SHV Multi-Config in Windows Server 2008 R2

In Windows Server 2008, a system health validator (SHV) installed on the NPS server can have only one configuration. This works well if your system health requirements are the same for all of your NAP enforcement methods and all of your computers. However, some deployments require different sets of health requirements for different enforcement methods and different groups of computers. For example, you might want to require only that desktop computers have their anti-virus software enabled, while VPN-connected computers must have their anti-virus software enabled and their signature files up to date.

In Windows Server 2008 R2, the NAP platform lets a single SHV carry multiple configurations, a feature known as SHV multi-config. Existing SHVs must be updated to take advantage of this feature, and new SHVs should be written to use it. The Windows Security Health Validator (WSHV) provided with Windows Server 2008 R2 supports SHV multi-config. For more information, see the new INapComponentConfig3 API at https://msdn.microsoft.com/en-us/library/dd392506(VS.85).aspx.
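The following is an added illustration of what "multiple configurations for one SHV" means in code. It is not Microsoft's WSHV source and not the real INapComponentConfig3 COM interface: the method names are modelled on that interface as I remember it (NewConfig, DeleteConfig, DeleteAllConfig, GetConfigFromID, SetConfigToID), so treat the mapping as an assumption and check the MSDN page linked above; the real interface returns HRESULT values and exchanges opaque configuration byte blobs, whereas this model stores a small structured requirement set. The default configuration ID of 0, the second configuration ID of 1, the requirement fields and the client's statement of health are all constructed for the example. It replays the scenario from the introduction: the same client, with anti-virus enabled but stale signatures, passes under the desktop configuration and fails under the VPN configuration.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>

// Subset of WSHV-style requirements one configuration can impose (constructed model).
struct HealthRequirements {
    bool requireAntivirusEnabled;
    bool requireAntivirusSignaturesCurrent;
};

// Fields a client reports in its statement of health (constructed model).
struct StatementOfHealth {
    bool antivirusEnabled;
    bool antivirusSignaturesCurrent;
};

// Assumption: the default configuration is identified by ID 0.
constexpr uint32_t kDefaultConfigId = 0;

// Model of an SHV that keeps one requirement set per configuration ID.
// Method names echo INapComponentConfig3 (assumption, see lead-in); the real
// interface is COM, returns HRESULT and exchanges opaque configuration blobs.
class MultiConfigShv {
public:
    MultiConfigShv() { configs_[kDefaultConfigId] = HealthRequirements{}; }

    // Create an empty configuration under a new ID. Fails if the ID is in use.
    bool NewConfig(uint32_t configId) {
        return configs_.emplace(configId, HealthRequirements{}).second;
    }

    // Delete a non-default configuration. The default one can never be removed,
    // matching the snap-in behaviour the page describes.
    bool DeleteConfig(uint32_t configId) {
        if (configId == kDefaultConfigId) return false;
        return configs_.erase(configId) == 1;
    }

    // Remove every configuration except the default.
    void DeleteAllConfig() {
        HealthRequirements def = configs_[kDefaultConfigId];
        configs_.clear();
        configs_[kDefaultConfigId] = def;
    }

    bool SetConfigToID(uint32_t configId, const HealthRequirements& req) {
        auto it = configs_.find(configId);
        if (it == configs_.end()) return false;
        it->second = req;
        return true;
    }

    bool GetConfigFromID(uint32_t configId, HealthRequirements* out) const {
        auto it = configs_.find(configId);
        if (it == configs_.end()) return false;
        *out = it->second;
        return true;
    }

    std::size_t ConfigCount() const { return configs_.size(); }

    // Evaluate one statement of health against the configuration a health
    // policy selected. An unknown configuration ID is treated as non-compliant.
    bool IsCompliant(uint32_t configId, const StatementOfHealth& soh) const {
        HealthRequirements req;
        if (!GetConfigFromID(configId, &req)) return false;
        if (req.requireAntivirusEnabled && !soh.antivirusEnabled) return false;
        if (req.requireAntivirusSignaturesCurrent && !soh.antivirusSignaturesCurrent) return false;
        return true;
    }

private:
    std::map<uint32_t, HealthRequirements> configs_;
};

struct Verdicts {
    bool desktopPolicy;  // verdict under the default (desktop) configuration
    bool vpnPolicy;      // verdict under the second (VPN) configuration
};

// Scenario from the page: desktops only need anti-virus on, VPN clients also need
// current signatures. The constructed client has anti-virus on but stale signatures.
Verdicts EvaluateScenario() {
    MultiConfigShv shv;
    const uint32_t kVpnConfigId = 1;  // constructed ID for a "WSHV Settings for VPN" config
    shv.SetConfigToID(kDefaultConfigId, HealthRequirements{true, false});
    shv.NewConfig(kVpnConfigId);
    shv.SetConfigToID(kVpnConfigId, HealthRequirements{true, true});

    StatementOfHealth client{true, false};  // constructed statement of health
    return Verdicts{shv.IsCompliant(kDefaultConfigId, client),
                    shv.IsCompliant(kVpnConfigId, client)};
}

// True when the default configuration survives deletion attempts and
// DeleteAllConfig leaves only the default behind.
bool DefaultConfigIsProtected() {
    MultiConfigShv shv;
    shv.NewConfig(7);
    shv.NewConfig(8);
    if (shv.DeleteConfig(kDefaultConfigId)) return false;
    shv.DeleteAllConfig();
    return shv.ConfigCount() == 1 && !shv.DeleteConfig(kDefaultConfigId);
}
```

The point of the model is the lookup in IsCompliant: the health policy does not change what the client reports, it changes which requirement set the SHV compares that report against. An SHV that keeps its settings in a single global store has nowhere to hang that second requirement set, which is why pre-R2 SHVs need updating before they can appear with more than one entry under Settings.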

To see the SHV multi-config support for the WSHV, use the Network Policy Server snap-in and open Network Access Protection-System Health Validators-Windows System Health Validator-Settings. The following figure shows an example.

Windows System Health Validator settings 


If you only need a single set of WSHV settings, use the default configuration. This default configuration cannot be deleted or renamed. When you create health requirement policies with the NAP wizard, the wizard configures your health policies to use this default configuration.

To create another configuration for the WSHV, do the following:

1. Right-click Settings, and then click New.

2. In the Configuration Friendly Name dialog box, type a name for the new configuration, and then click OK.

3. In the Windows Security Health Validator dialog box, specify the system health requirements and then click OK.

The following figure shows an example of a new WSHV configuration with the name WSHV Settings for DHCP.

WSHV Settings for DHCP


To make a health policy use a non-default configuration of the WSHV, open Policies-Health Policies in the Network Policy Server snap-in, and then double-click the name of the health policy that you want to modify. On the Settings tab, in the SHVs used in this health policy list, click the drop-down arrow in the Setting column for the Windows Security Health Validator SHV to see the list of available configurations. The following figure shows an example.

Example of selecting an SHV configuration

Click the desired configuration of the WSHV, and then click OK.

NAP Product Team