Export (0) Print
Expand All

Using Configuration Manager 2007 to Extend Software Update Compliance Across Networks

Technical Case Study

Published: June 2008

Microsoft Information Technology (Microsoft IT) uses Microsoft System Center Configuration Manager 2007 and Windows Server® 2008 Network Access Protection (NAP) to enforce software update compliance for client computers in the corporate network. Configuration Manager ensures that computers connecting to the network meet the Microsoft IT software update policy requirements for system health.


Download Technical Case Study, 381 KB, Microsoft Word file

Download TDM Webcast




Products & Technologies

The prevalence of Internet-originated malware threats made safeguarding the Microsoft corporate network a challenge. Microsoft IT wanted a solution that helped protect the network perimeter while granting access only to computers with required software updates.

Microsoft IT enforces compliance with required software updates by using Configuration Manager 2007 with NAP.

  • Configuration Manager 2007 provides an integrated interface to manage software updates and enforce their deployment via NAP.
  • Client computers are regularly checked for required software updates.
  • Computers can be automatically updated with required software updates anytime they are connected to the network.
  • Computers that do not have the required software updates can be quarantined in a restricted network.
  • Microsoft System Center Configuration Manager 2007
  • Windows Server 2008
  • Windows Vista
  • Network Access Protection


For enterprise IT departments, providing users and computers with access to network resources while securing network assets can be a challenge. Authenticated users must have access from inside and outside the network. The security policy must support multiple access methods, such as virtual private networks (VPNs), Wi-Fi, and Ethernet. To complicate these security considerations, the increasing number of Internet-borne malicious software (malware) programs that exploit computer vulnerabilities before a user can install software updates has forced IT departments to find ways to mitigate risks and help protect network assets.

When a worker takes a mobile computer out of the security of a firewall-protected corporate network and connects it directly to the Internet, he or she is potentially exposing that computer to malware. When the computer reconnects to the corporate network, it may spread malware inside the organization. For businesses that rely upon computer networking services, this scenario can threaten the core assets and the daily operations of their network.

For Microsoft IT specifically, giving employees access to its internal network from anywhere is essential to continued business agility. However, because many of the computers that connect to the Microsoft corporate network are mobile and often also connect directly to the Internet without the protective benefit of the corporate network firewall, Microsoft IT needed a robust, comprehensive network security solution that interoperates with the existing heterogeneous environment, in which multi-vendor software, hardware, and mixed-network infrastructures already exist.


Microsoft IT wanted to further restrict corporate network access to only those computers equipped with the latest software updates. To ensure compliance, Microsoft IT developed a series of system health policies. These policies mandated the installation of the latest important software updates, in addition to the use of dedicated security technologies such as firewalls and anti-malware tools. Furthermore, after the system health policies were developed, they needed to be enforced as a prerequisite for access to the network.

To enforce compliance with these policies, Microsoft IT decided to implement NAP, a service proved in Windows Server 2008 (and one that is supported in Windows Vista® and Windows® XP Service Pack 3), to regulate which computers can gain unrestricted access to network resources. NAP provides a framework for identifying the system health policies that devices must meet before accessing corporate network resources. NAP can quarantine non-compliant computers within a customizable, limited-access, restricted network.

Microsoft IT helps protect its network by employing network-access-enforcement technologies such as Internet Protocol Security (IPsec) and VPN for remote access users. By linking the use of these existing technologies with the new policy-enforcement features of NAP, Microsoft IT can effectively block all network connection attempts from non-compliant computers. Because NAP enforcement policies can be differentiated based on the network access technology used, Microsoft IT can specify different levels of quarantine, placing greater restrictions on external users who attempt to connect through VPN than those who attempt to connect through an Ethernet port from behind the corporate network firewall within a Microsoft business facility.

Note: NAP also works with other network access technologies such as 802.1X for wireless connections, Terminal Services Gateway, and Dynamic Host Configuration Protocol (DHCP). Because Microsoft IT already required the use of IPsec for access to its corporate network, it chose to link NAP enforcement to only IPsec and VPN.

