Configuring the Remediation User Experience for Configuration Manager Network Access Protection
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Although remediation with Network Access Protection (NAP) in Configuration Manager 2007 is designed to happen automatically, you should plan the user experience so that you provide troubleshooting information specific to your users if remediation fails. This could include basic information about why there is a delay in accessing the network and a Help Desk number to call. Or it could include links to help diagnose and resolve the issue outside Configuration Manager. Providing user help is particularly important if your Network Policy Server restricts non-compliant computers and remediation fails.
Remediation can fail for a number of reasons, including the following:
The computer does not have the Configuration Manager client installed.
The client cannot contact its management point (for example, there is a network problem).
Content is not available (for example, the software update package has been deleted or there are network problems between the client and distribution points).
Each network policy that enforces compliance on the restricted network can specify a troubleshooting URL, which directs users to a local Web site that is accessible on the restricted network. If it contains links to resources, these must also be accessible from that restricted network. You must provide the local Web site and build your own customized page using basic HTML. If remediation fails, the Network Access Protection client notification will display a More Information button to access the Web site.
As an example, your Web page might include some branding information to reassure users that the interruption to network access is a necessary part of your company's normal procedure, together with a Help Desk number to call. Then you could include a separate section on diagnosis, such as automatic or manual checking for the presence of the Configuration Manager client with a link to install it if necessary. The diagnostics section could generate a file, either to send to the Help Desk or to save locally, that contains configuration information about the computer to help identify the computer and its configuration status.
Make sure you have this page available, and confirm the links before deploying Network Access Protection.
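The link check described above can be scripted before deployment. The following Python sketch is an added example, not part of the original documentation: the troubleshooting URL, host names and sample page are constructed, and it assumes that "accessible from the restricted network" means "hosted on a name in your list of remediation hosts" rather than testing connectivity.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch or navigate to another resource.
URL_ATTRS = {"href", "src", "action"}

class LinkCollector(HTMLParser):
    # Collects every URL-bearing attribute value, in document order.
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append(value.strip())

def unreachable_links(html, page_url, allowed_hosts):
    """Return absolute http(s) URLs whose host is not on the restricted network."""
    allowed = {h.lower() for h in allowed_hosts}
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for raw in collector.urls:
        absolute = urljoin(page_url, raw)   # resolve relative links against the page
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https"):
            continue                        # mailto: and tel: need no Web access
        if (parts.hostname or "").lower() not in allowed and absolute not in flagged:
            flagged.append(absolute)
    return flagged

# Constructed sample: hypothetical troubleshooting URL, hosts and page body.
PAGE_URL = "http://remediation.corp.example/nap/help.html"
ALLOWED_HOSTS = ["remediation.corp.example", "sccm-mp.corp.example"]
SAMPLE_PAGE = """<html><body>
<img src="/nap/logo.png">
<p>Call the Help Desk: <a href="tel:+15550100">555-0100</a></p>
<a href="http://sccm-mp.corp.example/client/ccmsetup.exe">Install the client</a>
<a href="https://intranet.corp.example/kb/nap">Knowledge base</a>
<script src="//cdn.example.net/diag.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for url in unreachable_links(SAMPLE_PAGE, PAGE_URL, ALLOWED_HOSTS):
        print("not reachable from restricted network:", url)
```

Any URL the script reports would fail for a user in remediation, so either host that resource on a server in the remediation server group or remove the link from the page.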
To specify the Troubleshooting URL, follow this procedure:
On the Network Policy Server, edit the network policy for non-compliant computers.
Click the Settings tab, and then click NAP Enforcement under the section Network Access Protection.
Click Configure in the section Remediation Server Groups and Troubleshooting URL.
In the Troubleshooting URL section, type in the link to a Web page accessible from the restricted network you want users to see when they are in remediation.
Click OK to close the Remediation Servers and Troubleshooting URL dialog box, and then click OK to close the network policy properties.
You can also use Group Policy settings to configure branding for the Network Access Protection client that appears in the computer notification area. Specify your choice of title, description and image for the User Interface Settings, under the following Group Policy location: Computer Configuration \ Windows Settings \ Security Settings \ Network Access Protection. Locally, you can specify the same settings with the Windows Vista MMC snap-in named NAP Client Configuration.
For additional information, see Configuration Manager 2007 Information and Support.