NAP and SCCM2007 interaction

  • Article

My previous post provided information and links to help gain a general understanding of how NAP works and the components involved.  Let's turn to the specifics of NAP working with SCCM2007.

Before beginning to work with NAP and SCCM 2007 it is a good idea to
(1) confirm that the NAP infrastructure works without SCCM2007 in the picture - by using the standard Windows SHV.  If the NAP infrastructructure isn't healthy and working prior to SCCM 2007, it will be more difficult to troubleshoot the problem when SCCM2007 is added to the picture! 
(2) verify the software updates management (SUM) components of SCCM 2007 are functional and able to deliver patches.  If SUM isn't working, NAP won't either!

Once we have confirmed both of the above, there are several required steps to configure and begin using SCCM2007 with NAP
(1)  Install the SCCM 2007 SHV on a Windows Longhorn server.  This is done by flagging the Windows Longhorn server as a new site system and selecting the System Health Validator (SHV) role. 
(2)  Configure NAP policy specific to the SCCM 2007 SHV.  This is done in the NPS server console.
      The documentation for NAP that comes with the beta 1 refresh version of SCCM2007, available at 
      https://www.microsoft.com/smserver/evaluation/2003/smsv4.mspx, does a good job of covering how the NAP
      server policies should be configured to work with the SCCM 2007 SHV.  In general, the following policies
      are required
      NAP ineligable policy - This policy is to detect machines that are not NAP capable and grant access
      to them regardless of their state regarding software update compliance.
SMS Unhealthy policy - This is the policy that is applied when a NAP capable system is detected to
      be unhealthy and requires remediation.
SMS Healthy policy - This is the policy that is applied when a NAP capable system is detected to
      be healthy and allowed full network access
(3)  Install the NAP agent on any SCCM 2007 client machines that will participate in NAP (not required if client machines are running Vista)
(4)  Enable the NAP client agent
(5)  Configure a NAP policy to enforce a particular update on clients.
Note: The steps to configure the chosen network access method (DHCP, IPSec, VPN/RAS) are not included here as these configurations are not specific to SCCM 2007 - they are required for the NAP infrastructure to work with even the default Windows SHV.

The flow of events through the NAP system when using SCCM2007 are interesting.  We will take a look at that in the next entry, including how SCCM2007 handles NAP when a configured policy isn't applicable to the OS.