The Windows Security Health Validator (WSHV) provides settings that you can configure based on the requirements of your deployment.

WSHV settings

You can configure the following WSHV settings for your policy.

Firewall

To use the setting A firewall is enabled for all network connections, the firewall software that is running on the client computer must be Windows Firewall software or other firewall software that is compatible with Windows Security Center.

Firewall software that is not compatible with Windows Security Center cannot be managed or detected by Windows Security Health Agent (WSHA) on the client computer.

If you select A firewall is enabled for all network connections, WSHA on the client computer checks if firewall software is running on the client computer, and then takes the following actions:

  • If the client computer is not running firewall software, the client computer is restricted to a remediation network until firewall software is installed and running.

  • If the only firewall software running on the client computer is a firewall that is not compliant with Windows Security Center, WSHA reports to the Network Access Protection (NAP) service that no firewall is enabled, and the client computer is restricted to a remediation network.

Important

If you select A firewall is enabled for all network connections and client computers are not running Windows Firewall or other Windows Security Center-compliant firewall software, client computers cannot connect to your network.

If you do not select A firewall is enabled for all network connections, WSHA on the client computer performs no checks, and client computers that are not running firewall software are not prevented from connecting to your network.

Autoremediation

If you select A firewall is enabled for all network connections, you enable NAP autoremediation, and WSHA on the client computer reports that no firewall is enabled, then WSHV directs WSHA on the client computer to turn on Windows Firewall.

Important

If autoremediation is enabled and client computers are running firewall software that is not compliant with Windows Security Center, that firewall is not detected by WSHA, and WSHA on the client computer turns on Windows Firewall, resulting in the client computer running two different firewalls simultaneously. Any exceptions configured on the noncompliant firewall that are not configured in Windows Firewall can cause a loss of functionality on the client computer. For this reason, running two different firewalls simultaneously on client computers is not recommended.

Virus protection

If you select An antivirus application is on, WSHA on the client computer verifies that antivirus software is running on the client computer. If the client computer is not running antivirus software, the client computer is restricted to a remediation network until antivirus software is installed and running.

The antivirus software that is running on the client computer must be compatible with Windows Security Center. Antivirus software that is not compatible with Windows Security Center cannot be managed or detected by WSHA on the client computer. If the only antivirus software running on the client computer is an antivirus application that is not compliant with Windows Security Center, WSHA reports to WSHV that no antivirus is enabled, and the client computer is restricted to a remediation network.

If you select Antivirus is up to date, WSHA on the client computer verifies that the definitions for the antivirus applications on the client computer are the most current versions available.

To verify that antivirus software is running and that antivirus definitions are the most recent updates available, you must select both An antivirus application is on and Antivirus is up to date.

If you do not select An antivirus application is on, WSHA on the client computer performs no checks, and client computers that are not running antivirus software are not prevented from connecting to your network.

If you do not select both An antivirus application is on and Antivirus is up to date, WSHA on the client computer performs no checks, and client computers that are not running antivirus software or that are running antivirus software with out-of-date antivirus definitions are not prevented from connecting to your network.

Spyware protection

If you select An antispyware application is on, WSHA on the client computer verifies that antispyware software is running on the client computer. If the client computer is not running antispyware software, the client computer is restricted to a remediation network until antispyware software is installed and running.

The antispyware software that is running on the client computer must be Windows Defender or other antispyware software that is compatible with Windows Security Center.

Antispyware software that is not compatible with Windows Security Center cannot be managed or detected by WSHA on the client computer. If the only antispyware software running on the client computer is an antispyware application that is not compatible with Windows Security Center, WSHA reports to WSHV that no antispyware is enabled, and the client computer is restricted to a remediation network.

If you select Antispyware is up to date, WSHA on the client computer verifies that the definitions for the antispyware applications on the client computer are the most current versions available.

To verify that antispyware software is running and that antispyware definitions are the most recent updates available, you must select both An antispyware application is on and Antispyware is up to date.

If you do not select An antispyware application is on, WSHA on the client computer performs no checks, and client computers that are not running antispyware software are not prevented from connecting to your network.

If you do not select both An antispyware application is on and Antispyware is up to date, WSHA on the client computer performs no checks, and client computers that are not running antispyware software or that are running antispyware software with out-of-date antispyware definitions are not prevented from connecting to your network.

Autoremediation

If you select An antispyware application is on, you enable NAP autoremediation, and WSHA on the client computer reports that no antispyware is enabled, then WSHV directs WSHA on the client computer to turn on Windows Defender.

Important

If autoremediation is enabled and client computers are running antispyware software that is not compliant with Windows Security Center, that antispyware is not detected by WSHA, and WSHA on the client computer turns on Windows Defender, resulting in the client computer running two different antispyware applications simultaneously.

Note

You can configure autoremediation by using the NAP Client Management Microsoft Management Console (MMC) snap-in.

Automatic updating

If you select Automatic Updating is on, and Microsoft Update Services is not enabled on the client computer, WSHA restricts the client computer to a remediation network until Microsoft Update Services is enabled.

Microsoft Update Services is enabled when one of the following settings is selected on the client computer:

  • Install updates automatically (recommended)

  • Download updates, but let me choose whether to install them

  • Check for updates, but let me choose whether to download and install them

Autoremediation

If you select Automatic updates are enabled, you enable NAP autoremediation, and WSHA on the client computer reports that Microsoft Update Services is not enabled, then WSHV directs WSHA on the client computer to enable Microsoft Update Services and to configure Microsoft Update Services to automatically download and install updates.

Note

You can configure autoremediation by using the NAP Client Management MMC snap-in.

Security update protection

Do not configure Security Update Protection in your WSHV policy unless client computers on your network are running Windows Update Agent. In addition, client computers that are running Windows Update Agent must be registered with a server running Windows Server Update Service (WSUS).

Important

If these conditions are not met and you configure Security Update Protection in your WSHV policy, the policy cannot be enforced by WSHA on the client computer, WSHA restricts client computers to a remediation network, and the clients cannot connect to your network.

If client computers are running Windows Update Agent and are registered with a WSUS server, you can configure Security Update Protection for your WSHV policy.

In that case, if you select Enforce quarantine for missing security updates and the most recent security updates are not installed, WSHA restricts the client computer to a remediation network until the most recent software security updates are installed.

You can configure Security Update Protection with several possible values that match security severity ratings from the Microsoft Security Response Center (MSRC). These values are:

  • Critical only. If selected, client computers are required to have all security updates with an MSRC severity rating of Critical. If a client computer does not have these updates, it is restricted to a remediation network until the updates are downloaded and installed.

  • Important and above. This is the default setting. If selected, client computers are required to have all security updates with an MSRC severity rating of Important or Critical. If a client computer does not have these updates, it is restricted to a remediation network until the updates are downloaded and installed.

  • Moderate and above. If selected, client computers are required to have all security updates with an MSRC severity rating of Moderate, Important, or Critical. If a client computer does not have these updates, it is restricted to a remediation network until the updates are downloaded and installed.

  • Low and above. If selected, client computers are required to have all security updates with an MSRC severity rating of Low, Moderate, Important, or Critical. If a client computer does not have these updates, it is restricted to a remediation network until the updates are downloaded and installed.

  • All. If selected, client computers are required to have all security updates, regardless of their severity rating by the MSRC. If a client computer does not have the most recent updates, it is restricted to a remediation network until the updates are downloaded and installed.

After you configure the security update severity rating level, you can specify the minimum number of hours allowed since the client has checked the WSUS server for new security updates. The default value for the minimum synchronization time is 22 hours.

When a client computer first attempts to connect to a NAP-enabled network and the Security Update Protection setting is configured in the WSHV policy, WSHA determines whether to restrict the client computer to a remediation network based on the most recent time that the client computer checked the WSUS server for security updates. WSHA determines whether to restrict the client to a remediation network in the following way:

  • If the client's most recent check for updates occurred more than the WSHV-configured minimum number of hours ago, the client computer is restricted to a remediation network. After the client checks for updates and downloads and installs any recent updates, the client is allowed full network access.

  • If the client's most recent check for updates occurred within the WSHV-configured minimum number of hours (that is, the elapsed time is equal to or less than the configured value), the client computer is not restricted to a remediation network.

Note

WSHA on the client computer only performs this check at the time that the client computer attempts to connect to the network. If the client computer remains connected to the network for longer than the configured minimum synchronization time, WSHA does not trigger a check for security updates, does not trigger download of updates, and does not restrict the client computer to a remediation network.

Autoremediation

For autoremediation to work with the Security Update Protection setting enabled and configured in your WSHV policy, the following must be true:

  • Client computers on your network are running Windows Update Agent.

  • Client computers that are running Windows Update Agent are registered with a WSUS server.

  • Autoremediation is configured and enabled.

If these conditions are met, WSHA on the client computer checks with the WSUS server to discover the most recent security updates. If WSHA discovers that the most recent security updates of the configured MSRC severity rating are not installed on the client computer, WSHA downloads and installs the most recent security updates.
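The following is an added model of the Security Update Protection decision described above (the MSRC severity threshold, the minimum synchronization time and the autoremediation action); it is example code written for this page, not WSHV or WSHA code, and the report shape, the "Unrated" severity label and the update names are constructed assumptions.

```python
from dataclasses import dataclass

# MSRC severity ratings in ascending order. "All" additionally covers updates
# that carry no MSRC rating, modelled here with the constructed label "Unrated".
SEVERITY_ORDER = ["Low", "Moderate", "Important", "Critical"]

# The five WSHV "Security Update Protection" values, each mapped to the set of
# severities a client must have installed to be compliant.
REQUIRED_SEVERITIES = {
    "Critical only": {"Critical"},
    "Important and above": set(SEVERITY_ORDER[2:]),
    "Moderate and above": set(SEVERITY_ORDER[1:]),
    "Low and above": set(SEVERITY_ORDER),
    "All": set(SEVERITY_ORDER) | {"Unrated"},
}


@dataclass
class ClientReport:
    """Constructed stand-in for what WSHA knows at connect time (hypothetical shape)."""
    hours_since_wsus_check: float
    missing_updates: dict  # constructed: update name -> MSRC severity rating


def evaluate_security_updates(report, level="Important and above",
                              min_sync_hours=22, autoremediate=False):
    """Return (restricted, reasons, actions) for one connect attempt.

    Per the documentation: the client is restricted if its last WSUS check is
    older than min_sync_hours (22 is the documented default), or if any update
    of a required severity is missing. With autoremediation on, the action is to
    download and install the missing required updates. WSHA evaluates only at
    connect time, so nothing here re-checks a long-lived connection.
    """
    required = REQUIRED_SEVERITIES[level]
    reasons, actions = [], []
    if report.hours_since_wsus_check > min_sync_hours:  # "equal to or less" passes
        reasons.append(f"last WSUS check {report.hours_since_wsus_check:g}h ago "
                       f"exceeds {min_sync_hours}h")
        actions.append("check WSUS for updates")
    missing = sorted(name for name, sev in report.missing_updates.items()
                     if sev in required)
    if missing:
        reasons.append("missing required updates: " + ", ".join(missing))
        if autoremediate:
            actions.append("download and install: " + ", ".join(missing))
    return bool(reasons), reasons, actions


if __name__ == "__main__":
    # Constructed sample: one Critical and one Moderate update missing, checked 5h ago.
    sample = ClientReport(5, {"UPDATE-A": "Critical", "UPDATE-B": "Moderate"})
    print(evaluate_security_updates(sample, autoremediate=True))
```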