Keep Computers Updated

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

NAP helps administrators keep organization computers up-to-date by verifying the computers meet all of the system health requirements of the network health policy. The compliance of NAP client computers is checked when the computers first connect to the network; it is monitored while the computers remain connected. Computers running Windows 7, Windows Vista or Windows XP with SP3 include the Windows Security Health Agent (WSHA), which monitors the status of system health components associated with Windows Security Center (WSC).

The following illustration shows how NAP can be used to keep computers up-to-date while they are connected to the network, and how they are updated after they disconnect and then reconnect to the network.

NAP helps keep computers updated

When a computer is connected to the network, it is monitored to ensure it is current with health requirements. A computer might become out-of-date when a user goes on vacation. When the computer reconnects to the network, its health is evaluated. If the computer is noncompliant, its access will be restricted until it can be updated to meet requirements. NAP can automatically update the computer or the user can install the required updates. After the computer is updated, it is again granted full access to the network. A NAP client computer is able to monitor health status continuously by using software called system health agents (SHAs). Health requirements are defined on NAP servers using corresponding software called system health validators (SHVs).

System health agents

SHAs continuously monitor the health state of client computers. NAP client computers can use a single installed SHA to report their health, or they can have many SHAs installed, each of which monitors and provides unique information about the health state of the client computer. The Windows Security Health Agent (WSHA) is one example of client software that provides system policy checks and indicates system health. Other Microsoft SHAs are also available, including the System Center Configuration Manager SHA and the Forefront Client Security SHA (FCS SHA). In addition, because NAP uses an extensible, standards-based platform architecture, SHAs will be available from non-Microsoft vendors.

Windows System Health Agent

The WSHA monitors the operational status of Windows Security Center (WSC) on the NAP client computer. The following WSC components are monitored by the WSHA:

  • Firewall: If this requirement is enabled, the client computer must have a firewall that is registered with WSC and enabled for all network connections.

  • Virus Protection: If this requirement is enabled, the client computer must have an antivirus application installed, registered with WSC, and turned on. The client computer can also be checked to ensure that the antivirus signature file is up-to-date.

  • Spyware Protection: If this requirement is enabled, the client computer must have an antispyware application installed, registered with WSC, and turned on. The client computer can also be checked to ensure that the antispyware signature file is up to date. Spyware protection applies only to NAP clients running Windows Vista.

  • Automatic Updating: If this requirement is enabled, the client computer must be configured to check for updates from Windows Update. You can choose whether to download and install them.

  • Security Update Protection: If this requirement is enabled, the client computer must have security updates installed based on one of four possible values that match security severity ratings from the Microsoft Security Response Center (MSRC). The client must also check for these updates during a specified time interval. You can use Windows Server Update Services (WSUS), Windows Update, or both to obtain security updates.

System Center Configuration Manager SHA

The System Center Configuration Manager SHA monitors the compliance of a client computer with your required software updates. When a computer connects to the network, the System Center Configuration Manager SHA provides the current state of compliance, a site code, and a health state reference. The health state reference and site code are used to check whether a client computer has received the latest software update requirements from a System Center Configuration Manager management point. If the health state is determined to be out-of-date, the client computer downloads a new set of requirements and its health is evaluated again. The System Center Configuration Manager SHA monitors the following aspect of client configuration:

  • Software Updates: When you deploy a software update with System Center Configuration Manager, you can select the update for NAP evaluation and specify a date and time when the policy will become effective. Only those updates that have been enabled for NAP evaluation in the Configuration Manager console are required to be installed on compliant NAP client computers. When a software update is enabled for NAP evaluation, the health state reference on an SMS management point is automatically incremented so that NAP client computers receive the most recent software requirements.

For more information, see Network Access Protection in Configuration Manager (


The FCS SHA monitors the operational health of FCS on the client computer. The administrator-defined health policy on the SHV determines whether the client computer is compliant before it is allowed to access the network. To monitor and report on FCS-related aspects of computer health, the FCS SHA queries client registry settings, checks the status of system services, and verifies that the client has the latest updates and malware signature definitions. The FCS SHA also sends data to the FCS server management system, which provides manageability, data collection, and reporting services.

The FCS SHA monitors the client computer’s level of Microsoft Forefront protection. Noncompliance with the FCS SHA does not necessarily mean that the computer has a virus or some other malicious software, but that the FCS configuration is either incorrect or not up-to-date, as defined in the health policy. The FCS SHA can restart services on noncompliant computers, automatically update configuration settings, and install software updates, if required.

For more information, see Microsoft Forefront and Windows Server 2008 (

Non-Microsoft SHAs

Because of the standards-based design and extensibility of NAP, additional SHAs are available from non-Microsoft vendors that extend the capabilities of NAP to include a variety of software and configuration checks. For more information, see Network Access Protection Partners (