Use the following information to identify key issues to take into account when enabling and disabling Network Access Protection (NAP) on a Configuration Manager 2007 site.

Important
Network Access Protection in Configuration Manager has a number of external dependencies and configuration tasks that must be completed for it to work. It is recommended that these be in place before enabling NAP in Configuration Manager. More information about these dependencies and configuration tasks can be found under the See Also section.

Enabling Network Access Protection in Configuration Manager

Enabling Network Access Protection (NAP) on a Configuration Manager 2007 site requires that you enable the Network Access Protection client agent. This will immediately enable any Configuration Manager NAP policies on the site that are either inherited from a parent site enabled for Network Access Protection or were previously created on the site before disabling Network Access Protection. Configuration Manager NAP policies are the means by which Configuration Manager clients that are NAP-capable will assess their compliance for the software updates you select.

Important
Before enabling Network Access Protection, run the report List of Network Access Protection policies. This will display any Configuration Manager NAP policies that will be automatically enabled when you enable the Network Access Protection client agent. If you are enabling the agent on a child site, make sure that the software updates in the NAP policies are available to clients in your site. If you are re-enabling the client agent on a site that previously created Configuration Manager NAP policies, you might need to delete old Configuration Manager NAP policies as soon as you re-enable the client agent if the software updates are no longer needed and have been deleted from distribution points.

After you have enabled Network Access Protection on a site, Configuration Manager can then report on NAP-capable computers that are assigned to the site. This includes reporting the number of computers that are in remediation for any System Health Agents you are using with your Network Access Protection deployment.

When Network Access Protection is enabled in Configuration Manager, you can create Configuration Manager NAP policies on the central or primary site. Child sites inherit Configuration Manager NAP policies from their parent site.

Note
Although enabling the Network Access Protection client agent on the site immediately enables any Configuration Manager NAP policies (and allows you to create Configuration Manager NAP policies on the central or primary site), clients will not begin NAP evaluation of policies until they next download their client policy with the new client agent setting. Until the client receives the new client policy with the Network Access Protection client agent enabled, it will not assess its compliance with its site Configuration Manager NAP policies and will be given a health state of compliant by the System Health Validator point.

Disabling Network Access Protection in Configuration Manager

If you no longer require Network Access Protection (NAP) with Configuration Manager 2007, follow these procedures:

  1. The policies on the Windows Network Policy Servers must be reconfigured or deleted so that they do not reference the Configuration Manager System Health Validator. This can be achieved either by reconfiguring the health policies or by selecting, in the network policies, a different health policy that does not include the Configuration Manager System Health Validator.

  2. If you are disabling Network Access Protection on all your Configuration Manager hierarchies, delete all Configuration Manager NAP policies on the central or primary site where they were created.

  3. Disable the Network Access Protection client agent. This setting will take effect on clients when they next download their client policy. This happens on the next scheduled interval (which, by default, is set to every 60 minutes but can be changed with the option Policy polling interval in the Computer Client Agent Properties: General Tab). The latest client policy can also be downloaded if requested locally on the Configuration Manager client or with a script. For more information, see How to Initiate Policy Retrieval for a Configuration Manager Client.

    Until the client receives the new client policy with the Network Access Protection client agent disabled, it will continue to assess its compliance with its site Configuration Manager NAP policies.

  4. Remove the site system role System Health Validator point from the computers running Windows Network Policy Server.
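
Step 3 notes that a client can be asked for its latest policy with a script. The following PowerShell is an added example, not part of the original documentation: it calls the client's SMS_Client.TriggerSchedule WMI method on each named computer to request machine policy retrieval and evaluation, so the client agent change does not wait for the polling interval. The function name Request-MachinePolicy and the host names CLIENT01 and CLIENT02 are hypothetical, and the script assumes remote WMI access with administrative rights on the clients.

```powershell
# Added example: request machine policy retrieval and evaluation on
# Configuration Manager clients instead of waiting for the polling interval.

function Request-MachinePolicy {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName
    )

    # Client schedule IDs for the two machine policy actions.
    $actions = @(
        @{ Name = 'Machine policy retrieval';  Id = '{00000000-0000-0000-0000-000000000021}' },
        @{ Name = 'Machine policy evaluation'; Id = '{00000000-0000-0000-0000-000000000022}' }
    )

    foreach ($computer in $ComputerName) {
        foreach ($action in $actions) {
            $status = 'Requested'
            $detail = ''
            try {
                # TriggerSchedule is a static method of SMS_Client in root\ccm.
                Invoke-WmiMethod -ComputerName $computer -Namespace 'root\ccm' `
                    -Class 'SMS_Client' -Name 'TriggerSchedule' `
                    -ArgumentList $action.Id -ErrorAction Stop | Out-Null
            }
            catch {
                # Unreachable host, access denied, or no client installed.
                $status = 'Failed'
                $detail = $_.Exception.Message
            }
            # One result row per computer and action.
            New-Object PSObject -Property @{
                Computer = $computer
                Action   = $action.Name
                Status   = $status
                Detail   = $detail
            }
        }
    }
}

# Constructed sample host names; replace with real client names.
Request-MachinePolicy -ComputerName 'CLIENT01', 'CLIENT02' |
    Select-Object Computer, Action, Status, Detail |
    Format-Table -AutoSize
```

A status of Requested means only that the client accepted the trigger; the client still has to download and apply the policy, so any host listed as Failed keeps its previous Network Access Protection client agent setting until its next scheduled poll.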

After disabling Network Access Protection, the home page will continue to show data until it is aged out, and the Policies node under Network Access Protection will remain visible until you refresh the Network Access Protection node or reload the Configuration Manager console.

Important
When Network Access Protection has never been enabled for the site, the home page will not display any data except a message informing you that Network Access Protection is not enabled for the site. If you disable Network Access Protection after it has been enabled, any information relating to Network Access Protection continues to display until it ages out, and there will be no message informing you that Network Access Protection is now disabled.

See Also