Configure Network Policy for Deferred Enforcement

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Deferred enforcement is one of the three primary phases of a NAP deployment. Deferred enforcement mode introduces NAP notifications to the end user. In many cases, users will see the NAP notifications and attempt to remediate their computers through NAP status and troubleshooting Web pages. By notifying users that their computers are noncompliant and giving users the opportunity to remediate them, deferred enforcement can raise the overall level of system health.

Although there is no network restriction taking place during this stage, users might contact technical support for information about the notifications. For this reason, it is important to prepare technical support personnel before you implement deferred enforcement mode. You can continue to gather data to characterize the health of the network during this stage. If you need to make changes to your NAP deployment, you can extend the enforcement date or you can return to reporting mode while you implement changes.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Configure network policy for deferred enforcement

To implement deferred enforcement, use a NAP enforcement setting of Allow full network access for a limited time in the network policy for noncompliant NAP client computers.

To configure network policy for deferred enforcement

  1. Click Start, click Run, type nps.msc, and then press ENTER.

  2. In the Network Policy Server console tree, open Policies\Network Policies.

  3. In the details pane, under Policy Name, double-click the name of the network policy for noncompliant NAP client computers.

  4. In the policy properties window, on the Settings tab, click NAP Enforcement, and then choose Allow full network access for a limited time.

  5. Using the drop-down lists next to Date and Time, choose the date and time when the access of noncompliant computers will be restricted, and then click OK. This date and time will be displayed in NAP notifications on noncompliant client computers. See the following example.

  6. Close the NPS console.

See Also

Concepts

Configure Network Policy for Reporting Mode
Configure Network Policy for Full Enforcement