Auto-Remediation

  • Question

  • When we check "Enable auto-remediation of client computers" in a network policy on an NPS, what are we able to auto-remediate? Only the disabled firewall, or also other parameters?
    Thursday, June 21, 2007 11:32 PM

Answers

  • Things that can be auto-remediated by the Windows System Health Agent (WSHA), which integrates directly with the Windows Security Center:
    1. Firewall ON
    2. Windows Defender ON (Vista only, no XP support for Defender)
    3. Automatic Updating ON
    4. Automatic Updating patch level up-to-date
    We cannot currently auto-remediate any anti-virus applications unless they integrate with NAP on the client computer. If the vendor integrates with NAP, this is where NAP functionality can be enriched to let you now set policies on the server for that particular vendor's software. Pretty cool...

    The list of partners who are already working with us is here:
    http://www.microsoft.com/windowsserver2003/partners/nappartners.mspx


    NAP the WORLD in 2007,

    Jeff Sigman
    NAP Release Manager
    Jeff.Sigman@online.microsoft.com *
    http://blogs.technet.com/nap
    *Remove the "online" to actually email me.
    ** This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, June 22, 2007 4:07 PM

All replies

  • Hi,

    When you enable auto-remediation, the client computer will attempt to update all software and settings that are required by the installed system health validator(s), not just the Windows Firewall.

    For example, if there are three items that are out of compliance when the computer connects to the network, all three will be remediated. If it is not possible to auto-update one of the three items, then the remaining two items will be remediated, and the computer will remain in a noncompliant state until the third is updated.

    -Greg

    Friday, June 22, 2007 3:08 AM
  • Thanks Greg

    I want to be more precise.

    With my question I meant: which items is auto-remediation able to update "automatically", that is, without the need to use or provide other tools, procedures or servers for remediation... For example: to remediate the disabled firewall, we need only to check that flag in the policy; no other information is needed by NAP. But to remediate the absence of antivirus software, I believe we don't need only that flag, but also to indicate maybe a server from which to download the software or new antivirus signatures.

    So... beyond the firewall, for which other items is it sufficient to check that flag for auto-remediation? Also Automatic Updates? Also security patches?

    Thanks...

    Friday, June 22, 2007 8:29 AM
  • Hi,

    Auto-remediation will not install software for you unless the SHA is specifically designed to do this. In the case of the Windows SHA, for example, a setting of "notify but don't download" or "notify but don't install" automatic updates is considered ON and will be compliant with a requirement that automatic updates are ON. Therefore, if you also have a requirement that the most recent updates are installed, this will not be automatically remediated. In the current version of the Windows SHA, it would be up to the user to actually install the updates to stay in compliance. This is the same for security patches. Note: if you turn automatic updates OFF, then auto-remediation will turn it ON and set it to the recommended setting, which is *automatic* download and install. If a reboot of the computer is required after an update, this would not happen without user intervention.

    This is similar for AV or anti-malware applications. As you mentioned, the Windows SHV does not install an antivirus or anti-malware application automatically. It is also dependent on settings in the AV application to keep it in compliance with a requirement that it have recent signatures. However, I believe there will be SHA/SHV pairs written by 3rd parties - specifically designed for their software - that should allow for more detailed manipulation of settings. If you install one of these custom SHA/SHV pairs, then auto-remediation may be able to change settings in the application to initiate a download of a newer version, execute some other update, and perhaps even reboot the computer for you if needed.

    I hope this helps. If you would like to email me with more questions, remove the "online" from my email address below.

    -Greg

    greglin@online.microsoft.com

    Friday, June 22, 2007 3:57 PM
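    The following read-only audit script is an added example, not code from the thread or from Microsoft. It checks, on a single client, the four items the accepted answer says the Windows SHA can remediate, and then applies the rules Greg describes above: AUOptions values 2 and 3 ("notify" modes) count as Automatic Updating ON, an outdated patch level and a missing anti-malware product are not fixed by auto-remediation, and the machine stays noncompliant until every remaining item is fixed. It assumes a Vista-or-later client (netsh advfirewall, the WinDefend service), the standard Automatic Updates registry key, and the Windows Update Agent COM API; the two switches are hypothetical stand-ins for the corresponding SHV checkboxes, and a missing AUOptions value is conservatively reported as OFF.

```powershell
# Added example: predict what NAP auto-remediation can and cannot fix on this client.
# Assumptions: Vista or later, standard AUOptions key, Microsoft.Update.Session COM API.
# $requireDefender / $requirePatchLevel are hypothetical stand-ins for the SHV checkboxes.
param(
    [bool]$requireDefender   = $true,
    [bool]$requirePatchLevel = $true
)

$findings = @()

# 1. Firewall ON: netsh reports "State  ON" for each enabled profile.
$fwOutput   = netsh advfirewall show allprofiles state
$firewallOn = [bool]($fwOutput | Select-String -Pattern 'State\s+ON' -Quiet)
$findings += [pscustomobject]@{
    Item = 'Firewall ON'; Compliant = $firewallOn
    AutoRemediable = $true      # the WSHA turns the firewall back on by itself
}

# 2. Windows Defender ON: WinDefend service (absent on XP, as the thread notes).
$defender   = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
$defenderOn = ($defender -ne $null -and $defender.Status -eq 'Running')
if ($requireDefender) {
    $findings += [pscustomobject]@{
        Item = 'Windows Defender ON'; Compliant = $defenderOn
        AutoRemediable = ($defender -ne $null)   # can be switched on, never installed
    }
}

# 3. Automatic Updating ON. AUOptions: 1 = disabled, 2 = notify before download,
#    3 = download then notify, 4 = download and install. Per Greg, 2 and 3 still
#    count as ON; only 1 is remediated (to 4). A missing value is treated as OFF.
$auKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$auOptions = (Get-ItemProperty -Path $auKey -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
$auOn      = ($auOptions -ne $null -and $auOptions -ne 1)
$findings += [pscustomobject]@{
    Item = "Automatic Updating ON (AUOptions=$auOptions)"; Compliant = $auOn
    AutoRemediable = $true      # OFF is reset to automatic download and install
}

# 4. Patch level up to date: ask the local Windows Update Agent what is still
#    missing. In a "notify" mode the install is left to the user, so the WSHA
#    cannot remediate this item on its own.
if ($requirePatchLevel) {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $missing  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates.Count
    $findings += [pscustomobject]@{
        Item = "Patch level up to date ($missing missing)"; Compliant = ($missing -eq 0)
        AutoRemediable = $false
    }
}

$findings | Format-Table -AutoSize

# Verdict follows Greg's rule: remediate what you can, stay noncompliant until the rest is fixed.
$blocking = @($findings | Where-Object { -not $_.Compliant -and -not $_.AutoRemediable })
$anyBad   = @($findings | Where-Object { -not $_.Compliant })
if ($blocking.Count -gt 0) {
    Write-Host ("Noncompliant even after auto-remediation: " +
        (($blocking | ForEach-Object { $_.Item }) -join ', '))
} elseif ($anyBad.Count -gt 0) {
    Write-Host "Noncompliant now, but auto-remediation alone should restore compliance."
} else {
    Write-Host "Compliant."
}
```

    Run it from an elevated PowerShell prompt on the client before enabling the policy; the "Noncompliant even after auto-remediation" line lists exactly the items (patch level, missing AV) that will need WSUS, a software-distribution server, or a vendor SHA/SHV pair rather than the NPS checkbox alone. The update search contacts WSUS or Windows Update and can take a minute.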
  • Hi Greg,

    We are deploying NAP and using Forefront as the anti-virus solution. Is it possible to enable auto-remediation (automatically install or update) for anti-virus protection?

    If so, could you please provide instructions on how to do it?

    Best regards.


    Saturday, August 3, 2013 2:41 PM