Forefront Client Security SHA-SHV Deployment Guide

Applies To: Forefront Client Security

Overview

The Microsoft® Forefront® Integration Kit for Network Access Protection provides a way for two Microsoft technologies to work together: Forefront Client Security and Network Access Protection (NAP). These technologies provide administrators with a significant degree of control over the security and health of networked client computers. NAP uses system health agents (SHAs) and system health validators (SHVs) to monitor and assess the health of such computers.

This “Microsoft Forefront Client Security SHA/SHV Deployment Guide” describes how to implement the Microsoft Forefront Integration Kit for Network Access Protection.

Forefront Client Security

Forefront Client Security provides unified malware protection for business desktop computers, laptops, and servers from threats such as spyware, viruses, and rootkits. With Forefront Client Security, IT administrators can quickly and clearly see the current status of their networks, manage security for client and server computers, and view a history of malware activity in their environments.

Network Access Protection (NAP)

NAP is a policy enforcement platform with components that are built into Windows Server® 2008, Windows Vista, and 32-bit Windows® XP with Service Pack 3 (SP3). NAP uses a Network Policy Server (NPS), SHAs, and SHVs to monitor the health of computers in a network. NAP enables administrators to specify health requirements for their networks and to isolate computers that are noncompliant.

Solution Architecture

The following subsections specify the required components of the Integration Kit.

Required Components

Components that the solution requires include:

  • A Forefront Client Security 1.0 infrastructure

  • Network Access Protection, a component of Windows Server 2008, 32-bit or 64-bit editions, or Windows Server 2008 R2 editions

  • Active Directory® Domain Services (AD DS)

Operating System Requirements

To deploy the Integration Kit, server computers must be running Windows Server 2008 or Windows Server 2008 R2. Client computers must be running either a 32-bit or 64-bit version of one of the following operating systems:

  • Professional, Enterprise, or Ultimate editions of Windows 7

  • Business, Enterprise, or Ultimate editions of Windows Vista

  • Standard or Enterprise editions of Windows Server 2008 and Windows Server 2008 R2

  • Windows XP Professional Edition with SP3 (32-bit version only)

Tip

If you have previously installed an earlier version of this Integration Kit, you must uninstall both the Forefront Client Security SHA and the Forefront Client Security SHV before you can install this updated version.

Solution Components

The following core components are included in this solution:

  • Forefront Client Security SHA. A standard NAP client computer component that reports Forefront Client Security–related information to the NPS.

  • Forefront Client Security SHV. A standard NAP server computer component that interprets the Forefront Client Security–related information from computers that run the SHA.

The following diagram illustrates the architecture of the solution. Forefront Client Security is represented as FCS in the diagram.

Solution architecture

The diagram illustrates the principal components of the solution. In this deployment scenario, a computer that runs the Forefront Client Security SHA attempts to access a NAP–protected network resource. To do so, the built-in NAP client component queries each SHA about the health of the computer. The following numbered descriptions correspond to the numbered arrows in the diagram.

  1. To monitor and report on Forefront Client Security–related aspects of computer health, the Forefront Client Security SHA first queries certain system registry settings. For example, it determines whether Forefront Client Security has been disabled.

  2. The Forefront Client Security SHA also checks health information of system services that are considered critical to proper Forefront Client Security operation.

  3. The Forefront Client Security SHA queries the WSUS client for information about patches and malware signature definition updates.

  4. When queried by the Forefront Client Security SHA, the WSUS client retrieves the latest information from the local WSUS server to determine if any Forefront Client Security patches or malware signature definition updates are available. If patches are available, the SHA determines how long the patches have been available, which helps provide information about how out-of-date the managed computer is.

  5. When the health data has been gathered, it is sent to the NPS, which uses the Forefront Client Security SHV to evaluate the health information and determine whether the requesting computer complies with the predefined health policy.

  6. The security agent runs on the managed computer and sends data to the Forefront Client Security Server Management system, which provides manageability, data collection, and reporting services.

  7. User authentication and Group Policy are managed through AD DS.
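The following script is an added example, not the SHA's own code, that approximates from the client side the checks described in arrows 2 to 4 above (critical services, pending Forefront Client Security updates on the WSUS server, and how long those updates have been available). It is useful when troubleshooting a computer that the NPS reports as noncompliant. The service names and the staleness threshold are assumptions; substitute the values that match your environment and your health policy.

```powershell
# Added example, not the SHA's own code: a read-only local approximation of the checks
# described in arrows 2 to 4 above (critical services, pending Forefront Client Security
# updates from WSUS, and how long they have been available), for troubleshooting a client
# that the NPS reports as noncompliant. Service names and the staleness threshold are
# assumptions; substitute the values that match your environment and health policy.
param(
    [string[]]$CriticalServices = @('FCSAM', 'FcsSas', 'MOM'),   # assumed service names
    [int]$MaxUpdateAgeDays = 3                                    # assumed staleness threshold
)

$report = @{}

# Check 1: every critical service must be present and running.
foreach ($name in $CriticalServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { $report["Service:$name"] = $svc.Status.ToString() }
    else      { $report["Service:$name"] = 'MISSING' }
}

# Check 2: ask the Windows Update Agent what the WSUS server still has pending for this
# computer. ServerSelection 1 (ssManagedServer) forces the query to the WSUS server the
# client is configured for, rather than to Microsoft Update.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 1
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$now = Get-Date
foreach ($update in $result.Updates) {
    if ($update.Title -notlike '*Forefront Client Security*') { continue }
    # LastDeploymentChangeTime is when the update was last published to this client, so
    # its age approximates "how long the patch has been available" (arrow 4).
    $ageDays = [math]::Floor(($now - $update.LastDeploymentChangeTime).TotalDays)
    if ($ageDays -gt $MaxUpdateAgeDays) { $report["Update:$($update.Title)"] = "STALE ($ageDays days)" }
    else                                { $report["Update:$($update.Title)"] = "pending ($ageDays days)" }
}

# Summary: a missing or stopped service, or a stale update, is the kind of finding that
# makes the SHV evaluate the statement of health as noncompliant.
$failures = @($report.GetEnumerator() | Where-Object {
    $_.Value -eq 'MISSING' -or $_.Value -eq 'Stopped' -or $_.Value -like 'STALE*'
})
$report.GetEnumerator() | Sort-Object Key | ForEach-Object { '{0,-70} {1}' -f $_.Key, $_.Value }
if ($failures.Count -gt 0) {
    Write-Warning ("{0} health check(s) failed; expect a noncompliant SoH from this computer." -f $failures.Count)
}
```

Run the script from an elevated prompt on the managed computer. It only reads state; it does not start services or install updates, so it can be used on a computer that is currently isolated in the restricted network without changing what the SHA will report next.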

Who Should Read this Guide

This guide is intended for IT managers, desktop and end user support personnel, IT generalists, and infrastructure specialists. It is not intended for application specialists or home users.

Chapter Summary

The Microsoft Forefront Client Security SHA/SHV Deployment Guide includes this overview as well as four chapters, which the following subsections describe.

Chapter 1: Integration Kit Requirements

This chapter provides information about the infrastructure elements that need to be in place before implementing the Microsoft Forefront Integration Kit for Network Access Protection, which requires a functioning NAP infrastructure and healthy Forefront Client Security infrastructure.

Chapter 2: Installation and Configuration Information

This chapter provides guidance for deploying the Integration Kit. It includes information about planning the policies, deploying the SHA to computers, and installing the server components.

Chapter 3: Client Remediation Actions

This chapter explains the different auto-remediation actions that might occur when using the Integration Kit, and describes which actions might require manual remediation by an administrator.

Chapter 4: Troubleshooting and Error Logging

This chapter provides guidance about interpreting the event messages that the Forefront Client Security SHA and SHV components generate as well as information about error logs generated by NAP and Forefront Client Security.

Style Conventions

Element          Meaning

Bold font        Signifies characters typed exactly as shown, including commands, switches, and file names. User interface elements also appear in bold.

Italic font      Titles of books and other substantial publications appear in italics.

<Italic>         Placeholders set in italics and within angle brackets, such as <file name>, represent variables.

Monospace font   Depicts code and script samples.

Note             Alerts the reader to supplementary information.

Important        Alerts the reader to essential supplementary information.

Acknowledgments

The Solution Accelerators – Security and Compliance (SA-SC) team would like to acknowledge and thank the group of people who produced the “Microsoft Forefront Integration Kit for Network Access Protection.” The following individuals were either directly responsible or made a substantial contribution to the writing, development, and testing of this Solution Accelerator.

Content Developers and Experts

Amith Krishnan – Microsoft
Avinash Gupta – Microsoft
Dan Griffin – JW Secure, Inc.
Howard Lee – Microsoft
Jeff Sigman – Microsoft
John Gilham – Studio B Productions
Nic Sagez – Microsoft
Pat Fetty – Microsoft
Paul Terry – Microsoft
Sreenivas Addagatla – Microsoft
Yi Zhang – Microsoft

Developer

Dan Griffin – JW Secure, Inc.

Development Lead

Frank Simorjay – Microsoft

Editors

Steve Wacker – Wadeware LLC
John Cobb – Wadeware LLC
Jennifer Kerns – Wadeware LLC

Reviewers and Contributors

From Microsoft:

Akshat Kesarwani, Brad Wright, Brendan Foley, Bret Clark, Byron Hynes, Carissa Matelich, Chase Carpenter, Chris Edson, Chris Reinhold, Chris Sfanos, Cyndee Young, Daryl Pecelj, Derick Campbell, Douglas Hill, Fabrizio Vitale, Federico Soto, Frank Zakrajsek, Gilbert Wong, Greg Lindsay, Jane Zhang, Jeff Newfeld, Jeff Wettlaufer, Jim Cook, Joe Coulombe, Jose Luis Auricchio, José Maldonado, Jun Wang, Karl Grunwald, Kelly Hengesteg, Kevin Rhodes, Lambert Green, Margaret Arakawa, Michael Tan, Mike Burk, Mike Mitchell, Ming Xu, Neha Sharma, Paul Bryan, Paul Long, Paul Mayfield, Rukmani Gopalan, Ryan Hurst, Sanjay Gautam, Sara Thomas, Senthil Murugesan, Shain Wray, Shon Eizenhoefer, Spencer Bishop, Steve Espinosa, Steven Nelson, Stewart MacLeod, Travis Krick, Vinod Kancharla

Other reviewers:

Aaron Tiensivu – Berbee
Alex B. Chalmers – Ball State University
Andrew Julian – Allina Hospitals & Clinics
Bryan Edge-Salois – Volt Information Sciences
Chris Boscolo – Napera Networks
Dave Buck – Volt Information Sciences
Fatih Comlekoglu – Blue Ridge Networks
Jim Vanden Boom – Berbee
Kim Boring – Corestaff
Todd Hooper – Napera Networks

Product Managers

Alain Meeus – Microsoft
Jim Stuart – Microsoft
Shruti Kala – Microsoft

Program Manager

Tom Cloward – Microsoft

Release Manager

Karina Larson – Microsoft

Test Manager

Gaurav Singh Bora – Microsoft

Testers

Aseem Parashar – Infosys Technologies Ltd
Huzefa Aliasgar Hararwala – Infosys Technologies Ltd
Siddharth Sadanand Sawant – Infosys Technologies Ltd

Chapter 1: Integration Kit Requirements

This chapter is designed to help administrators plan to deploy the Microsoft Forefront Integration Kit for Network Access Protection. Requirements for the Integration Kit include Forefront Client Security and a functioning NAP infrastructure, as described in this chapter.

Forefront Client Security

Forefront Client Security is software that unifies the management of malware protection applications that would typically be managed independently.

Forefront Client Security includes a malware protection agent and a central management system. The malware protection agent can be deployed to desktop, laptop, and server computers in an organization. The central management system provides IT administrators with a central location to view and manage all the computers that run Forefront Client Security.

Forefront Client Security does not require IT administrators to create separate policies for each different type of malware (for example, viruses, Trojan horses, worms, spyware, and rootkits). Forefront Client Security streamlines the creation and management of antimalware policy by using a single policy for the various forms of malware. This structure helps IT administrators to create policies for their organizations that they know will be enforced for all defined malware.

The Integration Kit requires Forefront Client Security to be installed on the computers to be managed. In addition, the components in the following subsections are required.

Windows Server Update Services (WSUS)

This component is a distribution server that Forefront Client Security uses to distribute security agent and antimalware signature definition updates to computers in the organization. The WSUS server is a critical component of the Integration Kit. For guidance about deploying WSUS, see Deploying Microsoft Windows Server Update Services 3.0 (https://go.microsoft.com/fwlink/?LinkId=88892). For more information about how to use WSUS, see Microsoft Windows Server Update Services (https://go.microsoft.com/fwlink/?LinkId=88611).

Planning for WSUS to Distribute Forefront Client Security Updates

WSUS provides organizations with the ability to automatically download Microsoft product updates and distribute them to computers within the organization. WSUS connects to Microsoft Update and synchronizes the available updates to the local server. After you install and configure WSUS, you need to configure your computers to connect to the WSUS server to download updates. For more information about deploying Forefront Client Security to managed computers, see Deploying Client Security (https://go.microsoft.com/fwlink/?LinkId=88893).

Note

The recommended method of deploying Forefront Client Security to target managed computers is through Group Policy or an approved deployment solution. You can use the Microsoft Forefront Client Security Management console to deploy a Forefront Client Security policy. After the target computers receive the Forefront Client Security policy, they will contact the WSUS server and download the Forefront Client Security client components, which the WSUS server will have downloaded from Microsoft Update. This step requires that the managed computers be configured to connect to a WSUS server.

Adding Forefront Client Security to Your WSUS Infrastructure

The installation of the Forefront Client Security distribution component on your WSUS 2.0 server adds a service called the Forefront Client Security Update Assistant. This service causes WSUS to query Microsoft Update for updates once an hour, which allows WSUS to obtain signature definition updates at more frequent intervals than the default configuration of WSUS.

WSUS 3.0 natively supports checking for updates once an hour. Therefore, if you are running WSUS 3.0, you do not have to install the distribution component on the computer running WSUS. However, you must configure your WSUS server to check for updates every hour.

In addition, the installation of the distribution component configures your WSUS server to automatically synchronize the Forefront Client Security definition updates from Microsoft Update. Definition updates are also added to the Approve for Installation list in the WSUS Automatic Approval Options, which means that any definition updates downloaded by the WSUS server are automatically approved for installation by your managed computers.

To ensure that your WSUS server synchronizes the Forefront Client Security client components and that they can be downloaded and installed by your managed computers after you deploy your Forefront Client Security policy, you must add Updates to the Update classifications list in Synchronization Options in WSUS. For more information, see Approving the client components in WSUS (https://go.microsoft.com/fwlink/?LinkId=88895) on Microsoft TechNet®.

Forefront Client Security Management Server

This component is a Microsoft Operations Manager (MOM) server that provides central alerting, reporting, and administration of the antimalware security policies that are pushed to the managed computers.

MOM Considerations

The Forefront Client Security SHA can be installed with the /nomom option. However, if this option is used, it is very important to disable the monitoring of the MOM component in the SHV's configuration. It should also be noted that integrating with MOM is the recommended configuration for administration of Forefront Client Security, because it allows administrators to easily manage and update preconfigured or customized malware protection agents in a production environment. If the SHA is installed with the /nomom option, there will be no way to obtain reporting or monitoring information.

Client Operating System Requirements

The Forefront Client Security software must be installed. The Forefront Client Security agent provides protection from threats such as spyware, viruses, and rootkits.

In addition, the Forefront Client Security system health agent (SHA) provided with this Integration Kit must be installed on all computers that you want to manage using this solution. The SHA can be installed on the following platforms:

  • 32-bit and 64-bit versions of the Business, Enterprise, and Ultimate editions of Windows Vista

  • 32-bit and 64-bit versions of the Professional, Enterprise, or Ultimate editions of Windows 7

  • 32-bit and 64-bit versions of the Standard and Enterprise editions of Windows Server 2008 and Windows Server 2008 R2

  • 32-bit version of Windows XP Professional Edition with SP3

Forefront Client Security – More Information

For more information about Forefront Client Security, see the following:

Network Access Protection

Planning a NAP infrastructure requires making decisions about health policy, enforcement, and remediation. For more information about configuring a NAP infrastructure, see the NAP Step-by-Step Guides on the main page of the Network Access Protection (https://go.microsoft.com/fwlink/?LinkID=139149) site on Microsoft TechNet.

To plan for your NAP implementation, you will need to:

  • Review the NAP architecture

  • Choose enforcement methods

  • Choose WSUS as your remediation infrastructure

  • Choose enforcement modes

  • Define NAP policy for each system health validator (SHV)

Before proceeding, administrators should be familiar with how users and computers are grouped and managed within the network. This knowledge can help define how to control network health evaluation and enforcement. Administrators should also understand the requirements and components of NAP because they will make decisions regarding the SHAs that are installed on the managed computers and SHVs that are installed on the NAP Network Policy Server (NPS).

Administrators will have to deploy these NAP components before they can configure and enable a network policy that enforces a Forefront Client Security health policy. Therefore, a good understanding of these concepts is necessary to the planning process.

NAP Enforcement Methods

Three built-in enforcement methods work in conjunction with NAP to enforce health policies. NAP enforcement methods are not mutually exclusive; administrators can choose to implement multiple enforcement methods in varying combinations. For more information about the three enforcement methods, see Network Access Protection (https://go.microsoft.com/fwlink/?LinkId=192455) on Microsoft TechNet. The available NAP enforcement methods are:

NAP Enforcement Modes

NAP provides a way to enforce security policy and isolate noncompliant computers from your secure network through different enforcement modes. NAP enforcement mode settings allow you to specify what happens when computers do not comply with your organization’s health policy. For more information about the three enforcement modes, see the "NAP enforcement and network restriction" heading in the Network Access Protection (https://go.microsoft.com/fwlink/?LinkId=192455) article referenced earlier. There are three modes to select from:

  • Allow full network access. Specifies that the managed computer has unlimited network access. Select this mode for network policies defined for compliant NAP clients. This mode is equivalent to reporting mode because no network restriction is placed on the managed computer.

  • Allow full network access for a limited time. Specifies that the managed computer has unlimited network access up to a specific date and time. This mode is also known as deferred enforcement.

  • Allow limited access. Specifies that the managed computer has limited network access. Select this option for network policies defined for noncompliant NAP clients or for NAP ineligible clients.

You can also specify whether the SHA should perform auto-remediation on the NAP client computers.

Solution Architecture

The Forefront Client Security SHA/SHV solution includes the following components:

  • Forefront Client Security SHA. The SHA component is installed on computers to monitor their health, including whether Forefront Client Security is installed, patched, and has all of the latest signature definition files. The SHA sends a statement of health (SoH) to the Forefront Client Security SHV.

  • Forefront Client Security SHV. The SHV component is installed on a Windows Server 2008–based server computer. The SHV provides an interface to configure a health policy on the NPS for Forefront Client Security.

The following figure shows the NAP architecture in this solution.

Sample NAP architecture

This diagram includes the following components:

  • Compliant NAP clients. Computers that run the SHA and that are allowed on the network because they comply with the NAP health policy.

  • NAP enforcement methods. Network access protocols that work with NAP to require the evaluation of a NAP client's health state and provide restricted network access or communication. NAP enforcement methods work with an NPS to evaluate the health state of NAP clients, whether network access or communication is allowed, and the set of remediation actions that a noncompliant NAP client must perform. The four built-in enforcement methods are identified earlier in this chapter.

  • Forefront Client Security SHV and NPS. Computers that run Windows Server 2008 and the NPS service that store health requirement policies and provide health state validation for NAP.

  • Active Directory Domain Services (AD DS). The directory service that stores account credentials and properties and Group Policy settings. Although not required for health state validation, AD DS is required for IPsec-protected communications, 802.1X-authenticated connections, and remote access VPN connections.

  • Restricted network. A separate logical or physical network that contains:

    1. Remediation servers. Computers that contain health update resources that NAP clients can access to remediate their noncompliant state. Examples include antivirus signature distribution servers and software update servers. Information about proper configuration of the Windows Server Update Services remediation servers required by this solution is provided in the next section.

    2. NAP clients with limited access. Computers that are isolated in a restricted network when they do not comply with health requirement policies.

WSUS Remediation Server Configuration

This Solution Accelerator depends on Windows Server Update Services servers for client remediation. That is, for noncompliant NAP clients to be properly serviced, they must be able to reach a WSUS server even while isolated on a restricted network.

The following two procedures provide step-by-step instructions to help you properly configure the WSUS remediation server; proper configuration is essential for the solution to function properly.

Note

All steps and screen examples are for NAP in Windows Server 2008.

To set up a Remediation Server Group in NAP

  1. On the NPS, click Start, click Run, type nps.msc, and then press Enter.

  2. In the Network Policy Server console tree, open Network Access Protection, and then right-click Remediation Server Groups.

  3. Click New.

  4. In the New Remediation Server Group dialog box, enter a name for the group and then click Add.

  5. In the Add New Server dialog box, provide the name of the WSUS server in the Friendly Name text box and then enter the IP address of the WSUS server in the IP Address or DNS name text box. Then click Resolve. The following screen shot is an example of such a configuration; in your environment, you would enter the IP address of your own WSUS server.

    New Remediation Server Group

  6. Click OK twice to close both the dialog boxes.

Enabling the remediation server for noncompliant computers

  1. On the NPS, click Start, click Run, type nps.msc, and then press Enter.

  2. In the Network Policy Server console tree, open Policies, and then click Network Policies.

  3. In the details pane, double-click the policy for noncompliant clients.

  4. In the Properties dialog box that opens, click the Settings tab and then click NAP Enforcement in the left pane as shown in the following screen shot.

    Configuring NAP Enforcement Setting on the NPS

  5. In the right pane, click Configure in the "Remediation Server Group and Troubleshooting URL" section.

  6. In the Remediation Servers and Troubleshooting URL dialog box, select the Remediation Server Group that was created from the drop-down menu. For example, see the following screen shot.

    Remediation Servers and Troubleshooting URL

  7. Click OK and then select Enable auto-remediation of client computers. Click OK to close the dialog box.

The preceding two procedures are essential for the solution to function properly.

Network Access Protection – More Information

For more information about NAP, see the following:

Chapter 2: Installation and Configuration Information

This chapter describes how to install and configure the two primary components of the Microsoft Forefront Integration Kit for Network Access Protection:

  • Forefront Client Security system health agent (SHA). The SHA is installed on the computers to be managed. It monitors Forefront Client Security configuration and functionality.

  • Forefront Client Security system health validator (SHV). The SHV is the server component, and it is installed on the NAP Network Policy Server (NPS).

Successful deployment and configuration of these components requires making planning decisions that include installation requirements and policy creation. This Solution Accelerator requires the following:

Installing the Forefront Client Security SHA

For NPS enforcement to work properly, you must install the SHA before the SHV. If you reverse the process and install the SHV before the SHA, the NPS will enforce a health policy with which none of its clients can comply, because the SHV (installed and configured on the NPS) is expecting to receive health information. If the SHA isn’t installed, that health information will not be included with client access requests. In such a situation, all managed computers would be considered noncompliant and could have their access restricted (depending on the NPS configuration).

The SHA can be installed on the following platforms:

  • 32-bit and 64-bit versions of the Business, Enterprise, and Ultimate editions of Windows Vista

  • 32-bit and 64-bit versions of the Professional, Enterprise, or Ultimate editions of Windows 7

  • 32-bit and 64-bit versions of the Standard and Enterprise editions of Windows Server 2008 and Windows Server 2008 R2

  • 32-bit version of Windows XP Professional Edition with SP3

Note

When installing on 32-bit versions of Windows, use FcsNapSha86.msi. When installing on 64-bit versions of Windows, use FcsNapSha64.msi.

Interactive Install

Complete the steps in the following procedure.

To interactively install the System Health Agent (SHA)

  1. Double-click the FcsNapSha86.msi file.

  2. For Windows Vista and Windows Server 2008, if the User Account Control dialog box appears, click Continue or provide credentials.

  3. The Welcome page of the Microsoft Forefront Client Security System Health Agent Setup wizard will display, as shown in the following screen shot.

    Welcome page of wizard

  4. Click Next.

  5. On the License Agreement page, review the license agreement. To accept it and continue, select the I accept option and click Next.

  6. The Ready to Install page will display. To continue, click Install.

  7. When the installation has completed as shown in the following screen shot, click Finish.

System Health Agent successfully installed

If you attempt to install the System Health Agent on an unsupported version of Windows (for example, Windows Server 2003), the installation will fail and display the following page:

System Health Agent install failed

Silent Install

Silent installation of the SHA is fully supported using the standard MSI command-line parameters. You can use this method when building a computer image with automated deployment tools such as Microsoft Deployment, System Center Configuration Manager, or non-Microsoft deployment tools.

The following command installs the Forefront Client Security SHA silently; the /qn switch suppresses the user interface during the package installation:

msiexec /I FcsNapSha.msi /qn

You can read more about the MSI command line options on the Msiexec (https://go.microsoft.com/fwlink/?LinkID=91245) page on Microsoft TechNet.
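The following script is an added example, not part of the Integration Kit, that wraps the silent installation for use in an imaging task sequence: it picks the architecture-matched package named in the note above, writes a verbose MSI log, and maps the msiexec exit codes to success, reboot required, or failure so the calling tool can act on the result. The share path, log location, and the DisplayName pattern used in the post-check are assumptions; adjust them to your distribution point.

```powershell
# Added example (not part of the Integration Kit): silent SHA installation for a task
# sequence, with architecture selection, verbose logging and exit-code handling.
# $PackageRoot, $LogPath and the DisplayName pattern are assumptions.
param(
    [string]$PackageRoot = '\\fileserver\FcsNap',                        # assumed UNC share
    [string]$LogPath     = "$env:SystemRoot\Temp\FcsNapSha-install.log"  # assumed log location
)

# Choose FcsNapSha86.msi for 32-bit Windows and FcsNapSha64.msi for 64-bit Windows.
# PROCESSOR_ARCHITEW6432 is set only when a 32-bit process runs on 64-bit Windows.
$is64 = ($env:PROCESSOR_ARCHITECTURE -ne 'x86') -or ($env:PROCESSOR_ARCHITEW6432 -ne $null)
$msi  = if ($is64) { 'FcsNapSha64.msi' } else { 'FcsNapSha86.msi' }
$package = Join-Path $PackageRoot $msi

if (-not (Test-Path $package)) {
    Write-Error "Package not found: $package"
    exit 2
}

# /qn = no user interface, /norestart = let the deployment tool schedule the reboot,
# /l*v = verbose log for troubleshooting.
$msiArgs = "/i `"$package`" /qn /norestart /l*v `"$LogPath`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0    { Write-Output "SHA installed from $msi" }
    3010 { Write-Output "SHA installed from $msi; reboot required" }
    1641 { Write-Output "SHA installed from $msi; the installer initiated a reboot" }
    default { Write-Error "msiexec returned $($proc.ExitCode); see $LogPath" }
}

# Post-check: confirm the product is registered under Programs and Features.
# The DisplayName pattern is an assumption based on the setup wizard's title.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like '*Forefront Client Security*System Health Agent*' }
if (-not $installed) {
    Write-Warning 'SHA not found in the installed-programs registry; review the MSI log.'
}
exit $proc.ExitCode
```

Because the task sequence receives the msiexec exit code unchanged, a 3010 can be treated as "succeeded, reboot pending" rather than as a failure, which avoids needless re-runs of the package across an image build.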

Service Account Considerations

The SHA is configured to run under the Local System account. This configuration is necessary for the SHA to perform auto-remediation.

Deployment through Active Directory Group Policy Software Assignment

Note

The following steps show how to use Group Policy to deploy the 32-bit version of the Windows Installer file, fcsnapsha86.msi. You will need to adjust the file names accordingly to deploy the 64-bit version, fcsnapsha64.msi.

To use Group Policy to deploy the SHA, there are four key tasks to complete:

  1. Create a distribution point.

  2. Create a Group Policy object (GPO) for deploying the fcsnapsha86.msi file.

  3. Deploy the fcsnapsha86.msi file from the shared distribution folder as machine-assigned.

  4. (Optional) Deploy the fcsnapsha86.msi file to specific security groups.

Target computers, or computers that are to receive the fcsnapsha86.msi file, must be joined to the same domain as the server on which the Windows Installer (.msi) file resides. After you assign the package, Windows Installer automatically installs the fcsnapsha86.msi file the next time users who are connected to the network start their computers.

We recommend that you inspect the properties of each computer to ensure that the fcsnapsha86.msi update has completed on the destination computer. Only a network administrator or someone who is logged on to a local computer as an administrator can remove the assigned software (that is, the fcsnapsha86.msi file) from the destination computer.

The tasks identified in this section are explained in detail in the following procedures.

Task 1: Create a Distribution Point

To assign software, you must create a distribution point on the server.

To create a distribution point

  1. Log on to the server computer as an administrator.

  2. Create a shared network folder where you are going to put the fcsnapsha86.msi file that you want to distribute. This folder is the distribution point for the software package.

  3. Set permissions on the shared network folder to permit access to the distribution package. Assign access permissions for the following accounts:

    • Administrators

    • Authenticated users

    • Domain users

    Optionally, you can configure Distributed File System (DFS) for the distribution point. We recommend this option because it provides more flexibility by ensuring uninterrupted availability of the distribution point if you have to replace the server. In addition, with DFS it is easier to have distribution points in multiple sites. For more information about DFS, see Reviewing the Benefits of Using DFS (https://go.microsoft.com/fwlink/?linkid=34229) on Microsoft TechNet.

  4. Copy the fcsnapsha86.msi file to the distribution point.
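The following script is an added example, not from this guide, that performs Task 1 from an elevated PowerShell prompt on the file server using net share and icacls, so it works on Windows Server 2008 as well as later versions. The folder, share name, and source path are assumptions. Only Administrators get write access: client computers need only to read the package, and write access on an installer share would let any user on it replace a file that every targeted computer installs as Local System.

```powershell
# Added example (not from the guide): create the Task 1 distribution point with the
# permissions listed in step 3. Folder, share name and source path are assumptions.
param(
    [string]$Folder    = 'D:\FcsNapDist',            # assumed local folder
    [string]$ShareName = 'FcsNap',                    # assumed share name
    [string]$Source    = 'C:\Temp\fcsnapsha86.msi'    # assumed location of the downloaded MSI
)

$domain = $env:USERDOMAIN   # domain of the account running the script

# 1. Create the folder.
if (-not (Test-Path $Folder)) { New-Item -Path $Folder -ItemType Directory | Out-Null }

# 2. NTFS permissions: remove inherited entries, then grant only the accounts from step 3.
#    (OI)(CI) = applies to files and subfolders; RX = read and execute; F = full control.
& icacls $Folder /inheritance:r | Out-Null
& icacls $Folder /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
& icacls $Folder /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
& icacls $Folder /grant 'NT AUTHORITY\Authenticated Users:(OI)(CI)RX' | Out-Null
& icacls $Folder /grant "$domain\Domain Users:(OI)(CI)RX" | Out-Null

# 3. Share permissions: read for the two user groups, full control for Administrators.
& net share "$ShareName=$Folder" '/GRANT:Authenticated Users,READ' "/GRANT:$domain\Domain Users,READ" '/GRANT:Administrators,FULL' | Out-Null

# 4. Copy the package and report the UNC path that Task 3 asks for.
Copy-Item -Path $Source -Destination $Folder
$unc = "\\$env:COMPUTERNAME\$ShareName\$(Split-Path $Source -Leaf)"
if (Test-Path $unc) { Write-Output "Distribution point ready: $unc" }
else                { Write-Error "Cannot read $unc; check share and NTFS permissions" }
```

After the script completes, confirm from a domain-joined client that the UNC path is readable but not writable; Windows Installer on the target computers reads the package as the computer account, which is covered by Authenticated Users.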

Task 2: Create a GPO for Deploying the fcsnapsha86.msi File

You can create a GPO and link it to any Active Directory container that contains the target computers to which you want to deploy the fcsnapsha86.msi file. Such a container might be a site, a domain, or an organizational unit (OU).

The following instructions direct you to use a domain as a container and then to use security filtering to target the GPO to specific computers. For your environment, you might want to link the GPO to a different container, such as an OU. You can link to any Active Directory container that you want. Also, you can edit an existing GPO instead of creating a new GPO just for deploying the fcsnapsha86.msi file. However, we do not recommend that you edit the Default Domain Policy or the Default Domain Controllers Policy.

The following procedures show how you can use either the Group Policy Management Console (GPMC) or the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in to create a GPO for deploying the fcsnapsha86.msi file.

To create a GPO for deployment using the GPMC

  1. On an administrative workstation, open the GPMC.

    Note

    An administrative workstation is one on which you are logged in as the Domain Administrator and on which the GPMC is installed.

  2. In the console tree, right-click the domain name in the forest in which you want to create and link the GPO.

  3. Click Create and Link a GPO Here.

  4. In the New GPO dialog box, specify a name for the new GPO, and then click OK.

To create a GPO for deployment using Active Directory Users and Computers

  1. On a domain controller or administrative workstation, open the Active Directory Users and Computers snap-in.

  2. Locate the OU that contains the computers to which you want to deploy the fcsnapsha86.msi file.

  3. Right-click the OU, and then click Properties.

  4. In the Properties dialog box, click the Group Policy tab, and then click New.

  5. In the New GPO dialog box, specify a name for the new GPO, and then click OK.

Task 3: Deploy fcsnapsha86.msi from the Shared Distribution Folder as Machine-Assigned

After you create a distribution point and create a GPO for deployment of the fcsnapsha86.msi file, you must modify the GPO by using the Software Installation and Maintenance feature of Group Policy. To deploy the fcsnapsha86.msi file, you must use the Computer Configuration node in the GPMC.

To edit a GPO for software deployment

  1. Right-click the new GPO, and then click Edit.

  2. In the GPMC, click Computer Configuration, click Software Settings, and then click Software Installation.

  3. On the Action menu, point to New, and then click Package.

  4. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want to distribute in the File name box.

    You can type the path using either of the following two syntax examples:

    \\<ServerName>\<SharedFolder>\fcsnapsha86.msi
    \\<ServerIP>\<SharedFolder>\fcsnapsha86.msi

  5. Select the Windows Installer package, and then click Open.

  6. In the Deploy Software dialog box, click Assigned, and then click OK. The shared installer package that you selected will display in the details pane of the GPMC.

Task 4: Deploy fcsnapsha86.msi to Specific Security Groups

You can use security filtering in Group Policy to deploy the fcsnapsha86.msi file only to computers that are members of a specific security group. For example, if you create a GPO at the domain level, you can use security filtering to configure the GPO to target only specific computers. To do so, you must create the security group and then add target computers as members.

To create a security group

  1. Right-click the domain or Active Directory container that you want to target, click New, and then click Group.

  2. Name the security group.

  3. Click the Members tab, and then click Add.

  4. Type the computer names, and then click OK.

To target fcsnapsha86.msi using security filtering

  1. In the GPMC, double-click Group Policy Objects.

  2. Select the GPO for which you want to apply security filtering.

  3. In the results pane, click Add on the Scope tab.

  4. In the Enter the object name to select dialog box, type the name of the group, the user, or the computer that you want to add to the security filter, and then click OK.

  5. If Authenticated Users appears in the Security Filtering section of the Scope tab, select this group, and then click Remove. This step ensures that only members of the group or groups that you added can receive the settings in this GPO.

    Note

    The settings in a GPO apply only to the following users and computers:

    • Users and computers that are contained in the domain, the OU, or the OUs where the GPO is linked.

    • Users and computers that are specified in Security Filtering or that are members of a group that is specified in Security Filtering.

You can specify multiple groups, users, or computers in the security filter for a single GPO.
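The GPO creation in Task 2 and the security filtering in Task 4 can also be scripted. The following PowerShell script is an added example and is not part of the deployment guide; it uses the GroupPolicy module that ships with Windows Server 2008 R2 (or RSAT). The GPO name "FCS NAP SHA Deployment", the computer group "FCS-NAP-Clients" and the domain contoso.com are placeholders; substitute your own names.

```powershell
# Added example, not part of the deployment guide: scripted equivalents of
# Task 2 (create and link the GPO) and Task 4 (security filtering) using the
# GroupPolicy module that ships with Windows Server 2008 R2 / RSAT.
# Assumed names: the GPO "FCS NAP SHA Deployment", the computer group
# "FCS-NAP-Clients" and the domain contoso.com are placeholders.
Import-Module GroupPolicy

$gpoName   = 'FCS NAP SHA Deployment'
$groupName = 'FCS-NAP-Clients'
$domainDn  = 'dc=contoso,dc=com'

# Task 2: create the GPO if it does not exist and link it at the domain level.
# The Default Domain Policy is left untouched, as the guide recommends.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Deploys fcsnapsha86.msi (machine-assigned)'
}
$linked = (Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null
}

# Task 4: scope the GPO to the target computer group only. GpoApply implies
# Read, so members of the group can still read and apply the GPO after
# Authenticated Users is removed (step 5 of the security filtering procedure).
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None | Out-Null

function Get-GpoApplyScope {
    # Lists the trustees that will receive this GPO; use it to confirm that
    # Authenticated Users is gone and only the intended group remains.
    param([string]$Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { "$($_.Trustee.Domain)\$($_.Trustee.Name)" }
}

Get-GpoApplyScope -Name $gpoName
```

The Software Installation package itself (Task 3) still has to be added in the Group Policy Management Editor; the GroupPolicy module provides no cmdlet for assigning an .msi package, so the script only covers creating, linking and scoping the GPO.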

Forefront Client Security SHV Installation on the NPS

This section describes the installation of the Forefront Client Security System Health Validator.

Warning

It is essential that you deploy the Forefront Client Security SHA before the SHV. For a detailed explanation and steps for installing the SHA, see the "Installing the Forefront Client Security SHA" section at the beginning of this chapter.

The SHV can only be installed on 32-bit or 64-bit versions of Windows Server 2008. When installing on 32-bit versions of Windows, use FcsNapShv86.msi. When installing on 64-bit versions of Windows, use FcsNapShv64.msi.

To interactively install the System Health Validator (SHV) on the NPS

  1. Double-click the FcsNapShv86.msi file.

  2. If the User Account Control dialog box appears, click Continue or provide credentials.

  3. The Welcome page of the Microsoft Forefront Client Security System Health Validator Setup Wizard will display, as shown in the following screen shot.

    System Health Validator Setup Wizard

  4. Click Next.

  5. On the License Agreement page, review the license agreement. To accept it and continue, select the I accept option and click Next.

  6. The Ready to Install page will display. To continue, click Install.

  7. When the installation has completed, click Finish.

    Note

    If the Server Manager snap-in is open when you install the SHV, the SHV might not display. To display the SHV in Server Manager, you must close Server Manager and then reopen it.

The installation will fail if attempted on an unsupported version of Windows (for example, Windows Server 2003).

Forefront Client Security SHV Configuration

The recommended Compliant health policy configuration is shown in the following screen shot of the Network Policy Server MMC snap-in:

Network Policy Server snap-in

Note

All steps and screen examples are for NAP in Windows Server 2008.

Double-click the Compliant health policy to configure it. The following screen shot shows the Compliant health policy configuration. You must activate the Forefront Client Security SHV by selecting it for it to be included in your health policy. You will need to do so for both the Compliant and Noncompliant health policies.

Compliant health policy configuration

The following screen shot of the Network Policy Server snap-in shows the Noncompliant health policy:

Noncompliant health policy

The Forefront Client Security SHV error configuration summary is shown in the following screen shot of the Network Policy Server snap-in:

SHV error configuration summary

The general configuration properties options for the Forefront Client Security SHV are shown in the following dialog box:

SHV Properties dialog box

  • Require that the Windows Update Agent (WUA) service is installed: Selected

  • Require that the WUA service is enabled: Selected

  • Require that the WUA service is set to auto-start: Selected

  • Require that the Microsoft Operations Manager (MOM) service is installed: Selected

  • Require that the MOM service is enabled: Selected

  • Require that the MOM service is set to auto-start: Selected

    Note

    If you have installed the Forefront Client Security product with the /nomom option, you must disable all Microsoft Operations Manager checks.

  • Require that the Forefront Client Security Antimalware (FCSAM) service is installed: Selected

  • Require that the FCSAM service is enabled: Selected

  • Require that the FCSAM service is set to auto-start: Selected

  • Require that the Security State Assessment (SSA) service is installed: Selected

  • Require that the SSA service is enabled: Selected

  • Require that the SSA service is set to auto-start: Selected

  • Check the registry to ensure Forefront Client Security is fully operational: Selected

These recommended Client Service Policy Settings are shown in the following screen shot:

Recommended Client Service Policy settings

Note

Settings in this section can only be configured to 100 days or fewer. If you enter a policy setting value that is more than 100 days (for example, 899 days), it will be reset to 100 days and this value will be used to determine whether published updates are available.

  • Forefront product updates: Selected and set to 14 days

    This value determines how many days since an update for the Forefront Client Security product has been published on the WSUS server before a managed computer is considered unhealthy.

  • System health agent updates: Selected and set to 14 days

    This value determines how many days since an update for the Forefront Client Security SHA has been published on the WSUS server before a managed computer is considered unhealthy.

  • Antivirus/antispyware signature updates: Selected and set to 3 days

    This value determines how many days since signature definitions updates are published on the WSUS server before a managed computer is considered unhealthy.

These recommended WSUS Server Policy Settings are shown in the following screen shot:

Recommended WSUS Server Policy settings

Additional Information

This section provides additional setting and configuration information that might be useful.

Note

When you uninstall the SHV, a dialog box might warn you that the COM surrogate is running and should be closed. Because the SHV COM surrogate might be used by other components, we recommend that you not shut it down. If this error appears, click OK. The uninstallation process will continue.

Advanced Forefront Client Security SHA Settings

The Forefront Client Security SHA has three additional settings that can be configured by editing the Windows registry on the NAP clients. All three of the following registry values are located under the key path:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FcsNapSha

ServicesHealthPollingFrequencyMinutes

Type: REG_DWORD

Description: Controls the frequency (in minutes) with which service-related managed computer health changes are monitored by the SHA. The default is 1 (that is, one poll every minute). This configuration includes any health setting that pertains to the following:

  • The WSAUSERV update service. On Windows Vista and Windows Server 2008, this service is called the Windows Update Agent service. On Windows XP, it is Automatic Updates.

  • The Microsoft Operations Manager service (MOM).

  • The Microsoft Forefront Client Security Antimalware service (FCSAM).

  • The Microsoft Forefront Client Security State Assessment service (FcsSas).

  • Checking the registry to ensure Forefront Client Security is fully operational.

UpdatesHealthPollingFrequencyMinutes

Type: REG_DWORD

Description: Controls the frequency (in minutes) with which product updates-related managed computer health changes are monitored by the SHA. The default is 120 (that is, one poll every two hours). Administrators should use caution when decreasing this value, because doing so increases the load on the WSUS server and can temporarily force managed computers into noncompliant status more often while waiting for WSUS replies.

AllowNapToCacheStatementOfHealth

Type: REG_DWORD

Description: Determines whether the SHA may use a cached statement of health, if available, at start-up. The default is 1 (that is, use the cached data, if any). Administrators should use caution when disabling this value, especially when product updates (WSUS) health checking is enabled, because the managed computer will be forced into noncompliant status until the WSAUSERV client service starts and a reply is received from the WSUS server. After a reboot of the managed computer, that sequence can take up to a few minutes.
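The three registry values above are plain REG_DWORD values, so they can be read and set from PowerShell on the NAP client. The following script is an added example, not part of the guide: it reports the effective value of each setting (the documented default when the value is absent) and applies the guide's cautions as guard rails before writing. The key path and value names are taken from the text; the function names are this example's own.

```powershell
# Added example, not part of the deployment guide: read and set the three
# Forefront Client Security SHA registry values. Run on the NAP client with
# administrator rights. Defaults are the documented ones (1, 120, 1).
$shaKey = 'HKLM:\Software\Policies\Microsoft\FcsNapSha'

$defaults = @{
    ServicesHealthPollingFrequencyMinutes = 1
    UpdatesHealthPollingFrequencyMinutes  = 120
    AllowNapToCacheStatementOfHealth      = 1
}

function Get-FcsNapShaSettings {
    # Returns a hashtable of effective values: the registry value if present,
    # otherwise the documented default.
    $result = @{}
    $item = if (Test-Path $shaKey) { Get-ItemProperty -Path $shaKey } else { $null }
    foreach ($name in $defaults.Keys) {
        if ($item -and $item.PSObject.Properties[$name]) {
            $result[$name] = [int]$item.$name
        } else {
            $result[$name] = $defaults[$name]
        }
    }
    $result
}

function Set-FcsNapShaSetting {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('ServicesHealthPollingFrequencyMinutes',
                     'UpdatesHealthPollingFrequencyMinutes',
                     'AllowNapToCacheStatementOfHealth')]
        [string]$Name,
        [Parameter(Mandatory=$true)][int]$Value
    )
    # Guard rails reflecting the guide: polling intervals are positive minute
    # counts, the cache flag is 0 or 1, and polling WSUS more often than the
    # default adds WSUS load and can cause transient noncompliance.
    if ($Name -like '*Minutes' -and $Value -lt 1) { throw "$Name must be at least 1 minute" }
    if ($Name -eq 'AllowNapToCacheStatementOfHealth' -and ((0, 1) -notcontains $Value)) {
        throw "$Name must be 0 or 1"
    }
    if ($Name -eq 'UpdatesHealthPollingFrequencyMinutes' -and $Value -lt $defaults[$Name]) {
        Write-Warning "Polling WSUS more often than every $($defaults[$Name]) minutes increases WSUS load and can force computers into noncompliant status more often."
    }
    if (-not (Test-Path $shaKey)) { New-Item -Path $shaKey -Force | Out-Null }
    # All three values are REG_DWORD, as the guide specifies.
    New-ItemProperty -Path $shaKey -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Usage: keep the statement-of-health cache enabled and show the effective
# configuration of all three values.
Set-FcsNapShaSetting -Name AllowNapToCacheStatementOfHealth -Value 1
Get-FcsNapShaSettings
```

Because the key sits under Software\Policies, the same values can be delivered to many clients through Group Policy Preferences registry items rather than by running the script on each computer.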

Additional Windows XP SP3 x86 Client Configuration Information

This section provides additional information for x86-based client computers that run Windows XP with Service Pack 3 (SP3).

Note

The NAP agent must be enabled and set to auto-start on the client computer.

Configure the NAP Service to Start Automatically

The NAP service is initially configured to start manually following installation. The service must be configured to start automatically for this solution to work properly.

To configure the NAP service to start automatically

  1. Click Start, click Run, type services.msc and press Enter.

  2. In the right pane, right-click Network Access Protection Agent, and then click Properties.

  3. For the startup type, select Automatic, and then click OK.

Windows Security Center Group Policy

If you use the Windows SHA on x86-based computers running Windows XP SP3 that are joined to a domain, those computers should be configured in such a way that Windows Security Center is started with Group Policy.

To configure Windows Security Center using Group Policy

  1. Click Start, click Run, type gpedit.msc and then press Enter.

  2. In the console tree, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Security Center.

  3. In the Details pane, double-click Turn on Security Center (Domain PCs only).

  4. In the Properties dialog box, select Enabled, and then click OK.

If you do not perform these configuration steps, the client computer might be flagged as noncompliant after it is rebooted.

Windows Firewall Configuration

Microsoft Knowledge Base article 892504 (https://go.microsoft.com/fwlink/?LinkId=192482) is also relevant with regard to compliance with the Windows SHA.

DHCP Client Enforcement

In Windows Vista and Windows Server 2008, DHCP client enforcement can be accomplished using the NAP Client Configuration console. For Windows XP, client enforcement must be done using the following command:

netsh.exe nap client set enforcement ID = "79617" ADMIN = "ENABLE"

IPsec Client Enforcement

On x86-based computers running Windows XP SP3 that have the NAP service enabled, IPsec enforcement is enabled by completing the steps in the following procedure.

Note

Display limitations might cause the commands in the following procedure to display on more than one line. Each should be entered as a single line at the command prompt.

To enable IPsec on an x86-based Windows XP SP3 computer

  1. Enable IPSec enforcement by running the following command in a command prompt window while logged on with administrator privileges:

    netsh.exe nap client set enforcement ID = "79619" ADMIN = "ENABLE"

  2. Configure the health registration settings by creating a Trusted Server Group with the following command (the name you give here must match the group name you reference in step 3):

    netsh.exe nap client add trustedservergroup name = "groupName" requirehttps = "DISABLE"

  3. Set up the trusted URLs for the NPS. Modify and use the following commands according to your configuration:

    netsh.exe nap client add server group = "Trusted HRA Servers" url = "https://NPS1.Contoso.com/domainhra/hcsrvext.dll"

    netsh.exe nap client add server group = "Trusted HRA Servers" url = "https://NPS1.Contoso.com/domainhra/hcsrvext.dll"

After these commands are executed, the Health Request Agent settings are enabled on the client computer.

Chapter 3: Client Remediation Actions

Network Access Protection (NAP) provides a mechanism to automatically resolve problems on managed computers that do not comply with network policy requirements.

This process is called auto-remediation. If auto-remediation is unsuccessful, NAP notifies the user that the managed computer is not compliant, and that the user must perform some manual steps before their computer is allowed to access the network. The following section provides a scenario that describes the remediation experience for users.

Remediation User Experience

This scenario provides a set of steps that describe the user experience for both auto-remediation and manual remediation using features of the Microsoft Forefront Integration Kit for Network Access Protection. In this scenario, a network administrator has installed the client and server components of the Integration Kit and successfully tested the network environment, including NAP and Forefront Client Security.

Forefront Integration Kit for NAP remediation scenario

  1. The network administrator accesses the Forefront Client Security SHV configuration dialog box on the Network Policy Server (NPS), and then selects the following check boxes:

    • The Microsoft Operations Manager (MOM) service must be installed.

    • FCSAM (Forefront Client Security Antimalware) service must be running.

  2. The administrator has implemented NAP with DHCP and configured a health policy requiring that all computers determined to be noncompliant after submitting DHCP requests are only allowed restricted access to the network. The administrator has also enabled auto-remediation.

  3. A managed computer submits a DHCP request that includes a statement of health (SoH), which contains health information from the Forefront Client Security/NAP client component of the Forefront Client Security SHA.

  4. The managed computer’s SoH states that the MOM service is not installed and that the FCSAM service is not running.

  5. The Integration Kit's server component, the system health validator (SHV), inspects the SoH, and identifies the managed computer as noncompliant based on the administrator’s policy settings defined in step 1.

  6. The NPS notifies the DHCP server to provide the noncompliant computer with restricted access to the network.

  7. The NPS also sends information back to the managed computer in the form of a notification message to advise the user of the following requirements:

    • The user must install the MOM service on the computer.

      Because the SHA cannot perform this action automatically, the message notifies the user to install the MOM client. (Ideally, this step would have actually been performed by the system administrator, for example through Group Policy).

    • The managed computer must run the FCSAM service.

      The SHA performs this action automatically. That is, after receiving the server response, the SHA immediately attempts to start the FCSAM service.

  8. After the MOM service is installed and the FCSAM service is running, the managed computer sends a new SoH to the NPS. The compliant computer is then granted full access to the production network.

Auto-remediation

Auto-remediation assists administrators by attempting to automatically resolve issues of noncompliant computers as determined by the NAP SHV policy. Auto-remediation works after the Forefront Client Security SHA is installed on the managed computer and the NAP SHV network health policy is configured.

The following table provides information about messages that are presented during auto-remediation. Most of the resolutions require users to start a corresponding service, and then to configure it to run automatically. Procedures that detail how to perform these tasks using the Services console are provided after the table.

The first column defines the SHV requirement. If the requirement is not met, the SHA attempts to automatically resolve the problem.

Table 3.1. Auto-remediation States and Actions

Each entry lists the SHV configuration requirement, the success status message, the failure status message, and the failure resolution.

Requirement: WUA service must be running.
  Success status message: The Windows Update Agent service has been started.
  Failure status message: Patching failed because the Windows Update Agent service is not running.
  Failure resolution: Start the WUA service using services.msc.

Requirement: WUA service must be set to start automatically.
  Success status message: The Windows Update Agent service has been set to auto-start.
  Failure status message: Patching failed because the Windows Update Agent service is not set to auto-start.
  Failure resolution: Configure the WUA service to start automatically.

Requirement: MOM service must be running.
  Success status message: The Microsoft Operations Manager service has been started.
  Failure status message: Patching failed because the Microsoft Operations Manager service is not running.
  Failure resolution: Start the MOM service.

Requirement: MOM service must be set to start automatically.
  Success status message: The Microsoft Operations Manager service has been set to auto-start.
  Failure status message: Patching failed because the Microsoft Operations Manager service is not set to auto-start.
  Failure resolution: Configure the MOM service to start automatically.

Requirement: FCSAM service must be running.
  Success status message: The Microsoft Forefront Client Security Antimalware service has been started.
  Failure status message: Patching failed because the Microsoft Forefront Client Security Antimalware service is not running.
  Failure resolution: Start the FCSAM service.

Requirement: FCSAM service must be set to start automatically.
  Success status message: The Microsoft Forefront Client Security Antimalware service has been set to auto-start.
  Failure status message: Patching failed because the Microsoft Forefront Client Security Antimalware service is not set to auto-start.
  Failure resolution: Configure the FCSAM service to start automatically.

Requirement: SSA service must be running.
  Success status message: The Microsoft Forefront Client Security State Assessment service has been started.
  Failure status message: Patching failed because the Microsoft Forefront Client Security State Assessment service is not running.
  Failure resolution: Start the SSA service.

Requirement: SSA service must be set to start automatically.
  Success status message: The Microsoft Forefront Client Security State Assessment service has been set to auto-start.
  Failure status message: Patching failed because the Microsoft Forefront Client Security State Assessment service is not set to auto-start.
  Failure resolution: Configure the SSA service to start automatically.

Requirement: Forefront product updates – Check for missing Windows Software Update Services (WSUS) Forefront product updates.
  Success status message: Microsoft Forefront Client Security product updates have been installed.
  Failure status message: Patching failed because Microsoft Forefront Client Security product updates could not be installed.
  Failure resolution: Test connectivity between the managed computer and the WSUS server. Verify that other types of system patches are available and are being successfully installed.

Requirement: SHA updates – Check for missing WSUS Forefront product updates.
  Success status message: Microsoft Forefront Client Security product updates have been installed.
  Failure status message: Patching failed because Microsoft Forefront Client Security product updates could not be installed.
  Failure resolution: Test connectivity between the managed computer and the WSUS server. Verify that other types of system patches are available and are being successfully installed.

Requirement: Antivirus/antispyware signature updates – Check for missing WSUS antivirus/antispyware signature updates.
  Success status message: Microsoft Forefront Client Security product updates have been installed.
  Failure status message: Patching failed because Microsoft Forefront Client Security product updates could not be installed.
  Failure resolution: Test connectivity between the managed computer and the WSUS server. Verify that other types of system patches are available and are being successfully installed.
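The service checks in Table 3.1 and in the SHV Properties list (installed, enabled, set to auto-start) can be run locally on a managed computer before it is put behind NAP enforcement, so that a missing or stopped service is caught before it produces a noncompliant statement of health. The following PowerShell script is an added example and is not part of the guide or the Integration Kit. The service name wuauserv is the Windows Update Agent service; MOM, FCSAM and FcsSas are the service names the guide gives for the other three components and are assumed to match your installation (confirm them with Get-Service). It runs with PowerShell 2.0 on Windows XP SP3, Windows Vista and Windows Server 2008.

```powershell
# Added example, not part of the deployment guide: a local pre-check and
# remediation helper that mirrors the SHV's service requirements.
# Service names: wuauserv is the Windows Update Agent; MOM, FCSAM and FcsSas
# are the names given in the guide (assumed; verify with Get-Service).
$requiredServices = @(
    @{ Name = 'wuauserv'; Label = 'Windows Update Agent (WUA)' },
    @{ Name = 'MOM';      Label = 'Microsoft Operations Manager (MOM)' },
    @{ Name = 'FCSAM';    Label = 'Forefront Client Security Antimalware (FCSAM)' },
    @{ Name = 'FcsSas';   Label = 'Forefront Client Security State Assessment (SSA)' }
)

function Test-FcsNapServiceHealth {
    # Returns one finding per unmet requirement; an empty result means the
    # computer satisfies the service checks the SHV enforces.
    param([switch]$SkipMom)   # use when FCS was installed with /nomom and the MOM checks are disabled in the SHV
    $findings = @()
    foreach ($svc in $requiredServices) {
        if ($SkipMom -and $svc.Name -eq 'MOM') { continue }
        $service = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
        if (-not $service) {
            # "must be installed" cannot be auto-remediated (Table 3.2).
            $findings += "$($svc.Label): service not found; install or repair the product (manual remediation)"
            continue
        }
        # StartMode comes from WMI: Auto, Manual, Disabled, Boot or System.
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
        if ($wmi.StartMode -eq 'Disabled') {
            $findings += "$($svc.Label): service is disabled (SHV requires it enabled)"
        } elseif ($wmi.StartMode -ne 'Auto') {
            $findings += "$($svc.Label): start mode is $($wmi.StartMode), SHV requires auto-start"
        }
        if ($service.Status -ne 'Running') {
            $findings += "$($svc.Label): status is $($service.Status), SHV requires it running"
        }
    }
    $findings
}

function Repair-FcsNapServices {
    # Performs the auto-remediation actions from Table 3.1 (set to auto-start,
    # then start) for every required service that is installed.
    param([switch]$SkipMom)
    foreach ($svc in $requiredServices) {
        if ($SkipMom -and $svc.Name -eq 'MOM') { continue }
        if (-not (Get-Service -Name $svc.Name -ErrorAction SilentlyContinue)) { continue }
        Set-Service -Name $svc.Name -StartupType Automatic
        Start-Service -Name $svc.Name -ErrorAction Continue
    }
}

# Usage: report findings, or confirm that the checks pass.
$issues = @(Test-FcsNapServiceHealth)
if ($issues.Count -eq 0) { 'All SHV service requirements are met.' } else { $issues }
```

Run Repair-FcsNapServices only on computers where the findings are limited to start mode or running state; a "service not found" finding needs the install or repair action from Table 3.2, just as it does for the SHA.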

Use the following procedures to start services and configure them to run automatically.

To start a service

  1. Open the Services console. To do so:

    1. Click Start.

    2. In the Start Search box, type Services and then click Services. (In Windows XP, click Run, type Services and then press Enter.)

  2. In the Services console, select the service that you want to start, and then in the left pane, click Start under the service’s name.

To configure a service to start automatically

  1. Open the Services console. To do so:

    1. Click Start.

    2. In the Start Search box, type Services and then click Services. (In Windows XP, click Run, type Services and then press Enter.)

  2. In the Services console, right-click the service that you want to configure, and then click Properties.

  3. In the Properties dialog box, in the Startup type drop-down list, select Automatic, and then click OK.

Manual Remediation

If managed computers cannot automatically remediate problems that occur, the users must remediate the problems manually. The following table includes possible problems that might require manual remediation and actions that users can perform to resolve them.

Table 3.2 Manual Remediation States and Actions

Each entry lists the requirement, the manual remediation message shown to the user, and the suggested action.

Requirement: WUA service must be installed.
  Manual remediation message: Patching failed because the Windows Update Agent service was not found. Please contact your Administrator.
  Suggested action: The WUA service is a built-in Windows system component. This error indicates a corrupted installation of the Windows operating system.

Requirement: MOM service must be installed.
  Manual remediation message: Patching failed because the Microsoft Operations Manager service was not found. Please contact your Administrator.
  Suggested action: Install or repair the MOM installation.

Requirement: FCSAM service must be installed.
  Manual remediation message: Patching failed because the Microsoft Forefront Client Security Antimalware service was not found. Please contact your Administrator.
  Suggested action: Install or repair the Forefront installation.

Requirement: SSA service must be installed.
  Manual remediation message: Patching failed because the Microsoft Forefront Client Security State Assessment service was not found. Please contact your Administrator.
  Suggested action: Install or repair the Forefront installation.

Requirement: Forefront Antivirus and Antispyware Real Time Protection (RTP) must be enabled.
  Manual remediation message: Microsoft Forefront Client Security is not fully operational. Please contact your Administrator.
  Suggested action: Enable Forefront Client Security and its real-time protection options using the Forefront product configuration dialog box.

More Information

Additional information and links are available on the Network Access Protection (https://go.microsoft.com/fwlink/?LinkID=139149) site on Microsoft TechNet.

Chapter 4: Troubleshooting and Error Logging

This chapter provides information about operational errors that might occur when using the Microsoft Forefront Integration Kit for Network Access Protection. It includes information about how to identify and troubleshoot such errors as well as the type of information that gets logged about such errors.

Troubleshooting

When troubleshooting, we recommend that you first examine the System log using the Event Viewer. The logs on both the managed computer and the server might be useful for troubleshooting the problem.

In addition, there are other components that are not central to the Integration Kit that can cause operational problems. Issues with Active Directory® Domain Services (AD DS), Microsoft Forefront Client Security, Network Access Protection (NAP), and Microsoft Update can potentially affect client connectivity. Therefore, depending on the observable nature of the problem, it is important to follow appropriate troubleshooting steps for these components as well.

The remainder of this chapter focuses on troubleshooting the operational environment using:

  • System health agent (SHA) events

  • System health validator (SHV) events

  • NAP error events

  • Forefront Client Security error events

SHA Events

During operation, the Forefront Client Security SHA creates Application log events using the source name FcsNapSha. Use the Event Viewer (eventvwr.exe) to check for events specific to SHA errors. The Application log is located under Windows Logs in Event Viewer.

Table 4.1. SHA Events

Each entry lists the event message, the event ID, the level, and the significance of the event.

Message: The client computer has been instructed to auto-remediate
  Event ID: 129
  Level: Information
  Significance: This event means that the Forefront Client Security SHA has received a response from the NPS, and that the response includes instructions for the managed computer to correct some aspect of its compliance requirements. The managed computer is expected to automatically correct one or more security settings before it can be assigned access to the NAP-protected resource.

Message: The client computer needs fixes and is not instructed to auto-remediate
  Event ID: 130
  Level: Information
  Significance: This event means that the SHA has received a response from the NPS that indicates the managed computer is not in compliance and that manual intervention by the user is required to remediate the problem. This situation can occur when required software has not been installed. For example, if the administrator has configured the Forefront Client Security SHV to require MOM, and the MOM client has not been installed, affected computers will generate this event.

Message: The client computer has notified the NAP Agent of its health changes
  Event ID: 131
  Level: Information
  Significance: This event means that one of the security configuration settings monitored by the SHA has been changed.

    Note

    The NPS determines whether the change meets a requirement, does not meet a requirement, or whether it represents a change that the administrator can ignore.

Message: The check for product updates resulted in error %1
  Event ID: 132
  Level: Information
  Significance: This event means that the Forefront Client Security SHA encountered an error in its attempt to contact the Windows Server Update Services (WSUS) server. The resulting error code is included in the message.

    Note

    Windows Update service failures can be attributed to the BITS service being disabled. Ensure that BITS is enabled and running.

Message: The check for product updates resulted in %1 update(s) being found
  Event ID: 133
  Level: Information
  Significance: This event means that the SHA successfully contacted the WSUS server. The number of matching Forefront Client Security-related product updates advertised by the WSUS server (which could be zero) is included in the message.

SHV Events

During operation, the Forefront Client Security SHV creates Application log events using the source name FcsNapShv. Use the Event Viewer (eventvwr.exe) to check for events specific to SHV errors.

Table 4.2. SHV Events

Each entry lists the event message, the event ID, the level, and the significance of the event.

Message: The Microsoft Forefront Client Security system health validator received a non-patched statement of health response
  Event ID: 2
  Level: Information
  Significance: This event means that the Forefront Client Security SHV received a statement of health indicating a noncompliant managed computer.

Message: The Microsoft Forefront Client Security system health validator received a compliant statement of health response
  Event ID: 3
  Level: Information
  Significance: This event means that the Forefront Client Security SHV received a statement of health indicating a compliant managed computer.

Message: The Microsoft Forefront Client Security system health validator was loaded successfully
  Event ID: 4
  Level: Information
  Significance: This event means that the SHV is currently in use by the NPS.

Message: The Microsoft Forefront Client Security system health validator was unloaded successfully
  Event ID: 5
  Level: Information
  Significance: This event means that the SHV is not currently in use by the NPS.
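The SHA events in Table 4.1 and the SHV events in Table 4.2 are all Information-level, so they are easy to overlook in Event Viewer; pulling them out by source and ID and counting them is the quickest way to see whether computers are being sent to auto-remediation (129), stuck waiting on manual remediation (130), or failing to reach WSUS (132). The following PowerShell script is an added example and not part of the guide: the source names FcsNapSha and FcsNapShv and the event IDs and meanings are taken from the two tables; the 24-hour lookback window and the function names are this example's own. Get-WinEvent requires Windows Vista or Windows Server 2008 or later, so on Windows XP SP3 clients use Get-EventLog -LogName Application -Source FcsNapSha instead.

```powershell
# Added example, not part of the deployment guide: collect and summarise the
# Forefront Client Security SHA (Table 4.1) and SHV (Table 4.2) events from
# the Application log. Source names, IDs and meanings come from the tables;
# the lookback window is an assumption.
$shaEvents = @{
    129 = 'Client instructed to auto-remediate'
    130 = 'Client needs fixes; manual remediation required (for example, MOM client missing)'
    131 = 'Client notified the NAP Agent of a health change'
    132 = 'Product update check failed; error code in message (check BITS and WSUS connectivity)'
    133 = 'Product update check succeeded; update count in message'
}
$shvEvents = @{
    2 = 'SHV received a noncompliant (non-patched) statement of health'
    3 = 'SHV received a compliant statement of health'
    4 = 'SHV loaded by the NPS'
    5 = 'SHV unloaded by the NPS'
}

function Get-FcsNapEvents {
    # Returns the matching events with the table meaning attached to each.
    param(
        [ValidateSet('FcsNapSha', 'FcsNapShv')][string]$Provider = 'FcsNapSha',
        [int]$Hours = 24
    )
    $map = if ($Provider -eq 'FcsNapSha') { $shaEvents } else { $shvEvents }
    $filter = @{
        LogName      = 'Application'
        ProviderName = $Provider
        Id           = @($map.Keys)
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue suppresses the "No events were found" error when the log is clean.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Meaning = $map[$_.Id]
                Message = $_.Message
            }
        }
}

function Get-FcsNapEventSummary {
    # Counts per event ID. A rising 130 count points at missing software rather
    # than a NAP fault; a rising 132 count points at WSUS or BITS trouble.
    param(
        [ValidateSet('FcsNapSha', 'FcsNapShv')][string]$Provider = 'FcsNapSha',
        [int]$Hours = 24
    )
    $map = if ($Provider -eq 'FcsNapSha') { $shaEvents } else { $shvEvents }
    Get-FcsNapEvents -Provider $Provider -Hours $Hours |
        Group-Object Id | Sort-Object { [int]$_.Name } |
        Select-Object @{ n = 'Id'; e = { [int]$_.Name } },
                      Count,
                      @{ n = 'Meaning'; e = { $map[[int]$_.Name] } }
}

# Usage: run the first line on a managed computer, the second on the NPS.
Get-FcsNapEventSummary -Provider FcsNapSha -Hours 24
Get-FcsNapEventSummary -Provider FcsNapShv -Hours 24
```

Pair the SHA summary from a client with the SHV summary from the NPS for the same window: a client that logs 131 (health change) followed by the NPS logging 3 (compliant SoH) is the healthy path, while a client that keeps logging 130 without a subsequent 3 on the NPS is waiting on the manual remediation described in Table 3.2.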

NAP Error Logs

During operation, the NPS creates System log events using the source name NPS. Use the Event Viewer (eventvwr.exe) to check for events specific to NAP errors.

NPS troubleshooting content is available on Microsoft TechNet in the Windows Server 2008 Technical Library (https://go.microsoft.com/fwlink/?LinkId=89710). Additional information about troubleshooting NAP clients is available on the NAP Infrastructure (https://go.microsoft.com/fwlink/?LinkID=192484) page on Microsoft TechNet.

Core NPS content is also available on a Windows Server 2008–based computer after you install NPS. The content is located in the file radius.chm, which is located in the \Windows\System32 directory by default. Other NPS content is available on the Network Policy Server for Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkId=192487) page on Microsoft TechNet.

Forefront Client Security Error Logs

Forefront Client Security events are logged in the System log and you can view them using the Event Viewer (eventvwr.exe). Forefront Client Security events come from a variety of sources, including DataTransformationServices and FcsMs. The Forefront Client Security events are documented on Microsoft TechNet in the Forefront Client Security Troubleshooting Event IDs (https://technet.microsoft.com/en-us/library/bb643195.aspx) topic. For more information about how to troubleshoot Forefront Client Security, see Forefront Client Security Troubleshooting (https://go.microsoft.com/fwlink/?LinkId=63019).

More Information

Additional information is available through the following related resources: