About Enforcing Compliance with Network Access Protection

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

Use the following information to understand how software updates in Configuration Manager 2007 can be enforced with Network Access Protection, and identify the coordination required between configuration in Configuration Manager and configuration on the Network Policy Server.

The Interaction between Network Access Protection in Configuration Manager and Network Policy Server

Network Access Protection (NAP) in Configuration Manager 2007 works in conjunction with Microsoft Windows Network Policy Server to enforce compliance of selected software updates on clients that are capable of supporting Network Access Protection (NAP-capable clients), such as Windows Vista.

Configuration Manager by itself does not enforce compliance with Network Access Protection; it provides the means by which Configuration Manager clients can produce a statement of health with a non-compliant status if they do not have the required software updates in the Configuration Manager NAP policies you configure. A Configuration Manager System Health Validator point confirms the health state of the computer as compliant, or non-compliant and passes this information to the Network Policy Server. Policies on the Network Policy Server then determine whether non-compliant computers will be remediated and, additionally, whether they will have restricted network access until they are compliant.

Remediation is the mechanism of making a non-compliant computer compliant to ensure that clients conform to compliance policies. Configuration Manager remediation uses the software update packages you have already created, with the software updates feature.

For more information about coordinating the configuration of Network Access Protection so that compliance with software updates can be enforced, see Determine Administrator Roles and Processes for Network Access Protection.

Enforcing Compliance for Clients That Cannot Support NAP (NAP-Ineligible Clients)

NAP-ineligible clients cannot produce a statement of health and therefore cannot have compliance enforced through Network Access Protection.

However, you can still target those computers with the required software updates using software update deployments with a deadline. If the software update is still required by the deadline, it will be installed automatically.

However, unlike Network Access Protection, the software updates feature cannot restrict access to the network until computers are compliant.

For a comparison of software updates and Network Access Protection, see About the Differences Between Software Updates and Network Access Protection.

See Also


About Compliance for Network Access Protection in Configuration Manager
About the NAP Client Status in Network Access Protection
Determine Your Policy Strategy for Network Access Protection
About Network Access Protection Remediation
About System Health Validator Points in Network Access Protection

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.