About Configuration Manager NAP Policies in Network Access Protection
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Use the following information to understand what Configuration Manager NAP policies are and their role in Configuration Manager 2007 Network Access Protection (NAP). You will need to create, configure and manage Configuration Manager NAP policies if you want to enforce software updates with Network Access Protection, and will see references to them in the Policies home page, and the Network Access Protection report List of Network Access Protection policies.
Configuration Manager NAP Policies
Configuration Manager NAP policies in Configuration Manager 2007 contain software updates that your company decides are required for compliance by a defined date (the effective date).
When you enable the Configuration Manager 2007 Network Access Protection client agent for a site, Configuration Manager NAP-capable clients assigned to that site will evaluate their compliance by using the Configuration Manager NAP policies that are created on that site or inherited from a parent site.
NAP-capable clients receive Configuration Manager NAP policies with their machine policy, which is downloaded according to the computer client agent polling interval (by default, every hour), or it can be initiated locally from the client (for example, through scripting or Configuration Manager in Control Panel).
If the validation process on the System Health Validator point discovers that the client did not evaluate with up-to-date Configuration Manager NAP policies, the System Health Validator point deems the client non-compliant, even if it is before the effective date in the Configuration Manager NAP policies. This then triggers the client to download its machine policy (which contains the latest Configuration Manager NAP policies) and re-evaluate its compliance to produce a more up-to-date client statement of health.
Applying Configuration Manager NAP policies to new Configuration Manager 2007 clients will have a natural latency until clients are successfully assigned to a site, download policy and evaluate their compliance. Until this process is complete, the client will send a compliant status in its client statement of health to the System Health Validator point.
Managing Configuration NAP Policies
For administrator tasks related to Configuration Manager NAP policies, see How to Configure Configuration Manager NAP Policies for Network Access Protection.
About Reports for Network Access Protection
Policies Home Page
About Compliance for Network Access Protection in Configuration Manager
About the NAP Effective Date in Network Access Protection
About Enforcing Compliance with Network Access Protection
About the NAP Client Status in Network Access Protection
About NAP Evaluation in Network Access Protection
About the Statement of Health (SoH) in Network Access Protection
About System Health Validator Points in Network Access Protection
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.