Topic last updated—May 2008
Network Access Protection (NAP) in Configuration Manager 2007 complements the software updates feature in Configuration Manager 2007; it does not replace it. You must have software updates configured with software update packages before you can create Configuration Manager NAP policies.
The following table compares the two features.
Feature | Software Updates | Network Access Protection (NAP) |
---|---|---|
Requires Windows Server 2008. | No. | Yes - requires Windows Server 2008 for the NAP Windows infrastructure. |
Requires additional infrastructure services and configuration outside Configuration Manager. | Yes, Windows Update Service. | Yes - requires Windows Network Policy Server and NAP enforcement mechanisms such as IPsec, 802.1X, DHCP, VPN. |
Requires the Active Directory schema to be extended with Configuration Manager 2007 schema extensions, and all primary sites publishing to Active Directory Domain Services. | No. | Yes - this is required to store the health state references. However, if you have multiple Active Directory forests, you can designate a different Active Directory forest from the site server's forest. |
Requires an additional Configuration Manager system role. | Yes - the software update point. | Yes - requires the System Health Validator point that runs on the computer running Windows Network Policy Server. |
Installation of software updates can be enforced through remediation when the computer connects to the network. | No - computers periodically scan to see whether they require software updates in deployments targeted to them. When they have been configured with a deadline, they will be installed automatically. | Yes - although this is not under the control of Configuration Manager. Instead, it is under the control of the configuration of policies on the Windows Network Policy Server. |
Computers can be granted restricted network access until the required software updates are installed. | No. | Yes - although this is not under the control of Configuration Manager. Instead, it is under the control of the configuration of policies on the Windows Network Policy Server. |
Software updates can be targeted to specific computers for phased deployment. | Yes, using collections. | No - NAP policies are automatically targeted to all computers assigned to the site, and Configuration Manager NAP policies flow down the Configuration Manager hierarchy. Collections are not used for targeting. |
Supported by all Configuration Manager clients. | Yes. | No - only NAP-capable clients such as Windows Vista, Windows Server 2008, and Windows XP Service Pack 3. |
Client agent is enabled by default. | Yes - although sites upgraded from SMS 2003 retain existing configuration. | No. |
Administrative role separation. | No - a software updates administrator can manage both software updates and NAP policies. | Yes - Configuration Manager can be configured so that administrators can manage Configuration Manager NAP policies but not software updates. |
See Also
Concepts
About Enforcing Compliance with Network Access Protection
Network Access Protection Security Rights
About Network Access Protection Remediation
About Configuration Manager NAP Policies in Network Access Protection
About Phased and Expedited Network Access Protection Deployments
Other Resources
Overview of Network Access Protection
Planning for Network Access Protection
Configuring the Network Policy Server for Configuration Manager