Use the following information to identify key issues to take into account when enabling and disabling Network Access Protection (NAP) on a Configuration Manager 2007 site.
Network Access Protection in Configuration Manager has a number of external dependencies and configuration tasks that must be completed for it to work. It is recommended that these be in place before enabling NAP in Configuration Manager. More information about these dependencies and configuration tasks can be found under the See Also section.
Enabling Network Access Protection in Configuration Manager
Enabling Network Access Protection (NAP) on a Configuration Manager 2007 site requires that you enable the Network Access Protection client agent. This will immediately enable any Configuration Manager NAP policies on the site that are either inherited from a parent site enabled for Network Access Protection or were previously created on the site before disabling Network Access Protection. Configuration Manager NAP policies are the means by which Configuration Manager clients that are NAP-capable will assess their compliance for the software updates you select.
Before enabling Network Access Protection, run the report List of Network Access Protection policies. This will display any Configuration Manager NAP policies that will be automatically enabled when you enable the Network Access Protection client agent. If you are enabling the agent on a child site, make sure that the software updates in the NAP policies are available to clients in your site. If you are re-enabling the client agent on a site that previously created Configuration Manager NAP policies, you might need to delete old Configuration Manager NAP policies as soon as you re-enable the client agent if the software updates are no longer needed and have been deleted from distribution points.
After you have enabled Network Access Protection on a site, Configuration Manager can then report on NAP-capable computers that are assigned to the site. This includes reporting the number of computers that are in remediation for any System Health Agents you are using with your Network Access Protection deployment.
When Network Access Protection is enabled in Configuration Manager, you can create Configuration Manager NAP policies on the central or primary site. Child sites inherit Configuration Manager NAP policies from their parent site.
Although enabling the Network Access Protection client agent on the site immediately enables any Configuration Manager NAP policies (and allows you to create Configuration Manager NAP policies on the central or primary site), clients will not begin NAP evaluation of policies until they next download their client policy with the new client agent setting. Until the client receives the new client policy with the Network Access Protection client agent enabled, it will not assess its compliance with its site Configuration Manager NAP policies and will be given a health state of compliant by the System Health Validator point.
Disabling Network Access Protection in Configuration Manager
If you no longer require Network Access Protection (NAP) with Configuration Manager 2007, follow these procedures:
- The policies on the Windows Network Policy Servers must be reconfigured or deleted so that they do not reference the Configuration Manager System Health Validator. This can be achieved by either reconfiguring the health policies or selecting in the network policies a different health policy that does not include the Configuration Manager System Health Validator.
- If you are disabling Network Access Protection on all your Configuration Manager hierarchies, delete all Configuration Manager NAP policies on the central or primary site where they were
- Disable the Network Access Protection client agent. This setting will take effect on clients when they next download their client policy. This happens on the next scheduled interval (which, by default, is set to every 60 minutes but can be changed with the option Policy polling interval in the Computer Client Agent Properties: General Tab). The latest client policy can also be downloaded if requested locally on the Configuration Manager client or with a script. For more information, see How to Initiate Policy Retrieval for a Configuration Manager Client.
  Until the client receives the new client policy with the Network Access Protection client agent disabled, it will continue to assess its compliance with its site Configuration Manager NAP policies.
- Remove the site system role System Health Validator point from the computers running Windows Network Policy Server.
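Both the enable and disable procedures above depend on clients downloading new client policy, and the text notes this can be requested with a script. The following PowerShell is an added example, not part of the original documentation: it asks a list of clients to retrieve and evaluate machine policy immediately through the client's `SMS_Client.TriggerSchedule` WMI method. The computer names are placeholders, and it assumes the caller has administrative rights and remote WMI access to each client.

```powershell
# Added example: request immediate machine policy retrieval on ConfigMgr clients
# so a changed Network Access Protection client agent setting is picked up
# without waiting for the policy polling interval.
# Assumptions: placeholder computer names; admin rights and remote WMI (DCOM)
# access to each client.

# Client schedule IDs accepted by SMS_Client.TriggerSchedule
$RetrievePolicy = '{00000000-0000-0000-0000-000000000021}'  # machine policy retrieval
$EvaluatePolicy = '{00000000-0000-0000-0000-000000000022}'  # machine policy evaluation

function Request-ClientPolicy {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName
    )
    foreach ($computer in $ComputerName) {
        $result = New-Object PSObject -Property @{
            ComputerName = $computer
            Requested    = $false
            Error        = $null
        }
        try {
            # Each call only queues the action on the client; it returns
            # before the policy has actually been downloaded or evaluated.
            foreach ($id in $RetrievePolicy, $EvaluatePolicy) {
                Invoke-WmiMethod -ComputerName $computer -Namespace 'root\ccm' `
                    -Class 'SMS_Client' -Name 'TriggerSchedule' `
                    -ArgumentList $id -ErrorAction Stop | Out-Null
            }
            $result.Requested = $true
        }
        catch {
            # Offline host, firewall, missing client or access denied:
            # record the reason and continue with the next computer.
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# Placeholder host names, constructed for this example
Request-ClientPolicy -ComputerName 'CLIENT01', 'CLIENT02' |
    Select-Object ComputerName, Requested, Error |
    Format-Table -AutoSize
```

Clients listed with `Requested` set to false still hold their previous client agent setting and should be retried or left to the normal polling interval.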
After disabling Network Access Protection, the home page will continue to show data until it is aged out and the Policies node under Network Access Protection will remain visible until you refresh the Network Access Protection node or reload the Configuration Manager console.
When Network Access Protection has never been enabled for the site, the home page will not display any data except a message informing you that Network Access Protection is not enabled for the site. If you disable Network Access Protection after it has been enabled, any information relating to Network Access Protection continues to display until it ages out and there will be no message informing you that Network Access Protection is now disabled.
See Also
Tasks
How to Delete a Configuration Manager NAP Policy to Stop NAP Evaluation in Network Access Protection
How to Enable the Network Access Protection Client Agent
How to Run Network Access Protection Reports
How to View Configuration Manager NAP Policies for Network Access Protection
How to Disable the Network Access Protection Client Agent
Concepts
About Latency in the Configuration Manager Console
About Network Access Protection in Configuration Manager Hierarchies
About Network Access Protection Remediation
About Configuration Manager NAP Policies in Network Access Protection
Prerequisites for Network Access Protection
About System Health Validator Points in Network Access Protection
Other Resources
Planning for Network Access Protection
Configuring the Network Policy Server for Configuration Manager