To make sure that all connecting computers have the latest software updates, Microsoft IT uses System Center Configuration Manager 2007 with NAP. Microsoft IT was already using Configuration Manager, the successor to Microsoft Systems Management Server 2003, to inventory computer hardware and software and to push required software updates and other distributions throughout the network. By using Configuration Manager to validate a user's compliance with the software update policy for NAP and as the distribution source for software updates, the user is blocked from gaining access to network resources until his or her device becomes compliant with health policies.

How It Works

When a computer that the Configuration Manager–NAP solution identifies as non-compliant attempts to access the network, quarantine in NAP denies that computer access to corporate network resources specified by Microsoft IT. Configuration Manager then provides remediation services by managing the installation of the missing software updates as required by policy. After the missing updates are installed, NAP releases the computer from quarantine and restores full network access. The Configuration Manager plug-in within the NAP framework includes the following components:

  • Configuration Manager System Health Agent (SHA)   This component runs on the client computer and serves two purposes: to generate a Statement of Health (SoH) that indicates the status of the client computer relative to the software update system health policy; and to apply missing software updates to a computer that is found to be non-compliant with the system health policy.
  • Configuration Manager System Health Validator (SHV)   This component runs on the Network Policy Server (NPS) to evaluate the client computer's SoH and determine whether it is compliant with the latest system health policy, which changes whenever Microsoft IT releases a new software update and configures its enforcement in NAP.

The enforcement mechanism of NAP with the software update mechanism of Configuration Manager ensures that computers are constantly updated with the latest required software updates. NAP-enabled client computers will be less vulnerable to malware, more stable due to operating system improvements and updates, and less likely overall to suffer technical problems related to unresolved software problems.

Figure 1 illustrates the architecture and the sequence of events run by computers configured to use the Configuration Manager–NAP solution when attempting to connect to the Microsoft corporate network.

Components of the Configuration Manager-NAP solution infrastructure

Figure 1. Components of the Configuration Manager–NAP solution infrastructure

The sequence of events that the Configuration Manager–NAP solution perform in the Microsoft IT pilot is as follows:

  1. The Configuration Manager Site server downloads all the latest software updates from the Internet–based Microsoft Update service.
  2. The Configuration Manager Site server deploys the updates to the Configuration Manager Distribution Point server. It also publishes the list of new Microsoft IT–specified, NAP-required software updates to the Master State Store in Active Directory® Domain Services (AD DS).
  3. The Configuration Manager SHV that is running in the NPS polls AD DS and retrieves the list of the latest NAP-required software updates.
  4. An NAP-enabled client computer requests network access. The request triggers a network state change on the client computer, which prompts that computer to generate and send an SoH for each SHA that is installed to either the Health Registration Authority (HRA) server (used by internal, IPsec clients) or the VPN server (used by remote access clients). One of these servers then passes the SoHs along to the NPS server.

    The NPS server—which performs the same client authentication service for Windows Server 2008 as Internet Authentication Server (IAS) and Remote Authentication Dial-In User Service (RADIUS) servers did for Windows Server 2003—maintains the system health policies referenced by NAP. If the client computer that is requesting network access was granted access within the past five days (the validity period that Microsoft IT set for its SoHs), it cached its previous SoH after the SoH was confirmed as valid. Unless a critical situation develops that forces Microsoft IT to discard all cached SoHs, the NPS server grants the client computer unrestricted network access based on the cached, valid SoH.

    However, if the NPS server determines that one or more of the client SoHs do not match those of the SHVs that it has on record, have expired, or are missing for a required SHV, the NPS server considers the client unhealthy. The NPS server then sends a client out-of-compliance Statement of Health Response (SoHR) back to the originating HRA server or VPN server, which forwards that SoHR to the originating SHA on the client computer. At that time, the computer is quarantined in a restricted network for remediation instead of receiving full access to the network.
  5. If the non-compliance issue was based on the SoHR from the Configuration Manager SHV, the Configuration Manager SHA on the client computer downloads the latest system health policy from the Configuration Manager Management Point server. A local scan of the client computer then runs to identify all of the missing software updates according to the system health policy.

