NAP FAQ: Enforcing Security Updates (out-of-the-box)

Hey! My name is Mike Burk. I am a Program Manager on the Windows Security team. My team is responsible for the out-of-the-box NAP experience in Windows XP SP3, Vista and Server 2008. It is called the Windows Security Health Agent (client-side) and Validator (server-side). You will see it abbreviated as WSHA/WSHV in a lot of our documentation and on the web.

We’ve been getting a lot of questions about how update enforcement using the WSHA/WSHV actually works. The first thing to keep in mind is that the WSHA/WSHV only enforces security updates.

The easiest way to discuss update enforcement is to step through each part of the “Security Update Protection” section of the WSHV user interface. This is the dialog that appears within the Network Policy Server (NPS) console on Windows Server 2008:


1. “Restrict access…” checkbox

This activates the “Security Updates Protection” checks within the WSHA/WSHV (as well as the other controls in the section).

2. Severity rating pull-down menu

This is the severity level assigned by the MSRC for the update. If a client is missing security updates of the specified severity or higher, it will be deemed non-compliant and given restricted network access. The default is “Important and above.”

Note: “Low and above” and “All” actually mean the same thing. We are fixing this in future versions.

3. Number of hours since last scanned

This is the number of hours since the last time the client synced with its appropriate update server. This is only assessed when joining the network. If the time since the last online scan exceeds this value, then the client will be deemed non-compliant. The default for this value is 22 hours, though it can be configured from 1 to 72 hours. Also, if automatic remediation is selected in the NAP policy, the WSHV will instruct the WSHA to do an online scan to ensure all new security updates are accounted for.

4. Update sources

There are three sources for getting updates: Windows Server Update Services (WSUS), Windows Update (WU), or Microsoft Update (MU). On Vista SP1 and XP SP3, the WSHV lets an administrator choose which of these sources to accept. What this means is that a client reports its status with respect to the updates it knows about, and also where it gets its updates. If that source is one the administrator has accepted in the WSHV, then the WSHV will accept the reported update status. Microsoft Update is accepted by default since it contains all updates. An administrator who wants to control which updates are approved for their network should configure the clients for WSUS and check the WSUS box in the WSHV user interface.

Note: WSHA on Vista RTM (not SP1 or later) is only compatible with WSUS for update enforcement. This is the default on the WSHV for configuring policies for Vista clients.
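To make the four controls above concrete, here is a small model of the WSHV decision they describe: a policy (restrict-access flag, severity threshold, scan-age limit, accepted update sources) evaluated against what a client reports. This is an added illustration, not Microsoft's WSHA/WSHV code; the field names, the "All" sentinel, the treatment of a non-accepted update source as non-compliant, and the sample statements of health are all constructed assumptions.

```python
"""Model of the WSHV "Security Update Protection" evaluation described in the post.

Added illustration, not the WSHA/WSHV implementation. Field names, the "All"
sentinel and the sample client reports below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# MSRC severity ratings, lowest to highest.
SEVERITY_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}


@dataclass
class MissingUpdate:
    name: str       # constructed label for the update
    severity: str   # MSRC rating the update carries


@dataclass
class ClientHealth:
    """What the WSHA reports to the WSHV (assumed shape)."""
    missing: List[MissingUpdate]
    hours_since_scan: float   # hours since the client last synced with its update server
    update_source: str        # "WSUS", "WU" or "MU"


@dataclass
class UpdatePolicy:
    """The four controls of the Security Update Protection section."""
    restrict_access: bool = True
    min_severity: str = "Important"   # "Low" and "All" are equivalent choices
    max_hours_since_scan: int = 22    # default 22; valid range 1..72
    accepted_sources: Set[str] = field(default_factory=lambda: {"MU"})

    def severity_threshold(self) -> int:
        # "Low and above" and "All" admit every rating, as the post notes.
        if self.min_severity == "All":
            return SEVERITY_RANK["Low"]
        return SEVERITY_RANK[self.min_severity]


def evaluate(policy: UpdatePolicy, health: ClientHealth) -> Tuple[bool, List[str]]:
    """Return (compliant, reasons). An empty reasons list means full access."""
    if not policy.restrict_access:
        return True, []   # section disabled: update checks are skipped entirely
    if not 1 <= policy.max_hours_since_scan <= 72:
        raise ValueError("hours since last scan must be between 1 and 72")

    reasons: List[str] = []

    # Update source: only status gathered from an administrator-accepted source
    # is trusted; anything else is treated here as non-compliant (assumption).
    if health.update_source not in policy.accepted_sources:
        reasons.append(f"update source {health.update_source} is not accepted by policy")

    # Scan freshness: the post says this is assessed when the client joins the network.
    if health.hours_since_scan > policy.max_hours_since_scan:
        reasons.append(
            f"last scan {health.hours_since_scan:.0f}h ago exceeds "
            f"{policy.max_hours_since_scan}h limit")

    # Missing updates at or above the configured severity make the client non-compliant.
    threshold = policy.severity_threshold()
    for upd in health.missing:
        if SEVERITY_RANK[upd.severity] >= threshold:
            reasons.append(f"missing {upd.severity} update {upd.name}")

    return (not reasons), reasons


if __name__ == "__main__":
    default_policy = UpdatePolicy()
    # Constructed sample reports, one per control being exercised.
    samples = {
        "moderate gap only": ClientHealth([MissingUpdate("SAMPLE-1", "Moderate")], 5, "MU"),
        "critical gap": ClientHealth([MissingUpdate("SAMPLE-2", "Critical")], 5, "MU"),
        "stale scan": ClientHealth([], 30, "MU"),
        "unaccepted source": ClientHealth([], 5, "WU"),
    }
    for label, report in samples.items():
        compliant, why = evaluate(default_policy, report)
        print(f"{label:20s} -> {'compliant' if compliant else 'restricted'} {why}")
```

With the default policy (Important and above, 22 hours, Microsoft Update accepted), a client missing only a Moderate update stays compliant, while a Critical gap, a scan older than 22 hours, or status gathered from a source the administrator has not accepted each lead to restricted access.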

Remediation

If the NAP policy is set for "Automatic Remediation", then the WSHA will automatically download and install the missing updates. The WSHA on the client will query the Windows Update Agent on the client for updates upon boot or upon joining the network, and every hour thereafter. If the Windows Update Agent reports that an update is missing, then the WSHA will generate a NAP message and the WSHV will enforce compliance per the NAP policy.

Note: The periodic scan interval is configurable via the ScanInterval value in the registry key HKLM\Software\Microsoft\MSSHA\.

I hope this clarifies how the WSHA/WSHV helps to keep your clients updated with the latest security updates!

Mike Burk

miburk@microsoft.com