Planning for Operating System Deployments in a NAP-Enabled Environment
Updated: May 14, 2015
Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1
When you deploy an operating system and the System Center 2012 Configuration Manager client into an environment that uses Network Access Protection (NAP), you must take additional configuration steps. Failing to configure an operating system deployment correctly for Network Access Protection can result in the newly deployed computers having restricted network access with failed remediation.
Clients that run Windows Vista and Windows Server 2008 natively support Network Access Protection, whereas computers running Windows XP do not natively support Network Access Protection and require the installation of an additional Network Access Protection client. For more information about the Network Access Protection Client for Windows XP, see the Network Access Protection website.
Network Access Protection supports a number of enforcement mechanisms, such as IPsec, 802.1X, VPN, and DHCP. Each enforcement mechanism requires its respective Network Access Protection enforcement client to be enabled and the Windows Network Access Protection Service started and configured for automatic startup. For more information about the prerequisites to use Network Access Protection with software updates in Configuration Manager, see Prerequisites for Software Updates in Configuration Manager.
Use the steps in the following sections to ensure that the enforcement mechanism and the Windows Network Access Protection Service are enabled and interact correctly with the Configuration Manager client when you deploy an operating system into a NAP-enabled environment.
The Reference Computer Is Configured for Network Access Protection
The following scenario is appropriate if all your operating system deployments are in a NAP-enabled environment, using the same NAP-enforcement mechanism:
Configure the reference computer with the operating system, service packs, security updates, applications, settings, tools and desktop customization.
If the operating system is Windows XP, install the Network Access Protection Client for Windows XP.
Enable the appropriate Network Access Protection enforcement clients.
Configure the Windows Network Access Protection service to start automatically, and start the service.
Capture the operating system image by using capture media.
Create a task sequence that references the captured image.
Deploy the task sequence to the destination computers.
With this configuration, the Network Access Protection enforcement client and Windows Network Access Protection Service start automatically on the newly deployed computer because they are part of the image. They are also already running when the Configuration Manager client installs, which ensures that the Configuration Manager client can bind to the Windows Network Access Protection Service.
The Reference Computer Is Not Configured for Network Access Protection
The following scenario would be appropriate if only some of your computers are installed into a NAP-enabled environment or if you must add the configuration for Network Access Protection to an existing captured image:
Configure the reference computer with the operating system, service packs, security updates, applications, settings, tools and desktop customization.
Capture the operating system image by using capture media.
Create a deployment task sequence that references the captured image.
If the operating system is Windows XP, add a task sequence step that will run in the newly deployed operating system to install the Network Access Protection Client for Windows XP.
Add a custom task sequence step that runs in the newly deployed operating system to enable the appropriate Network Access Protection enforcement clients.
Note
Use the command-line utility, netsh nap client set enforcement <enforcement ID> enable. For more information, see the Windows Network Access Protection documentation. For ongoing configuration, ensure that Group Policy configures the enforcement clients.
Add a task sequence step that runs in the newly deployed operating system to configure the Windows Network Access Protection Service to start automatically, and start the service.
Note
For ongoing configuration, ensure that Group Policy configures this service.
Add a task sequence step to restart the computer.
Note
This restart is required so that the enforcement clients and the Windows Network Access Protection Service are already running when the Configuration Manager client starts, which allows the Configuration Manager client to bind correctly to the Windows Network Access Protection Service.
Deploy the task sequence to the destination computers.
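The enforcement-client and service steps above can be combined into one script that the task sequence runs in the newly deployed operating system. The following PowerShell is an added example, not part of the original documentation; it assumes DHCP enforcement (enforcement client ID 79617), the service name napagent for the Windows Network Access Protection Service, and that PowerShell is available in the deployed image.

```powershell
# Added example: enable NAP enforcement clients and the NAP agent service
# from a task sequence step that runs in the newly deployed operating system.
# Assumption: DHCP enforcement is in use; 79617 is the DHCP Quarantine
# Enforcement Client ID. Replace it with the ID for your enforcement mechanism.
param(
    [string[]]$EnforcementIds = @('79617')
)

$ErrorActionPreference = 'Stop'

# Enable each enforcement client with the netsh form given in the note above.
foreach ($id in $EnforcementIds) {
    & netsh nap client set enforcement $id enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Output "Failed to enable enforcement client $id (netsh exit code $LASTEXITCODE)."
        exit 1   # non-zero exit code fails the task sequence step
    }
}

# Configure the Network Access Protection Agent service (assumed name: napagent)
# to start automatically, then start it.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Verify the result instead of assuming it, so a misconfigured image fails
# the deployment here rather than ending up with restricted network access.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='napagent'"
if ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running') {
    Write-Output "napagent is not configured as expected: StartMode=$($svc.StartMode), State=$($svc.State)."
    exit 1
}

# Record the NAP client state in the step output for later troubleshooting.
& netsh nap client show state
exit 0
```

Keep the separate restart step after this one; the script does not restart the computer.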