    Note: Managing non-compliance to policies in other SHVs is handled by the corresponding local SHAs after NAP places the computer in quarantine. This document does not cover the specific sequence of events for remediating issues unrelated to Configuration Manager SHV and SHA. For more information about how NAP works with other SHVs and SHAs, see the Network Access Protection page on Microsoft TechNet at http://technet.microsoft.com/en-us/network/bb545879.aspx.

  6. The client computer retrieves required software updates from the Configuration Manager Distribution Point server after comparing the scan results to the current system health policy, and then installs them.
  7. The client computer creates a new SoH for each SHA and sends them again to the NPS server by means of the HRA or VPN server (depending upon connection type) for validation. If the NPS server confirms that the new SoHs are compliant with the system health policies by the corresponding SHVs on the NPS server, the NPS server sends a policy-compliant SoHR to the originating HRA server or VPN server. The originating server in turn grants the client computer full access to the network.


In planning for deployment, Microsoft IT first developed the system health policies for computers and identified all must-have security policies for granting network access. These policies included the installation of all mandated software updates, the use of a software firewall, the installation of anti-malware software, the use of a real-time virus-scanning tool, and the installation of other key software applications as required by a particular group or department.

Microsoft IT considered all of the software updates available from Microsoft Update and determined which ones were critical for the protection of the network and all connected computers. Because Microsoft Update offers a reliable publication schedule of when software updates will be made available, Microsoft IT decided to review the software updates in each release cycle and enable the necessary updates in NAP by adding them to the software update policies.


Microsoft IT assembled the infrastructure needed for deployment of the Configuration Manager–NAP solution. This included identifying the server roles required, the number of servers per role, and whether the servers would span the domains that compose the Microsoft corporate network. Microsoft IT performed the following tasks to accommodate the solution rollout:

  • Set up the standard Windows NAP infrastructure:
    • Identified which type of network access technologies to protect.
    • Deployed NPS servers for defining network access and restriction policies.
    • Deployed quarantine enforcement servers, including VPN servers to authenticate remote access users, and HRA servers to obtain certificates from the existing Microsoft IT certification authority (CA) for compliant IPsec computers.
    • Identified a pool of remediation resource servers for resolving issues of non-compliant computers.
  • Set up the Configuration Manager software update infrastructure and enabled its integration with NAP:
    • Designed a Configuration Manager hierarchy for NAP on the existing Configuration Manager infrastructure.
    • Deployed SHV services for Configuration Manager, Windows, and antivirus on the NPS servers for validating client-computer-generated SoHs for policy compliance.
    • Identified the Active Directory Directory Services forest to be used as the Master State Store to maintain the client computer's health state references.
    • Extended the AD DS schema to include specific extensions for Configuration Manager and to ensure that a System Management container was present.
    • Configured existing Windows Server Update Services (WSUS) servers as Software Update Points in Configuration Manager.
    • Populated defined distribution point servers with NAP-enabled software update contents retrieved from the Microsoft Update service on the Internet.
    • Used the existing Fall Back Status Point to enable client deployment, assignment monitoring, and reporting.
    • Applied a Group Policy setting that targeted the desktop computer domain or organizational unit (OU) to maintain the current client assignment in existing Configuration Manager sites.
    • Enabled the Configuration Manager–NAP component agent at the Configuration Manager Site server level. This enabled clients to participate in NAP.
    • Deployed the Configuration Manager client by means of WSUS.
  • Conducted other tasks needed to complete the solution rollout:
    • Developed a custom Windows NAP reporting schema.
    • Developed a custom Configuration Manager reporting schema.
    • Used Configuration Manager to deploy other SHAs onto participating client computers.
    • Planned and implemented a test and pilot phase for the Configuration Manager–NAP solution.

Note: This technical case study does not cover specific technical deployment issues or processes. For more detailed technical information on the specific architectural requirements and processes for a NAP deployment, see the documentation on the Network Access Protection page on Microsoft TechNet at http://technet.microsoft.com/en-us/network/bb545879.aspx.

