
Planning for Operating System Deployment in a NAP-Enabled Environment

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

When deploying an operating system and Configuration Manager 2007 client into an environment that is using Network Access Protection (NAP), you must take additional configuration steps. Failing to configure an operating system deployment correctly for Network Access Protection can result in newly deployed computers having restricted network access with failed remediation.

Clients running Windows Vista and Windows Server 2008 natively support Network Access Protection, whereas computers running Windows XP do not natively support Network Access Protection and require the installation of an additional Network Access Protection client. For more information about the Network Access Protection Client for Windows XP, see the Network Access Protection Web site (http://go.microsoft.com/fwlink/?LinkId=59125).

Network Access Protection supports a number of enforcement mechanisms, such as IPsec, 802.1X, VPN, and DHCP. Each enforcement mechanism requires its respective Network Access Protection enforcement client to be enabled and the Windows Network Access Protection Service started and configured for automatic startup. For more information about deploying and configuring Network Access Protection in Configuration Manager, see Network Access Protection in Configuration Manager.

Use the steps in the following sections to ensure that the enforcement mechanism and the Windows Network Access Protection Service are enabled and interact correctly with the Configuration Manager client when you deploy an operating system into a NAP-enabled environment.

The Reference Computer Is Configured for Network Access Protection

The following scenario would be appropriate if all your operating system deployments are in a NAP-enabled environment, using the same NAP-enforcement mechanism:

  1. Configure the reference computer with the operating system, service packs, security updates, applications, settings, tools and desktop customization.

  2. If the operating system is Windows XP, install the Network Access Protection Client for Windows XP.

  3. Enable the appropriate Network Access Protection enforcement clients.

  4. Configure the Windows Network Access Protection service to start automatically, and start the service.

  5. Capture the image.

  6. Create a task sequence that references this image.

  7. Advertise the task sequence to computers.

With this configuration, the Network Access Protection enforcement client and the Windows Network Access Protection Service start automatically on the newly deployed computer because they are part of the image. They are therefore already running when the Configuration Manager client installs, which ensures that the Configuration Manager client can bind to the Windows Network Access Protection Service.

The Reference Computer Is Not Configured for Network Access Protection

The following scenario would be appropriate if only some of your computers are installed into a NAP-enabled environment, or if you need to add the configuration for Network Access Protection to an existing captured image:

  1. Configure the reference computer with the operating system, service packs, security updates, applications, settings, tools and desktop customization.

  2. Capture the image.

  3. Create a task sequence that references this image.

  4. If the operating system is Windows XP, add a custom task sequence step that will run in the newly deployed operating system to install the Network Access Protection Client for Windows XP.

  5. Add a custom task sequence step that will run in the newly deployed operating system to enable the appropriate Network Access Protection enforcement clients.

    Note
    Use the netsh command-line utility: netsh nap client set enforcement <enforcement ID> enable. For more information, see the Windows Network Access Protection documentation. For ongoing configuration, ensure that Group Policy configures the enforcement clients.

  6. Add a custom task sequence step that will run in the newly deployed operating system to configure the Windows Network Access Protection Service to start automatically, and start the service.

    Note
    For ongoing configuration, ensure that Group Policy configures this service.

  7. Add a custom task sequence step to restart the computer.

    Note
    This restart is necessary to ensure that the enforcement clients and the Windows Network Access Protection Service are already running when the Configuration Manager client starts, which ensures that the Configuration Manager client can correctly bind to the Windows Network Access Protection Service.

  8. Advertise the task sequence to computers.
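The following batch script is an added example of what a single "Run Command Line" task sequence step for steps 5 and 6 above could execute; it is not part of the original documentation. It assumes the DHCP quarantine enforcement client (ID 79617) and the NAP Agent service name napagent; substitute the enforcement ID that matches your deployment (IPsec, 802.1X, or VPN). Each command is checked so that a failure makes the task sequence step fail visibly instead of silently leaving the computer in restricted network access.

```batch
@echo off
rem Added example, not from the original page. Enables one NAP enforcement client and
rem ensures the Windows NAP Agent service is set to Automatic and running before the
rem Configuration Manager client starts. Assumptions: enforcement ID 79617 (DHCP) and
rem service name napagent; Group Policy should enforce both settings afterwards.
setlocal
set ENFORCEMENT_ID=79617

rem Step 5: enable the enforcement client. Quoted ADMIN value is the netsh syntax.
netsh nap client set enforcement ID = %ENFORCEMENT_ID% ADMIN = "ENABLE"
if errorlevel 1 (
    echo ERROR: could not enable NAP enforcement client %ENFORCEMENT_ID% 1>&2
    exit /b 1
)

rem Step 6: set the NAP Agent service to start automatically.
sc config napagent start= auto
if errorlevel 1 (
    echo ERROR: could not set napagent startup type to Automatic 1>&2
    exit /b 1
)

rem Start the service only if it is not already running; net start blocks until the
rem service reports RUNNING, so a later verification is meaningful.
sc query napagent | find /i "RUNNING" >nul
if errorlevel 1 (
    net start napagent
    if errorlevel 1 (
        echo ERROR: could not start the Network Access Protection Agent service 1>&2
        exit /b 1
    )
)

rem Final verification: the service must be running and the enforcement client enabled.
sc query napagent | find /i "RUNNING" >nul
if errorlevel 1 (
    echo ERROR: napagent is not running after start attempt 1>&2
    exit /b 1
)
rem Log the current client state to the task sequence step output for later review.
netsh nap client show state

echo NAP enforcement client %ENFORCEMENT_ID% enabled and napagent running.
endlocal
exit /b 0
```

Because the script exits non-zero on any failure, the task sequence step reports the error and step 7 (the restart) is not reached on a misconfigured computer.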

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.