I’m Carol Bailey, Senior Technical Writer for System Center Configuration Manager 2007 (formerly SMS 2003), and I’m involved with many of the security-related features in Configuration Manager – including Internet-based client management, desired configuration management, … and Network Access Protection (NAP).
NAP was always one of the principal new features for Configuration Manager, and I’ve been with the Configuration Manager NAP feature team right from Beta 1, over three years ago now. I’ve seen it through from specs, to test passes, TAP exit criteria, Dogfooding, and to its implementation on the MS IT network. It’s really exciting to know that with the release of Windows Server 2008, it’s now fully supported on customer production networks. Despite Configuration Manager being released in August last year, we couldn’t fully support our NAP feature when the dependent operating system wasn’t yet released.
Because of my involvement with Configuration Manager NAP, I was asked to attend the RSA Conference in San Francisco to help with the expo booths that were running NAP demos. We had demos that showed a noncompliant computer being restricted and remediated for a software update, Windows security settings, and the Forefront services. You can watch a similar demo, with callouts: NAP clickthrough
This demo shows the user experience of NAP, and the administrator interface for the configuration piece, but what’s really going on under the hood? This post gives you the technical lowdown of how NAP works in Configuration Manager.
But before we look at what’s happening when the noncompliant computer connects to the network, we need to step back to see what’s in place to ensure that noncompliance is reported and remediation is possible (NAP setup). Then we can work through how NAP compliance is evaluated and how NAP remediation works.
As a prerequisite for NAP in Configuration Manager, the administrator has performed the following actions:
Note: There are a number of configuration options available when configuring a site for Network Access Protection, but here we will assume that all defaults are used. There’s more information about the configuration options in the Configuration Manager documentation library: Configuring Network Access Protection.
NAP Setup:
NAP compliance is evaluated, and remediation is initiated when needed:
Taking the scenario in the demo where the laptop has been off the network for a period of time, missed the deployment of the software update that is now configured for NAP, and the effective date is due:
There are other checks that the Configuration Manager System Health Validator (SCCM SHV) performs in addition to the health state reference and the compliance status. For more information, see About System Health Validator Points in Network Access Protection.
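To make the two checks named above concrete, here is an added, simplified model of the SHV decision for the demo scenario (the laptop that missed a NAP-enabled update whose effective date is now due). It is illustrative code written for this post, not Configuration Manager’s own SHV logic or data formats; the class names, the health state reference identifier and the KB-EXAMPLE update ids are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed, simplified model of the System Health Validator (SHV) decision.
# Names, fields and identifiers below are assumptions for illustration only.

@dataclass
class NapPolicy:
    health_state_reference: str   # current reference the site has published
    required_updates: dict        # update id -> effective date for NAP enforcement

@dataclass
class StatementOfHealth:
    client_id: str
    health_state_reference: str   # reference the client evaluated against
    installed_updates: set
    evaluated_at: datetime

@dataclass
class ValidationResult:
    compliant: bool
    reason: str
    missing_updates: list = field(default_factory=list)

def validate_soh(soh: StatementOfHealth, policy: NapPolicy, now: datetime) -> ValidationResult:
    # Check 1: the SoH must reference the current health state reference; a stale
    # reference means the client's compliance claim was made against old policy.
    if soh.health_state_reference != policy.health_state_reference:
        return ValidationResult(False, "stale health state reference")
    # Check 2: every NAP-enabled update whose effective date has passed must be
    # present; updates not yet due do not make the client noncompliant.
    missing = sorted(uid for uid, effective in policy.required_updates.items()
                     if effective <= now and uid not in soh.installed_updates)
    if missing:
        return ValidationResult(False, "missing required updates", missing)
    return ValidationResult(True, "compliant")

def demo_laptop_scenario() -> ValidationResult:
    # Constructed sample: one update already due, one not due until later.
    policy = NapPolicy("HSR-EXAMPLE-1", {
        "KB-EXAMPLE-1": datetime(2008, 3, 1),
        "KB-EXAMPLE-2": datetime(2008, 6, 1),
    })
    laptop = StatementOfHealth("LAPTOP01", "HSR-EXAMPLE-1",
                               {"KB-EXAMPLE-0"}, datetime(2008, 3, 10))
    return validate_soh(laptop, policy, datetime(2008, 3, 10))
```

A noncompliant result is what drives the restriction and remediation shown in the demo; a compliant result grants full network access.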
In my next post, I’ll highlight some gotchas, FAQs, best practices, and tips for implementing NAP in Configuration Manager.
The documentation for Configuration Manager NAP can be found in the feature section of the Configuration Manager documentation library: Network Access Protection in Configuration Manager. Related to the information in this post, you might find the following useful:
Background information
Overview of Network Access Protection
About the Statement of Health (SoH) in Network Access Protection
About NAP Health State References in Network Access Protection
About Network Access Protection Remediation
Verification tasks
How to Verify Client Statements of Health for Network Access Protection
How to Verify Clients are Going into Remediation with Network Access Protection
Flowcharts
System Health Validator Point: Validation Process for Network Access Protection
SoH Response to Non-Compliant Configuration Manager Client with Network Access Protection
If you have any questions or feedback about the documentation for Configuration Manager NAP, you can e-mail me (Carol.Bailey@Microsoft.com) or my documentation team (SMSDocs@Microsoft.com).
- Carol
This posting is provided AS IS with no warranties and confers no rights.