Configure IKEFlags Registry Settings
Updated: February 29, 2012
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
When you configure certificate-based authentication with NAP, connection security rules can be configured to accept health certificates only. This option is not available with IP security policies. Use the IKEFlags registry setting on computers running Windows XP SP3 to cause health certificates to be preferred when multiple certificates are available for IPsec certificate-based authentication. The IKEFlags registry entry is a REG_DWORD type. You must manually create this entry if it does not already exist. For more information, see Health Enforcement and Remediation.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
Use the following procedure to configure the IKEFlags registry setting on a client computer. You can also deploy this registry setting using Administrative Templates in Group Policy. For more information about this registry setting, see How to simplify the creation and maintenance of Internet Protocol (IPsec) security filters in Windows Server 2003 and Windows XP (http://go.microsoft.com/fwlink/?LinkID=69286).
On the NAP client computer, click Start, point to All Programs, click Accessories, click Command Prompt, type regedit, and then press ENTER. The Registry Editor opens.
In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley\IKEFlags.
To create the IKEFlags entry, right-click Oakley, point to New, click DWORD Value, and then type IKEFlags.
To set the value of IKEFlags, double-click IKEFlags, select Hexadecimal, under Value data, type 1c, and then click OK.
Close the Registry Editor.