Configuration Manager NAP policies in Configuration Manager 2007 contain software updates that your company decides are required for compliance by a defined date (the effective date).

When you enable the Configuration Manager 2007 Network Access Protection client agent for a site, Configuration Manager NAP-capable clients assigned to that site will evaluate their compliance by using the Configuration Manager NAP policies that are created on that site or inherited from a parent site.

NAP-capable clients receive Configuration Manager NAP policies with their machine policy, which is downloaded according to the computer client agent polling interval (by default, every hour), or it can be initiated locally from the client (for example, through scripting or Configuration Manager in Control Panel).

If the validation process on the System Health Validator point discovers that the client did not evaluate with up-to-date Configuration Manager NAP policies, the System Health Validator point deems the client non-compliant, even if it is before the effective date in the Configuration Manager NAP policies. This then triggers the client to download its machine policy (which contains the latest Configuration Manager NAP policies) and re-evaluate its compliance to produce a more up-to-date client statement of health.

Applying Configuration Manager NAP policies to new Configuration Manager 2007 clients will have a natural latency until clients are successfully assigned to a site, download policy and evaluate their compliance. Until this process is complete, the client will send a compliant status in its client statement of health to the System Health Validator point.

For administrator tasks related to Configuration Manager NAP policies, see How to Configure Configuration Manager NAP Policies for Network Access Protection.

Tasks

Concepts