Use the following information to understand how Configuration Manager 2007 determines compliance with software updates for Network Access Protection (NAP). This information will help you prepare your implementation of Network Access Protection and troubleshoot situations when the compliance results are not as expected.

Compliance as a Multi-Staged Process

Determining compliance for Configuration Manager Network Access Protection (NAP) is a multi-staged process:

  • The NAP-capable Configuration Manager client evaluates whether it has all the required software updates by their effective date. The client passes this compliant or non-compliant information to the System Health Validator point in its statement of health. If the evaluation fails, the client sends failure information in the statement of health.

  • The System Health Validator point then validates the client's statement of health, using a series of compliance criteria. The validation process uses the Configuration Manager health state reference published to Active Directory Domain Services, and the System Health Validator point configured settings.

  • In some situations, the validation criteria are not sufficient for the System Health Validator point to determine whether the client is compliant or non-compliant. This can happen if the client is unknown or an error occurs. The configuration of the System Health Validator on the Network Policy Server then determines whether the client is compliant or non-compliant. The default configuration is non-compliant.

Why a Client That Has Required Software Updates Might Be Non-Compliant

Using up to three stages of compliance checking provides Configuration Manager with a sophisticated but efficient method of detecting whether a client is compliant with software updates. However, it can introduce some complexity for administrators who want to understand why a client was reported as non-compliant. For example, although clients that require software updates are always given a health state of non-compliant by a System Health Validator point, clients that do have all the required software updates might be reported as non-compliant by the System Health Validator.

Situations in which a client has all the required software updates but is deemed non-compliant include the following:

  • If the client site is not known to the System Health Validator point, the client will be given an unknown status rather than compliant or non-compliant. This error condition happens when the System Health Validator point cannot find a health state reference for the site name and code in the client's statement of health. This could occur because a new Configuration Manager site was installed and Active Directory replication is not complete. It can also occur when a client is outside its Configuration Manager hierarchy. The error condition "unknown" maps to the failure category "SHA vendor specific error code received" on the System Health Validator on Windows Network Policy Server, which by default is configured as non-compliant. However, this failure category can be configured for either compliant or non-compliant.

  • If any errors occur during validation, a compliant status from the client can change to one of the two server failure categories. By default, both server failure categories are configured as non-compliant on the System Health Validator on Windows Network Policy Server, but both of these can be configured as either compliant or non-compliant.

  • If any of the following validation checks fail, a client that is compliant with its Configuration Manager NAP policies will be deemed non-compliant:

    • The statement of health from the client is older than the System Health Validator point setting for the option "Date created must be after". In this scenario, it is likely that new and important Configuration Manager NAP policies were configured, and it is imperative that the client assesses its compliance with the latest Configuration Manager NAP policies.

    • The statement of health from the client is not within the System Health Validator point setting for the option "Validity period". In this scenario, the client is using a cached statement of health. If the client reassesses its compliance again, it might no longer be compliant (for example, if software updates have been uninstalled).

    • The client did not evaluate its compliance using up-to-date Configuration Manager NAP policies. In this scenario, the policy time stamp in the client's statement of health is older than the time stamp in the health state reference, which indicates that there have been changes made to the Configuration Manager NAP policies since the client last downloaded its Configuration Manager NAP policies.

Remediation Steps for a Client That Has Required Software Updates

When the client is compliant with its Configuration Manager NAP policies, but non-compliant with the System Health Validator criteria, successful remediation consists of the following steps in sequence:

  • If the client has not evaluated against the latest Configuration Manager NAP policies, the client is instructed to download its machine policy, which includes the Configuration Manager NAP policies.

  • The client re-evaluates its compliance and sends a new statement of health to the System Health Validator point.

  • If the status is still compliant and all the validation checks pass, the client will be given a health state of compliant.
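The validation checks listed under "Why a Client That Has Required Software Updates Might Be Non-Compliant" and the remediation sequence above, modelled together as an added example (this is illustrative code written for this page, not Configuration Manager's own implementation). The statement-of-health and health-state-reference fields, the `sha_vendor_error` failure-category key, and the sample dates are assumptions constructed here; the check order and the default non-compliant mapping follow the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

COMPLIANT, NON_COMPLIANT = "compliant", "non-compliant"
# Health state the NPS System Health Validator assigns to the "SHA vendor specific
# error code received" failure category; the page says the default is non-compliant.
DEFAULT_FAILURE_MAP = {"sha_vendor_error": NON_COMPLIANT}

@dataclass
class StatementOfHealth:          # sent by the NAP-capable client (constructed fields)
    site_code: str
    created: datetime
    policy_timestamp: datetime    # version of the NAP policies the client evaluated against
    client_result: str            # COMPLIANT / NON_COMPLIANT from the client's own check

@dataclass
class HealthStateReference:       # published by the site to AD DS (constructed fields)
    site_code: str
    policy_timestamp: datetime

def validate(soh, references, now, date_created_after, validity_period,
             failure_map=DEFAULT_FAILURE_MAP):
    """System Health Validator point validation; returns (health_state, reason)."""
    ref = references.get(soh.site_code)
    if ref is None:   # unknown site -> 'unknown', mapped through the NPS failure category
        return failure_map["sha_vendor_error"], "unknown site"
    if soh.client_result != COMPLIANT:
        return NON_COMPLIANT, "client requires software updates"
    if soh.created <= date_created_after:
        return NON_COMPLIANT, "SoH older than 'Date created must be after'"
    if now - soh.created > validity_period:
        return NON_COMPLIANT, "SoH outside 'Validity period' (cached SoH)"
    if soh.policy_timestamp < ref.policy_timestamp:
        return NON_COMPLIANT, "evaluated against stale NAP policies"
    return COMPLIANT, "all checks passed"

def remediate(soh, references, now, date_created_after, validity_period, reevaluate):
    """Remediation sequence: refresh machine policy if stale, re-evaluate, send a new SoH."""
    ref = references[soh.site_code]
    policy_ts = max(soh.policy_timestamp, ref.policy_timestamp)   # machine policy download
    new_soh = StatementOfHealth(soh.site_code, now, policy_ts, reevaluate())
    return validate(new_soh, references, now, date_created_after, validity_period)

# Constructed sample data: site ABC changed its NAP policies on 30 May.
NOW = datetime(2009, 6, 1, 12, 0)
REFS = {"ABC": HealthStateReference("ABC", datetime(2009, 5, 30))}
CUTOFF, VALIDITY = datetime(2009, 5, 1), timedelta(hours=24)
STALE_POLICY = StatementOfHealth("ABC", NOW - timedelta(hours=1), datetime(2009, 5, 1), COMPLIANT)
CACHED = StatementOfHealth("ABC", NOW - timedelta(days=2), datetime(2009, 5, 30), COMPLIANT)
UNKNOWN_SITE = StatementOfHealth("ZZZ", NOW, NOW, COMPLIANT)
```

`validate(STALE_POLICY, ...)` is refused for stale policies even though the client reports compliant, and `remediate(STALE_POLICY, ..., lambda: COMPLIANT)` walks the three remediation steps and returns compliant.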
