ISA and TMG both support VPN quarantine control, which allows you to inspect client systems before you let them onto your network over a VPN connection.
If you haven’t tried this, you might want to investigate the possibilities.
Check it out at:
http://technet.microsoft.com/en-us/library/cc512644.aspx