In addition to operating the corporate IT infrastructure, Microsoft IT works with the various product development groups by verifying beta versions of Microsoft software products in real-world pre-production and production environments. Microsoft IT uses multiple mechanisms for deployment of software updates, including Microsoft Update, WSUS, and Configuration Manager (which builds on top of WSUS). It was important during the pilot that participating client computers pointed to the correct WSUS server associated with Configuration Manager, and not a WSUS server associated with one of the other software deployment mechanisms. If Microsoft IT configured participating client computers to access any WSUS server on the network, the client computers might not be able to get the required software updates that would enable them to move from the restricted network to full network access. To enforce the association of the Configuration Manager WSUS server to participating client computers, Microsoft IT used Group Policy.

Running the Pilot

Microsoft IT verified its design of the initial Configuration Manager–NAP solution design in a pre-production environment to ensure that the pilot deployment of quarantine policy enforcement would not adversely affect computers in the enterprise production environment. After verification, Microsoft IT began the phased pilot rollout by initially configuring the existing Configuration Manager client agent on selected users' NAP-enabled computers to begin supporting the NAP pilot running in reporting mode.

Note: There are three enforcement modes available with NAP, all of which work with Configuration Manager: reporting, deferred enforcement, and full enforcement. In reporting mode, non-compliant computers are not put into quarantine. All non-compliance issues are recorded for reporting purposes only. In deferred enforcement mode, computers are notified when they are identified as being out of compliance, but restriction of network access due to non-compliance does not start until after the deadline date for mandatory installation of the update has passed. Full enforcement mode places the non-compliant computers immediately into quarantine until they are compliant. NAP enables different enforcement modes to be specified according to network connection type and per collection group.

Due to dependencies on early beta versions of both Windows Server 2008 and Configuration Manager 2007, the pilot was limited in scope and has been ongoing for more than two years. As key server components became available with newer releases of beta software, Microsoft IT regularly updated the Configuration Manager–NAP pilot on both the client and server sides. Another reason for the long pilot period was the necessity of thoroughly discovering and handling exceptions to NAP policies. For example, some engineering verification environments, and specific Microsoft IT verification staff needed to be excluded from NAP enforcement. Microsoft identified exceptions to policy compliance and made a determination on how to resolve the issue in each case. Microsoft IT carefully implemented the NAP enforcement mechanisms to make sure that exceptions were properly identified without causing a work stoppage issue for those users included in the needed policy exceptions.

As server-side software dependences stabilized, Microsoft IT began deploying NAP in reporting mode to all domain-joined, NAP-capable computers throughout the company. In addition, a subset of pilot participants recently transitioned from NAP reporting mode to NAP full enforcement mode. Microsoft IT chose to switch over an entire domain for this stricter pilot, affecting nearly 20,000 NAP-capable computers. Now that the development of the Windows Server 2008 and Configuration Manager 2007 is complete, the full enforcement pilot will soon begin expanding one by one to other corporate managed domains, and computers in those domains will be required to comply with all system health policies before network access is granted.

During the pilot, the only network limitations applied to non-compliant internal computers that were using IPsec and that were placed in the restricted network was to block connections between computers running Windows Vista, such as access to local file shares and Remote Desktop connections. Non-compliant computers attempting to connect through VPN were placed in a more restricted network that only allowed them to access the software update remediation servers, where they had to address and resolve the compliance issues before full network access was granted.

Note: Microsoft IT specifically configured the levels of restriction in the NAP pilot quarantine function. The options included: non-enforcement; basic network limitations, such as limiting computer connections between end users; restricting resource levels and access to file servers; blocking access to critical, line-of-business applications and Microsoft Exchange Server; and complete network isolation.

After completing the pilot, Microsoft IT plans to expand the use of the Configuration Manager –NAP solution in full enforcement mode so that non-compliant computers in the corporate-managed domains that are not known exceptions will be denied access to the Microsoft corporate network until they successfully remediate their respective blocking issues.

