements. The NAP client does not receive a new health certificate.

  3. If required, the client computer requests updates from a remediation server.

  4. The remediation server provides updates, restoring the client computer to compliant status.

  5. The client computer requests a new health certificate from HRA.

  6. HRA forwards the client’s health state to the NAP health policy server for evaluation.

  7. The NAP health policy server responds to HRA to indicate that the client computer is compliant.

  8. HRA requests a health certificate from the NAP CA on behalf of the client computer.

  9. The NAP CA provides a health certificate to HRA.

  10. HRA issues a health certificate to the client computer.

  11. The client computer is restored to compliant status.