If you are configuring the Windows Security Health Validator for Security Update Protection, you have multiple options. One of these options is ‘Important and above’ as shown below:
This being the case, you may think that any Important Update available on the client will force the client to be non-compliant. You may see the following on some of your clients. The two screenshots below show Windows Update detected 4 Important Updates, but the NAP Status is still marked as compliant.
It appears that you have Important Updates available, but the client is still being marked as compliant. This can be a little confusing if you don’t understand the difference between what Network Access Protection is looking for and what Windows Update is detecting.
The Windows Update client detects all Important updates and does not distinguish between Security updates and non-Security updates. The Windows System Health Validator is only concerned with Important Security updates.
The best way to determine if the client should be non-compliant when Windows Update is showing ‘Important Update available’ is to view the available updates and determine if they are marked as Security Updates. In the example below you see that the first five Important Updates are Security updates. This will cause your client to be flagged as non-compliant until they are installed. The last Important Update on this list will not be recognized by the NAP client.
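To run the same check from a script instead of the Windows Update UI, the following added example (not part of the original post) queries the Windows Update Agent COM API on the client and marks which pending updates are security updates rated Important or above. It assumes the ‘Important and above’ policy setting, that the MSRC severity reported by the agent is the rating that matters, and an English-language classification name; the `CountsForNap` column name is made up for this example.

```powershell
# Added example: list pending updates and flag the ones that are
# security updates rated Important or above. Run locally on the client.

# Assumption: the policy is set to 'Important and above'.
$threshold = @('Critical', 'Important')

# Windows Update Agent COM API (ships with Windows).
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Same set the Windows Update UI works from: not installed, not hidden.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$report = foreach ($update in $result.Updates) {
    # Each update carries its classification(s) as category objects.
    $categories = @($update.Categories | ForEach-Object { $_.Name })

    # Assumption: English display name of the Security Updates classification.
    $isSecurity = $categories -contains 'Security Updates'

    [pscustomobject]@{
        Title        = $update.Title
        MsrcSeverity = $update.MsrcSeverity   # empty for non-security updates
        IsSecurity   = $isSecurity
        CountsForNap = $isSecurity -and ($threshold -contains $update.MsrcSeverity)
    }
}

# Updates that would affect compliance are listed first.
$report |
    Sort-Object CountsForNap -Descending |
    Format-Table Title, MsrcSeverity, IsSecurity, CountsForNap -AutoSize -Wrap

$pending = @($report | Where-Object { $_.CountsForNap })
if ($pending.Count -gt 0) {
    Write-Output "$($pending.Count) pending security update(s) at Important or above."
} else {
    Write-Output "No pending security updates at Important or above."
}
```

Rows with `CountsForNap` set to `False` correspond to updates that Windows Update lists but that are not security updates at the configured severity.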
The recommended client configuration will help you avoid this situation. If you are using Microsoft Update, Windows Update, or WSUS, you should configure your client to download and automatically install your updates. This will prevent your client from going non-compliant in the first place because of updates that are available but not installed.
Also check out the newly available NAP Design Guide!
– Louis Hardy