Other Compliance Policy Checks Used by Microsoft IT

Microsoft IT explored other SHA/SHV plug-ins for NAP as part of the overall solution for system health policy enforcement, including SHA/SHVs for Windows and for the Microsoft IT antivirus solution. In addition to software update health policies, Microsoft IT performs such compliance checks as:

  • Verifying the installation of the Configuration Manager client (SHA).
  • Verifying the presence and running state of the Security Center service.
  • Verifying the presence and running state of Windows Firewall.
  • Verifying the installation of the antivirus application.
  • Verifying the status of the antivirus real-time monitor.
  • Verifying that the antivirus signature file is up-to-date.
  • Verifying the consistency of the Windows Management Instrumentation (WMI) repository.

Customized Remediation Tool

Whereas Configuration Manager can usually automatically remediate non-compliance issues associated with its own SHA or SHV, this is not the case when the Configuration Manager SHA is missing. When the Configuration Manager SHV does not receive a Configuration Manager SoH, this indicates the absence of Configuration Manager SHA. NAP treats the client computer as non-compliant and places it into quarantine. Normally, an SHA is responsible for automatic remediation, but it cannot automatically-remediate its non-existence. In this circumstance, a generic NAP installation enables IT staff to define a custom-built Web page that users are referred to when they are quarantined in the restricted network. This Web page enables the quarantined user to navigate to various manual remediation tools that they might use to resolve compliance issues that could not be automatically remediated.

To expedite and simplify the process for its customers, Microsoft IT created a customized remediation tool by using the simple software development tools in the Microsoft Visual Studio® 2008 development system. The custom tool takes into account the specific policies required by Microsoft IT that NAP cannot automatically remediate, such as missing SHAs on the client computer. Its simple user interface enables users to understand the reason for being quarantined and remediates any unresolved issues from the NAP compliance checks.

The Microsoft IT custom automatic remediation tool attempts to resolve issues by using custom scripts. After an issue is resolved, the tool automatically closes, the remediated SHA issues a new SoH, and NAP performs the SoH validation process again. If the new SoH is valid, NAP restores unrestricted network access. If any of the compliance checks continue to fail, the computer may be blocked from accessing the network or quarantined to a restricted network until the computer can be brought into a compliant state. The custom tool also sends logs of each instance when the tool has run to a central Microsoft SQL Server® database, which provides Microsoft IT staff with remediation analysis data.

The custom remediation tool can handle non-compliance issues such as:

  • No Configuration Manager client is installed.
  • No antivirus application is installed.

Continuous Policy Checks

In addition to validating SoHs when connecting to the network, the Configuration Manager client runs hourly software update policy checks against the Management Point server while client computers are connected to the network. Anytime that new software updates are found, they are installed according to the Configuration Manager software update policy. This effort reduces the incidence of temporary quarantine restrictions during logons because the computers will have already been updated. This effort also ensures that high-priority updates are deployed enterprise wide as fast as possible. Wi-Fi enabled computers, such as laptops and Tablet PCs, can be automatically updated in the background as the user carries the device between meetings (if the device is not in sleep mode). Furthermore, Microsoft IT may not deem some available software updates as top-priority installations, but instead configure them to be installed at any time by a set future date. These updates will be downloaded and installed in the background while the user works, which also minimizes logon delays due to quarantine.


With the use of the Configuration Manager–NAP solution to keep corporate network–connected computers updated with the latest software updates, the Microsoft corporate network will be safer from an unintentional introduction of malware after the solution is rolled out to the entire company. Pilot users are already receiving the benefits of this protection. All Microsoft client computers that access the network will be better secured with required system software updates and system health settings, thereby minimizing system vulnerabilities—especially on mobile computers—both inside and outside the corporate network firewall. Upon full deployment of this solution, the deployment of critical zero-day updates will be fast and thorough throughout the enterprise, reducing the internal support overhead costs to Microsoft IT of identifying and containing malware outbreaks and cleaning up compromised computers.

Microsoft IT found another benefit of using Configuration Manager with NAP. By using Configuration Manager, Microsoft IT was able to apply granular control over the enforcement mechanism of NAP. This control enabled Microsoft to achieve customized compliance with the software update policy by all connecting NAP-capable computers, as well as target business-appropriate policies to specific forests and domain computers within Microsoft.

