Topic last updated—November 2007

When deploying an operating system and Configuration Manager 2007 client into an environment that is using Network Access Protection (NAP), you must take additional configuration steps. Failing to configure an operating system deployment correctly for Network Access Protection can result in newly deployed computers having restricted network access with failed remediation.

Clients running Windows Vista and Windows Server 2008 natively support Network Access Protection, whereas computers running Windows XP do not natively support Network Access Protection and require the installation of an additional Network Access Protection client. For more information about the Network Access Protection Client for Windows XP, see the Network Access Protection Web site (http://go.microsoft.com/fwlink/?LinkId=59125).

Network Access Protection supports a number of enforcement mechanisms, such as IPsec, 802.1X, VPN, and DHCP. Each enforcement mechanism requires its respective Network Access Protection enforcement client to be enabled and the Windows Network Access Protection Service started and configured for automatic startup. For more information about deploying and configuring Network Access Protection in Configuration Manager, see Network Access Protection in Configuration Manager.

Use the steps in the following sections to ensure that the enforcement mechanism and the Windows Network Access Protection Service are enabled and will interact correctly with the Configuration Manager client when deploying an operating system into a NAP-enabled environment.

The Reference Computer Is Configured for Network Access Protection

The following scenario would be appropriate if all your operating system deployments are in a NAP-enabled environment, using the same NAP-enforcement mechanism:

  1. Configure the reference computer with the operating system, service packs, security updates, applications, settings, tools and desktop customization.

  2. If the operating system is Windows XP, install the Network Access Protection Client for Windows XP.

  3. Enable the appropriate Network Access Protection enforcement clients.

  4. Configure the Windows Network Access Protection service to start automatically, and start the service.

  5. Capture the image.

  6. Create a task sequence that references this image.

  7. Advertise the task sequence to computers.

With this configuration, the Network Access Protection enforcement client and the Windows Network Access Protection Service start automatically in the newly deployed computer because they are part of the image. They are therefore already running when the Configuration Manager client installs, ensuring that the Configuration Manager client can bind to the Windows Network Access Protection Service.

The Reference Computer Is Not Configured for Network Access Protection

The following scenario would be appropriate if only some of your computers are installed into a NAP-enabled environment, or if you need to add the configuration for Network Access Protection to an existing captured image:

  1. Configure the reference computer with the operating system, service packs, security updates, applications, settings, tools and desktop customization.

  2. Capture the image.

  3. Create a task sequence that references this image.

  4. If the operating system is Windows XP, add a custom task sequence step that will run in the newly deployed operating system to install the Network Access Protection Client for Windows XP.

  5. Add a custom task sequence step that will run in the newly deployed operating system to enable the appropriate Network Access Protection enforcement clients.

    Note
    Use the netsh command-line utility: netsh nap client set enforcement <enforcement ID> enable. For more information, see the Windows Network Access Protection documentation. For ongoing configuration, ensure that Group Policy configures the enforcement clients.

  6. Add a custom task sequence step that will run in the newly deployed operating system to configure the Windows Network Access Protection Service to start automatically, and start the service.

    Note
    For ongoing configuration, ensure that Group Policy configures this service.

  7. Add a custom task sequence step to restart the computer.

    Note
    This restart is necessary to ensure that the enforcement clients and the Windows Network Access Protection Service are already running when the Configuration Manager client starts, so that the Configuration Manager client can correctly bind to the Windows Network Access Protection Service.

  8. Advertise the task sequence to computers.
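The following batch script is an added example, not part of this topic or of Configuration Manager, showing how steps 4 to 6 of the second scenario (and the equivalent manual steps 2 to 4 of the first scenario, run on the reference computer) can be carried out in a single Run Command Line task sequence step. It assumes the service name napagent for the Windows Network Access Protection Agent service, assumes the enforcement client ID 79617 refers to the DHCP enforcement client, and uses the ID = ... ADMIN = "ENABLE" form of the netsh nap client set enforcement command; confirm both the ID and the syntax on the reference computer with netsh nap client show configuration before use. The installer path and silent-install switches for the Network Access Protection Client for Windows XP are placeholders.

```batch
@echo off
rem Added example (not from the original topic): enable a NAP enforcement client,
rem set the Network Access Protection Agent service (napagent) to automatic
rem start, start it, and verify the result so the task sequence step fails
rem visibly instead of leaving the computer restricted with failed remediation.
setlocal

rem Enforcement client ID for this environment. 79617 is ASSUMED here to be the
rem DHCP Quarantine Enforcement Client; check "netsh nap client show configuration"
rem on the reference computer and replace it with the ID your enforcement uses.
set NAP_EC_ID=79617

rem PLACEHOLDER: path to the Network Access Protection Client for Windows XP
rem package; the package name and silent switches are not given in this topic.
set XP_NAP_CLIENT=%~dp0NAP-client-package-PLACEHOLDER.exe

rem Step 4 (Windows XP only): install the NAP client before enabling enforcement.
ver | find "5.1." >nul
if not errorlevel 1 (
  echo Windows XP detected, installing the Network Access Protection Client...
  "%XP_NAP_CLIENT%" /quiet /norestart
  if errorlevel 1 (
    echo NAP client installation failed.
    exit /b 1
  )
)

rem Step 5: enable the enforcement client for this environment.
netsh nap client set enforcement ID = %NAP_EC_ID% ADMIN = "ENABLE"
if errorlevel 1 (
  echo Failed to enable NAP enforcement client %NAP_EC_ID%.
  exit /b 1
)

rem Step 6: set the Network Access Protection Agent service to automatic start
rem and start it if it is not already running. Note the space after "start=",
rem which sc.exe requires.
sc config napagent start= auto
if errorlevel 1 (
  echo Failed to set the napagent startup type.
  exit /b 1
)
sc query napagent | find "RUNNING" >nul
if errorlevel 1 net start napagent

rem Verification: both the enforcement client and the service must be in place
rem before the restart step and the Configuration Manager client installation.
sc query napagent | find "RUNNING" >nul
if errorlevel 1 (
  echo The Network Access Protection Agent service is not running.
  exit /b 1
)
netsh nap client show configuration

echo NAP enforcement client %NAP_EC_ID% enabled and napagent running.
exit /b 0
```

Run it as a single Run Command Line step that executes in the newly deployed operating system, before the restart step. Every failure path exits with a non-zero code, so the task sequence reports the step as failed rather than continuing to a Configuration Manager client installation that cannot bind to the service. Group Policy should still enforce the same settings afterwards, as the notes above state; this step only covers the window between deployment and the first policy refresh.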
