Configure NAP Enforcement Clients in Group Policy

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

To configure NAP enforcement clients in Group Policy, configure a NAP client Group Policy object (GPO) and apply this GPO to a NAP client security group with security group filtering.

Membership in the local Domain Admins group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

Create a NAP client GPO

Use the following procedure to create a NAP client GPO to enforce NAP client settings on client computers.

To create the NAP client GPO

  1. On a domain controller or member server with the Group Policy Management feature installed, click Start, click Run, type gpme.msc, and then press ENTER.

  2. In the Browse for a Group Policy Object dialog box, click the Create New Group Policy Object icon, type the name of the GPO (for example, NAP GPO), and then click OK. The Group Policy Management Editor opens.

Enable NAP enforcement clients in the NAP client GPO

Use the following procedure to enable NAP enforcement clients in a GPO.

To enable NAP enforcement clients

  1. In the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients.

Note

If you are running Windows Server 2008 on your computer, and you want to enable the Wireless Eapol enforcement client, see step 4.

  1. In details pane, right-click the enforcement client you want to enable, and then click Enable.

Note

For the VPN enforcement method, if your client computer is running Windows 7, be sure to enable EAP Quarantine Enforcement Client. If your client computer is running Windows XP or Windows Vista, be sure to enable Remote Access Quarantine Enforcement Client.

The following table lists NAP enforcement client name changes between Windows Server 2008 and Windows Server 2008 R2:


<table>
<colgroup>
<col style="width: 50%" />
<col style="width: 50%" />
</colgroup>
<thead>
<tr class="header">
<th>Windows Server 2008</th>
<th>Windows Server 2008 R2</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>DHCP Quarantine Enforcement Client</p></td>
<td><p>DHCP Quarantine Enforcement Client</p></td>
</tr>
<tr class="even">
<td><p>IPSec Relying Party</p></td>
<td><p>IPSec Relying Party</p></td>
</tr>
<tr class="odd">
<td><p>TS Gateway Quarantine Enforcement Client</p></td>
<td><p>RD Gateway Quarantine Enforcement Client</p></td>
</tr>
<tr class="even">
<td><p>EAP Quarantine Enforcement Client</p></td>
<td><p>EAP Quarantine Enforcement Client</p></td>
</tr>
<tr class="odd">
<td><p>Remote Access Quarantine Enforcement Client</p></td>
<td><p>Remote access enforcement client for Windows XP and Windows Vista</p></td>
</tr>
<tr class="even">
<td><p></p></td>
<td><p>Wireless EAPOL enforcement client for Windows XP</p></td>
</tr>
</tbody>
</table>
  1. In Group Policy Management Editor tree, right-click NAP Client Configuration, and then click Apply.

  2. To enable the Wireless Eapol enforcement client on computers running Windows XP with SP3, open Computer Configuration\Policies\Administrative Templates\Windows Components\Network Access Protection, double-click Allow the Network Access Protection client to support the 802.1x Enforcement Client component, click Enabled, and then click OK.

  3. Close the Group Policy Management Editor.

Enable security filtering on the NAP client GPO

Use the following procedure to enable security filtering on the NAP client GPO.

To enable security filtering

  1. On a domain controller or member server with the Group Policy Management feature installed, click Start, click Run, type gpmc.msc, and then press ENTER.

  2. In Group Policy Management console tree, click the name of the GPO that you created in the first procedure, NAP GPO.

  3. In the details pane, under Security Filtering, click Authenticated Users, click Remove, and then click OK.

  4. Click Add, type the name of a NAP client security group that you have created (for example, Vista NAP Clients), and then click OK.

    For more information, see Configure NAP Client Security Groups.

See Also

Concepts

NAP Client Computers