Configuration Manager can apply software updates based on applicability. For example, users of the 2007 Microsoft Office system will not receive security updates for Microsoft Office 2003 if the product is not installed. However, if NAP is configured to use the Windows SHA that is built into Windows Vista and Windows XP SP 3, NAP will enforce all required updates within a specified Microsoft Update category to be installed to all NAP-capable computers. By employing the Configuration Manager SHA to refine and filter the rules that NAP uses for enforcement, Microsoft IT can now select specific updates to enable for NAP enforcement based on more granular software update policies.

Computers can be grouped for update targeting based on a wide variety of Configuration Manager collections, such as membership in a security group, domain, or other collection definitions. For example, Configuration Manager can target specific groups of computers for updates by computer type, operating system version, or particular hardware and software inventory attributes. (Microsoft IT targeted NAP-capable computers in one specific domain for its pilot).

By using Configuration Manager, Microsoft IT can specify the unique enforcement date for each NAP-enabled software update, ranging from immediately to a date in the future, based upon the priority of the update. As long as the enforcement date is not immediate, the end user can install the software update package at any time prior to the deadline. Users who do not immediately install updates that have extended deadlines will continue to have full network access. But when the enforcement date arrives, users who have not installed the update have their network access restricted, and installation of the required software update occurs automatically.

With the Configuration Manager–NAP solution in place as a pilot deployment in the Microsoft network infrastructure, Microsoft IT can enforce compliance with relevant software update health policies before the affected computer can access the resources on the corporate network. Additional NAP framework plug-ins can also be used to expand the types of health policies that are used to control access to network resources. For example, Windows Vista and Windows Server 2008 provide a built-in Windows SHA/SHV plug-in that can enforce health policies for firewall usage and other common security configuration settings.

Lastly, thanks to the ability of Configuration Manager to work with NAP to enforce installation of software updates, Microsoft IT will gain a much higher level of confidence knowing that it will meet its goals of keeping client computers up-to-date. After running a pilot of 20,000 users, the percentage of compliance for policy-required, installed software updates was extremely high. More than 99 percent of the solution participants had all current software updates installed anytime they used NAP to access the network.

Key Takeaways and Best Practices

Microsoft IT rolled out the Configuration Manager–NAP solution for enforcing software updates through system health policy in a very complex environment that consists of multiple forests and domains. Because of its experience with the Configuration Manager–NAP solution pilot, Microsoft IT learned several lessons and developed some best practices:

