When you implement Network Access Protection (NAP) in a Configuration Manager multi-site hierarchy, enable it in a top-down manner. Create Configuration Manager NAP policies on the central site or primary site where you synchronize Configuration Manager software updates with Microsoft. Configuration Manager NAP policies automatically flow down the hierarchy.

Important
You cannot create NAP policies on a site that inherits software updates from a parent site. When you configure software updates synchronization with Microsoft, make sure that you configure this synchronization on the site from which you want to create Configuration Manager NAP policies.

You can create Configuration Manager NAP policies on a child site if that site synchronizes software updates from Microsoft. However, if you later change the synchronization configuration such that a parent site synchronizes with Microsoft, this results in the following scenarios:

• If the same Configuration Manager NAP policies are created on the parent site with the same software updates but with different effective dates, the Configuration Manager NAP policies at the child site (and inherited by further child sites) will be overwritten with the new Configuration Manager NAP policies created at the parent site, and the child site cannot modify or delete them.
  
  
• If the parent site doesn't create the same Configuration Manager NAP policies that were created on the child site, the original Configuration Manager NAP policies remain at the child site (and are inherited by further child sites). These Configuration Manager NAP policies can still be modified and deleted at the child site, but new Configuration Manager NAP policies cannot be created at the child site.
  
  

If a child site is not enabled for Network Access Protection, you will not be able to view the NAP policies with the Policies node, but running the following report will list them: List of Network Access Protection policies.

If your Configuration Manager hierarchy consists of more than two levels of primary sites, disabling Network Access Protection on a child primary site does not block the inheritance of Configuration Manager NAP policies from the parent site to the grandchild site.

You will not be able to modify or delete NAP policies that are inherited from a parent site, and you cannot create NAP policies if the site is inheriting policies from a parent site. However, you can disable Network Access Protection on a child site that has inherited NAP policies.

When a Configuration Manager NAP-capable client with the Network Access Protection client agent enabled roams to a different Configuration Manager site, it still assesses its compliance status based on the Configuration Manager NAP policies defined in its own site.

The System Health Validator point to which the client passes its client statement of health is dependent not on the Configuration Manager site, but on the underlying Network Access Protection enforcement mechanism. This means that a change of network location might result in the client using a different System Health Validator point when it roams into a different site (for example, if you are using DHCP as your Network Access Protection enforcement).

A roaming NAP-capable client from a Configuration Manager site that isn't enabled for Network Access Protection and is directed to use a site's System Health Validator point will be deemed compliant by the System Health Validator point. In this scenario, the System Health Validator point will increment its SHV Validator Performance counter, Configuration Manager NAP Client Agent Disabled.

System Health Validator points within a Configuration Manager site share the same configuration options, which are used to determine a client's health state. These configuration options are the following:

• How often the health state reference is retrieved.
  
  
• If the client statement of health needs to be created after a specified date and time.
  
  
• The validity period for the statement of health.
  
  

Differences in these configurations between sites in the same Configuration Manager hierarchy can result in a different health state for a client that is compliant with its Configuration Manager NAP policies.

Important

A Configuration Manager client with the Network Access Protection client agent enabled could roam into a different Configuration Manager hierarchy and have its client statement of health validated by a System Health Validator point from outside its Configuration Manager hierarchy. In this scenario, the validation process will fail the site check unless the NAP health state references for both hierarchies publish to the same location. If the System Health Validator point cannot verify the client's site, this will result in a client health state of unknown, which by default is configured on the Network Policy Server as non-compliant. If the Network Policy Server has network policies configured for limited access for Network Access Protection, these clients cannot be remediated and risk being unable to access the full network. To address this scenario, an exemption policy on the Network Policy Server could give Configuration Manager clients that roam outside their Configuration Manager hierarchy full network access.

Tasks

Concepts