Q. Does Microsoft System Center Configuration Manager 2007 (SCCM) have its own version of Network Access Protection (NAP), separate from that of Windows Server 2008, that can restrict network access?

A. No. This is a common misunderstanding. SCCM 2007 increases the functionality of the NAP that is part of Server 2008.

SCCM has a NAP site role that extends NAP by adding additional System Health Validator (SHV) policy support, which is used to validate system health based on the presence of Software Updates. SCCM installs an additional SHV into the Network Policy Server (NPS) on Server 2008, and that SHV points to the SCCM SHV site role. That site role relates to the NAP policy extensions that can be added to a software update.

SCCM requires Server 2008 and NPS. The network enforcement methods of DHCP, IPSec, and 802.1x are used as they usually are with NAP; SCCM doesn't have its own restriction mechanism.

SCCM is useful in making clients compliant by using the SCCM distribution points to deploy patches and software to unhealthy systems.

Related Reading:

Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.