  • Deploy the Configuration ManagerNAP infrastructure in a pre-production environment first   An organization should thoroughly test and verify its server and client configuration settings. It should not keep everyone participating in the pilot permanently quarantined on the restricted network.
  • Rank customer effect   When planning for the pilot and eventual rollout of NAP, an organization should rank its internal groups according to which have the highest rate of business-critical contact with customers. Then, the organization can initially deploy the Configuration Manager–NAP solution to the internal groups that have the least critical, direct effect upon customers. This will minimize any potential problems with quarantine configuration.
  • Identify quarantine-accessible resources and create remediation list   The remediation list should consist of the server Internet Protocol (IP) address of customized resource services such as Management Points, Software Update Points, internal IT, and other corporate Web sites. The organization may also choose to enable access to application servers such as Exchange servers. It should consider any connectivity protocols that it may normally use. Microsoft IT normally requires IPsec authentication for access to any of its network resources, but it disabled IPsec for its restricted network. However, if the organization follows that example, it should note that its remediation servers are not authenticating the users who connect to them, so there must be no business-sensitive data or proprietary software available on those servers.
  • Use Group Policy   There are specific Configuration Manager Group Policy settings available that enable deployment of the Configuration Manager client by WSUS and assign the client to the proper Configuration Manager site. These settings are a dramatic improvement over what previously existed in Systems Management Server. The administrative burden of maintaining complex scripts used for client deployment and site assignment, which ran every time a user logged on to his or her computer, has been eliminated. Group Policy now manages this process. The use of Group Policy greatly simplified the deployment of the Configuration Manager–NAP software update solution for Microsoft IT. Additional best practices for using Group Policy include:
  • Use Group Policy to ensure that computers using the Configuration Manager–NAP solution point to the correct WSUS server. This ensures the availability of the software updates required by the Configuration Manager SHA for remediation. If the Configuration Manager SHA itself is missing, this specific WSUS server also enables the Configuration Manager client to be installed in remediation. Ensuring the use of a properly configured WSUS server enables successful remediation of client computers.
  • After the Configuration Manager–NAP solution is in place, continue using Group Policy to ensure the application and maintenance of necessary configuration settings. Other environments that may be run on the network may inadvertently change the settings for the specified WSUS server accessed by the client computer. Keeping in place the Group Policy setting that specifies the approved Configuration Manager WSUS server ensures that everything works as expected in remediation when quarantine is enforced.
  • Minimize potential client quarantine problems   An organization should choose one of two routes for deploying the solution to client computers:
  • Upon installation, set Configuration Manager in NAP to run initially in reporting mode. This enables administrators to use NAP reporting data to track the status of the Configuration Manager solution deployment to clients. This also helps to identify NAP configuration issues and needed exceptions to the health policy so that users who otherwise would go into quarantine can still work productively.
  • Choose to disable NAP under Configuration Manager for a particular site during the installation of the Configuration Manager clients until the Configuration Manager SHV is installed and is working with AD DS. After the organization installs and configures the SHVs on the same Windows Server 2008–based servers that are running NPS, it should be sure to have the SHVs publish to and query from AD DS before the NAP agent is enabled. Otherwise, client computers remain in quarantine until the SHVs are installed on the NPS server, the site publishes clients' health state references, and the NPS server validates the clients' health.
  • Verify the distribution process for required software updates   Before linking the Configuration Manager distribution process for software updates to the NAP enforcement mechanism, an organization should be sure that the existing software update distribution process works reliably. It should confirm that communication links between the Configuration Manager client and the Management Point and Distribution Point servers work well. Technical resources spent on troubleshooting an inconsistent or problematic software update remediation process could negate the benefits of implementing such a solution. Before the organization uses Configuration Manager to configure any particular software update to be NAP enforced, it should first deploy the software update package distribution points and configure the package to be targeted to client computers. Otherwise, the client computers will go into quarantine to get the update but will never exit because the software update is not available for installation.
  • Use a single forest deployment for storing health state references in the domain identified as the Master State Store   The organization will benefit from simplified, centralized administration of the Configuration Manager hierarchy, policy management, restriction network management, and SoH validation. Advantages of the single-forest Master State Store model include easier management of multiple domains, meeting developers' and programmers' requirements, and centralized management for software updates and NAP policies.
  • Put the NPS servers and Configuration Manager Site servers in the same forest   This simplifies administration of the enterprise-wide NAP service. Alternatively, an organization can configure the Configuration Manager Web site to publish the clients' health state reference to an identified forest where that domain's clients are joined.


Today's world of pervasive malware on the Internet is a threat to all connected computers. Highly connected, mobile business computers can unknowingly carry those threats into corporate networks. To protect the assets of its enterprise network, it was no longer sufficient for Microsoft IT to merely depend on perimeter security by regulating network access to authenticated user accounts. Microsoft IT needed more granular control over network access and health policy enforcement. The basic tool to provide this functionality for comprehensive network security is the NAP framework, which is built into both Windows Server 2008 and Windows Vista. However, NAP needed to be linked to specific plug-ins that allowed it to run compliance checks against defined policies.

Microsoft IT used NAP enforcement with Configuration Manager 2007 as the solution for keeping client computers updated for security-enhanced network access. By using Configuration Manager to control NAP enforcement for required software updates, Microsoft IT defined customized software update policies that covered updates that are mandatory for network access. Custom installation deadlines can be applied to these updates, depending on the critical nature of the updates. After it is connected, Configuration Manager continuously monitors and applies new updates as policies are updated, thereby ensuring that resolving vulnerabilities to zero-day exploits is fast and efficient.

The use of Configuration Manager with NAP provided Microsoft IT with the solution to better manage client computer health status, reduce vulnerability to malware infections that might be brought inside the corporate network, and offer its users a computing experience that is significantly less affected by out-of-date software.

For More Information

For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:




© 2008 Microsoft Corporation. All rights reserved.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, SQL Server, Visual Studio, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2014 Microsoft