NAP can restrict or deny network access to the computers that are not in compliance with the defined health requirements.
When a NAP-capable client computer contacts a NAP enforcement point, it submits its current health state.
For example, a health requirement server might track the latest version of an antivirus signature file.
The restricted network is a logical subset of the intranet and contains resources that allow a noncompliant NAP client to correct its system health.
A noncompliant NAP client on the restricted network can access remediation servers and install the necessary components and updates.
After remediation is complete, the NAP client can perform a new health evaluation in conjunction with a new request for network access or communication.