NAP and SCCM 2007 - how it works

Published Jan 21 2019 03:19 PM 114 Views

First published on MSDN on Nov 17, 2006

It's time to dig into the details of NAP/SCCM 2007 processing.  We will start the discussion with a few assumptions:
1. The basic NAP infrastructure is configured and working.
2. The Software Updates Management (SUM) infrastructure in SCCM 2007 is working and properly configured.
3. All of the required pieces of SCCM 2007 NAP are enabled and installed
4. A single NAP policy is in place
5. The only SHV in use is the SCCM 2007 SHV.  In practice, this likely won't be the case but will help simplify our discussion here.


Default settings in SCCM 2007 call for a new Statement of Health (SoH) to be generated every 24 hours.  This setting ensures that the compliance state for the agent will be reevaluated at least once per day.  Your machines, however, may be requested to submit themselves for NAP evaluation more frequently than that.  NAP evaluation occurs at every network access and when the NAP agent requests it.  By default, SCCM 2007 will store the last generated SoH and consider it valid for 24 hours.  This cached SoH will be submitted in response to every SoH request and used to evaluate compliance provided that it is still within the 24 hour validity window.


It is possible to change the default behavior and force the SCCM 2007 client to generate a new SoH each time a request is made for health status - essentially bypassing any use of cached SoH.  This option is configured by setting the 'Force a new scan before Security Compliance evaluation begins' option on the NAP client agent properties.  In this way it is possible to ensure that a new SoH will be submitted at each request.


Before talking about the flow of events it is also helpful to understand the various components on the SCCM 2007 client that work together to evaluate health state and handle SoH requests/responses.
SMSSHA - The SMS System Health Agent is the top level component that interacts with the NAP agent installed on the machine.  This is the component that is called to begin SoH evaluations or to act on SoH responses from the NAP agent.
CCMCCA - The CCM Computer Compliance Agent is called by SMSSHA during SoH generation to evaluate the NAP policies applied to the machine and to determine the compliance state compared to those policies.  During evaluation CCMCCA will call on other components, such as CIAgent, SDMAgent and WUAHandler to determine software update applicability.  At the end of processing CCMCCA will return the current compliance state to SMSSHA.  If the NAP server (SCCM 2007 SHV) determines that the client is unhealthy, CCMCCA will also orchestrate the remediation process by working with the components listed earlier.
LocationServices - LocationServices is called by SMSSHA during SoH generation to evaluate current whether the client is in quarantine state and, if so, to locate any required SCCM 2007 server components we may need to access.  While in quarantine state we will need access to the servers hosting our WSUS, MP and DP roles.  This information is provided back to SMSSHA.


Now that we understand all the options and components, lets look at the flow of events for NAP evaluation.  For this discussion we will assume that the NAP client agent is being called to generate a new SoH during a schduled scan.  This will trigger an evaluation to determine the clients compliance state and ability to access the network as follows:


-NAP client agent requests a new SoH be generated.
-SMSSHA component is called to handle SoH generation
-SMSSHA component calls CCMCCA to evaluate NAP policies and determine applicability
of assigned NAP policy and compliance state.
-SMSSHA component calls Location Services to determine if any 'fixup' servers are needed for the
current evaluation.
-SMSSHA merges the results of CCMCCA and Location Services to create the new SoH and submits
it forward to the NAP infrastructure for evaluation.
-The NAP server receives the SoH and forwards the SCCM 2007 specific SoH to the SCCM 2007 SHV
to evaluate health.
-The SCCM 2007 SHV forwards compliance state back to the NAP server which creates a response SoH
and returns that to the SCCM 2007 client agent.  Assuming the SCCM 2007 client is healthy, processing
stops here.  If the SCCM 2007 SHV reported the client as unhealthy then the client will be triggered to
remediate. Note:  A client may be fully compliant with NAP policy but still be seen as
unhealthy by the SCCM 2007 SHV due to an error condition, outdated SoH, etc.

If remediation is required, processing continues as follows:

-Once the response SoH is received from the NAP server indicating an unhealthy state the SCCM 2007
client agent will trigger remediation.  Remediation will proceed by invoking both CCMCCA and Location
Services to detect what policies are non compliant and what patches are needed.  The various components
of the Software Updates Management (SUM) infrastructure will be called on to install the required patches.
-Once remediation is complete a new SoH will be calculated according to the steps above and resubmitted
indicating that the client is now healthy.  The NAP server/SCCM 2007 SHV will confirm the new compliance
state and will return a SoH response indicating that client is clear to come on the network.

The entire process of SoH generation/evaluation is dependent on the resulting health state of the client.  Assuming the client is compliant the process of confirming health state should be very quick.  If remediation is required the total process will be dependent on how many updates are required.

Version history
Last update:
‎Apr 07 2020 09:10 AM
Updated by: