Choose a Compliance Strategy

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

Before you deploy NAP, you must define which client configuration will be considered compliant and which will be considered noncompliant with health requirements. You might begin your NAP deployment using the system health agent (SHA) and system health validator (SHV) that is provided with the Windows operating system. Later, you can customize and expand your NAP deployment by installing other SHVs on your NAP health policy servers and deploying the corresponding SHAs to client computers.

The following figure shows the System Health Validators object in Windows Server 2008 NPS console. The installed SHVs are displayed, including Windows Security Health Validator (WSHV), the default SHV that is available with Windows Server 2008. When you install new SHVs, they are added to the list and become available for use in your health policies.

System health validators in the NPS console

For more information about configuring SHVs, see System Health Validators.

Using Windows Security Center with NAP

WSHV analyzes the operational status of Windows Security Center (WSC) on NAP client computers. Client computers use a corresponding SHA, called Windows Security Health Agent (WSHA), to report the status of WSC whenever a client computer attempts to connect to a network or the status of WSC changes.

Windows Security Health Validator in Windows Server 2008

In Windows Server 2008, to edit WSHV settings, double-click Windows Security Health Validator in the details pane of the NPS console. The Windows Security Health Validator Properties page will open. See the following figure.

WSHV Properties page

The page displays five error code settings that are available for all installed SHVs. For more information about these error codes, see System Health Validators.

To configure client health requirements using WSHV, click Configure to open the Windows Security Health Validator page. In the following example, NAP client computers are required only to have a firewall enabled.

Windows Security Health Validator page

By default, the Windows Vista tab is displayed. There following WSC components can be configured for Windows Vista:

  • Firewall. If selected, the client computer must have a firewall that is registered with WSC and enabled for all network connections.

  • Virus Protection. If selected, the client computer must have an antivirus application installed, registered with WSC, and turned on.

  • Antivirus is up to date. If selected, the client computer can also be checked to ensure that the antivirus signature file is up-to-date.

  • Spyware Protection. If selected, the client computer must have an antispyware application installed, registered with WSC, and turned on.

  • Antispyware is up to date. If selected, the client computer can also be checked to ensure that the antispyware signature file is up-to-date. Spyware protection applies only to NAP clients running Windows Vista.

  • Automatic Updating. If selected, the client computer must be configured to check for updates from Windows Update. You can choose whether to download and install them.

  • Security Update Protection. If selected, the client computer must have security updates installed based on one of four possible values that match security severity ratings from the Microsoft Security Response Center (MSRC). The client must also check for these updates using a specified time interval. You can use choose to use Windows Server Update Services (WSUS), Windows Update, or both to obtain security updates.

To configure requirements for NAP client computers running Windows XP SP3, click the Windows XP tab. Configuration for Windows XP is identical to Windows Vista, except that the two spyware protection components are not available.

For more information, see System Health Validators.

Security Health Validators in Windows Server 2008 R2

In Windows Server 2008 R2, you can reduce the cost of deployment and ownership of NAP servers by specifying multiple configurations of an SHV. When you configure a health policy, you can select one of these SHV configurations. When you configure a network policy for health evaluation, you select a specific health policy. Therefore, different network policies can specify different sets of health requirements based on a specific configuration of the SHV. For example, you can create a network policy that specifies that intranet-connected computers must have antivirus software enabled and a different network policy that specifies that VPN-connected computers must have their antivirus software enabled and signature file up-to-date.


To use multi-configuration SHVs, NAP health policy servers must be running a Windows Server 2008 R2 operating system.
Multi-configuration SHVs are only available for SHVs that support this feature, for example the WSHV. Multi-configuration SHV is not available if the SHV vendor has not designed the SHV to support this feature.

When an SHV supports the multi-configuration SHV feature, different settings can be stored in multiple SHV configuration profiles. When you configure a health policy, you can choose which SHV will be used, and custom settings for the SHV if these have been configured. For example, using this feature you might create the following two health policy configurations:

  • Default configuration. The client computer must have a firewall and Windows Update enabled, antivirus and antispyware applications must be on and up-to-date, and all important security updates must be installed.

  • Trusted configuration. The client computer must have an antivirus application on and up-to-date.

These settings can then be used to create health policies requiring either default configuration settings or trusted configuration settings. You can create as many unique configuration settings as you require.

Previously, it was necessary to use a different NAP health policy server to specify a different set of configurations for the same SHV. In Windows Server 2008 R2, with multi-configuration SHV, a single NAP health policy server can be used to deploy multiple configurations of the same SHV.

Multi-configuration SHV affects the procedures used to configure SHVs and health policies. SHV configuration is divided into settings configuration and error codes configuration. For more information, see “To configure system health validators in Windows Server 2008 R2” in Configure System Health Validators at


When configuring WSHV (the default SHV that is available with Windows Server 2008 R2), whenever you create a new, custom WSHV configuration, you must restart the Network Policy Server service. If you create a new WSHV configuration and do not restart the Network Policy Server service, and then select this new configuration to be applied to a compliant or a noncompliant health policy, this WSHV configuration is not applied to your health policy.

Using System Center Configuration Manager with NAP

The Microsoft System Center Configuration Manager SHA and SHV can be used to require that specific software updates are installed on client computers before they are allowed access to the corporate network. When a computer connects to the network, the System Center Configuration Manager SHA provides status about the client computer that indicates whether it has received recent software update requirements and if those updates have been installed. If the client computer is determined to be out-of-date, it can download a new set of requirements and then install the required software. The software can be installed automatically or manually (that is, through user intervention).

To configure software requirements for clients running the System Center Configuration Manager SHA, use the Configuration Manager console on a System Center Configuration Manager management point. When you deploy a software update with System Center Configuration Manager, you can select the update for NAP evaluation and specify a date and time when the policy takes effect. Only those updates that have been enabled for NAP evaluation in the Configuration Manager console are required to be installed on compliant NAP client computers. For more information about System Center Configuration Manager and NAP, see Network Access Protection in Configuration Manager (

Using Forefront Client Security with NAP

The Forefront Client Security (FCS) SHA monitors the operational health of FCS on the client computer. You can define settings on the SHV that will determine the required FCS configuration on the client computer. The FCS SHA queries client registry settings, checks the status of system services, and verifies that the client has the latest updates and malicious software (also called malware) signature definitions. The FCS SHA also sends data to the FCS server management system, which provides manageability, data collection, and reporting services.

Noncompliance with the FCS SHA does not necessarily indicate that the computer has a virus or some other malicious software. Rather, it indicates that the FCS configuration is either incorrect or not up-to-date, as defined in the SHV. The FCS SHA can restart services on noncompliant computers, automatically update configuration settings, and install software updates, if required. For more information about FCS, see Microsoft Forefront Client Security ( and Forefront Client Security (

Using non-Microsoft SHAs and SHVs

Other SHAs are available from non-Microsoft vendors that extend the capabilities of NAP to include a variety of software and configuration checks. For more information about non-Microsoft SHAs, see Network Access Protection Partners (