Stages of a NAP Deployment
Updated: February 29, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
When you deploy NAP, you can use the following three different modes of operation to gradually enforce health requirements on the network.
Reporting mode is the most critical phase of a NAP deployment. During this stage, you can capture and analyze daily statistics that indicate the health state of the network. Data obtained from this stage allows you to estimate the impact to your user base when enforcement is enabled and to adjust policy settings or correct network infrastructure, as appropriate. For example, during the reporting mode stage of deployment, you might discover that antivirus software is not applied as consistently on your network as you thought.
Data also allows you to verify that NAP is working correctly, and make infrastructure changes if necessary. During this phase, no NAP notifications are presented to users and the network access of noncompliant client computers is not restricted. You can use the reporting mode stage to begin training technical support personnel.
If your goals for deploying NAP are only to track overall client health and monitor elements of the security infrastructure that are leveraged by NAP SHAs and SHVs, you might decide to leave your NAP deployment in reporting mode indefinitely.
Deferred enforcement mode introduces NAP notifications to the end user. In many cases, users will see the NAP notifications and attempt to remediate the health of their computers through NAP status and troubleshooting Web pages. By giving users an indication that their computers are noncompliant and the opportunity to remediate them, deferred enforcement can raise the overall level of system health.
Although there is no network restriction taking place during this stage, users might contact technical support for information about the notifications. For this reason, it is important to prepare technical support personnel before you implement deferred enforcement mode. You can continue to gather data to characterize the health of the network during this stage. If you need to make changes to your NAP deployment, you can extend the enforcement date or you can return to reporting mode while you implement changes.
Full enforcement mode provides the greatest benefit — keeping noncompliant computers off the network— but it also introduces the greatest impact to users and their ability to communicate. By this stage of the deployment, reporting data should be fully understood so that the business impact of restricting noncompliant computers can be anticipated and appropriate resources are in place. It is critical that you monitor daily NAP statistics and trends during this stage.
You can use the same phased approach to add new health requirements to an existing NAP deployment. By creating health policies and network policies that define each possible health state for client computers, you can stage the deployment of individual SHAs and SHVs. This is important due to different release timelines and issues that can be experienced with different SHAs and SHVs, and any associated infrastructure changes. For a summary of health policy and network policy configuration, see Health Policies and Network Policies.
|To deploy a new health requirement in reporting mode, create a health policy that uses the associated SHV. You do not need to create a network policy that uses this health policy.|