Sorry, I believe daldden is correct, without the agent you can still scan using the built-in Nessus scanner.
We don't use the Nessus scanner, but these are some things to consider if you use the scanner. These are from memory though so anyone who actively uses the scanner may be able to give more up to date or complete info:
1) You have to decide which vulnerabilities you want to scan for.
2) The more plug-ins you enable, the longer (obviously) the scan takes.
3) There are configuration steps for many of the plug-ins
4) Your users will still need to go to a login page in order to be scanned.
5) You have to configure the remediation information (URL, steps, etc) for each plug-in you enable.
From our view point, the only reason we would enable the scanner is if we were looking for a specific vulnerability, perhaps a new threat that didn't yet have a patch. If it had a patch, we would watch for the patch using the agent (installed or web based).
It was much easier for us to use the agent, to scan their system and make sure that the MS critical hot fixes were installed and/or an AV system was installed and up to date. As mentioned, if there is a patch for a vulnerability, you can use the agent to make sure that specific hot fix is installed.
Remember that there is also a web agent. The web agent is an ActiveX or Java (you pick which one you want to use) applet that is loaded onto the person's machine, the system scanned, then the applet is unloaded.
Of course, the agent is only for MSoft (with some MAC options), so if you have Linux systems, the Nessus scanner would be your only option.
