Use the following information to understand how the effective date in Configuration Manager 2007 Network Access Protection (NAP) affects clients that can support NAP, and the considerations to take into account when you are configuring it as a property of a Configuration Manager NAP policy.
Client Behavior When Effective Date Becomes Current
The effective date is when a Configuration Manager 2007 Network Access Protection (NAP) policy becomes active on NAP-capable clients, and it is displayed as a default column in the Policies node.
At that time, the client will assess its compliance status by verifying whether it requires the software update listed in the policy. If it is not compliant, the required software update can be enforced through remediation and the client might have restricted network access until remediation is successful. Remediation and restriction are controlled by policies configured on the Microsoft Windows Network Policy Server.
Considerations for Configuring the Effective Date
Because Network Access Protection in Configuration Manager 2007 is complementary to the Configuration Manager 2007 feature software updates, typically most Configuration Manager clients will have the required software updates installed through the software updates feature. Therefore, setting an effective date after the deadline of a software update deployment is a precautionary measure for the few computers that do not install the software update through standard operating procedures.
However, Network Access Protection, unlike software updates, has the ability to restrict network access (through policy configuration on the Windows Network Policy Server) until the software updates in the Configuration Manager NAP policy are installed.
Setting an aggressive effective date has the following two risks:
- More clients might have restricted network
access until remediation is successful, which in turn increases the
load on remediation servers, such as distribution points hosting
software updates, and software update points.
- The software update packages containing the
required software updates might not have replicated to the
remediation distribution points.
You can configure the effective date in a Configuration Manager NAP policy to be a date in the future, or As soon as possible. Select As soon as possible as your effective date only if either of the following apply:
- The Windows Network Policy Server will not
restrict network access for non-compliant computers.
- The risk of a non-compliant computer having
full network access is greater than the risk of it having
restricted network access and being unable to remediate in the
event that the software update is not yet replicated to the
remediation distribution points.
For more information about how to configure the effective date, see How to Set the Effective Date and Time to Begin NAP Evaluation for Network Access Protection.
TasksHow to Configure a Configuration Manager NAP Policy for a Zero-Day Exploit in Network Access Protection
How to Create a Configuration Manager NAP Policy for Network Access Protection
How to Set the Effective Date and Time to Begin NAP Evaluation for Network Access Protection
How to View Configuration Manager NAP Policies for Network Access Protection
ConceptsAbout the NAP Client Status in Network Access Protection
About Network Access Protection Remediation
About Configuration Manager NAP Policies in Network Access Protection
About Phased and Expedited Network Access Protection Deployments