Microsoft IT: 120,000 NAP Clients deployed - it's just too darn easy!

Hello All, Brent Atkison here with the deployment team responsible for rolling out Network Access Protection (NAP) internally at Microsoft. Back in March 2007, Adam Carter provided a quick update on our internal deployment status and I wanted to follow that up with the latest and greatest news on our efforts to NAP the World (starting with Microsoft)!

Back in March we had deployed NAP to ~30k clients internally at Microsoft. Since then we have been busy adding new domains and scenarios into our NAP deployment and our total reach has grown significantly. We now have over 120k clients reporting in on our IPsec NAP deployment. This includes clients reporting in from across the globe including Europe, Africa, Far East, South America, North America, and many other remote locations. Our current deployment consists of several scenarios:

1) Deferred enforcement (meaning we don’t restrict access, we simply notify the user) for the out of box Windows System Health Agent to Redmond, North America and our test domain. This includes auto-remediation (automatically fixing client computer if at all possible). This was recently deployed to North America and we saw an increase in health compliance immediately following turning it on!

2) Reporting mode within the above listed domains for lab deployments

3) Reporting mode to global locations

4) Reporting mode for Windows Server 2008 in select domains

Our next steps are to move a specific target domain (with ~14k clients) to deferred enforcement for three separate System Health Agents (SHAs) (including the Windows SHA, a 3rd party AV SHA, and the Systems Center Configuration Manager [SCCM] SHA) with remediation turned on. Following that we will be moving the same domain to enforcement with matching IPsec policy (meaning clients will lose access to some resources until they are healthy) for that domain. From there we will be looking to expand to other larger domains until we are reaching all domain joined clients.

In addition to our IPsec deployment we have recently had some great success with our internal VPN deployment. We have several clients using NAP VPN as their main remote connectivity method. This includes full enforcement (meaning the client is quarantined if determined to be unhealthy) running with the three separate SHAs called out above. We recently used this pilot to show NAP off at our internal product fair with great success. Clients are able to meet health requirements while also gaining very quick access to the corporate network. Remediation is also turned on for these clients providing auto fix up for all required components.

NAP THE WORLD (and MICROSOFT!)

Brent Atkison
GROUP MANAGER, MMS NAP