You can use Network Access Protection with DHCP to enforce health policies, which can help protect a network against the spread of viruses, worms, and malicious software (malware).

NAP enforces health policies for the following network access technologies: DHCP address configuration, network connections based on VPN, and communication based on Internet Protocol security (IPsec). NAP also provides a suite of APIs that allow companies other than Microsoft to integrate their software into the NAP platform. By using the NAP APIs, software vendors can provide end-to-end solutions that validate health and remediate unhealthy clients.

DHCP Enforcement comprises a DHCP NAP ES component and a DHCP NAP EC component. Using DHCP Enforcement, DHCP servers can enforce health policy requirements any time a computer attempts to lease or renew an IP address configuration on the network. DHCP Enforcement is the easiest enforcement to deploy because all DHCP client computers must lease IP addresses. Because DHCP Enforcement relies on entries in the IP routing table, it is the weakest form of limited network access in Network Access Protection. The DHCP Server service on a computer running Windows Server 2008 provides automatic IP address configuration to intranet clients.

Between a NAP client and a DHCP server, the NAP client acting as a DHCP client uses DHCP messages to obtain a valid IPv4 address configuration and to indicate its current system health state. The NAP server uses DHCP messages to allocate either an IPv4 address configuration for the restricted network and indicate remediation instructions (if the DHCP client is noncompliant), or an IPv4 address configuration for unlimited access (if the DHCP client is compliant).