Enable Client Health Checks for DHCP and IPsec NAP Deployments

Applies To: Windows Server 2008

Enable client health checks

You can use this procedure to enable client health checks when you deploy Network Access Protection (NAP) with the Internet Protocol security (IPsec) and DHCP enforcement methods. Client health checks with these enforcement methods occur during the authorization process; however, these checks also occur at times when NPS does not perform the full authentication and authorization process. For example, when a DHCP client renews its IP address, a client health check is performed, but full authentication and authorization are not performed.


The Perform machine health check only setting is provided for use with network policies that also enforce health policy for NAP. Do not use this setting on policies that do not enforce health policy for NAP.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To enable client health checks

  1. Open the Network Policy Server console, double-click Policies,and then double-click Network Policies.

  2. Double-click the policy for which you want to enable client health checks. The policy properties dialog box opens. Click the Constraints tab.

  3. In Constraints, ensure that Authentication Methods is selected.

  4. In the details pane, select the Perform machine health check only check box.

Additional considerations

For DHCP and IPsec NAP deployments, when NPS receives a request for a client health check that does not include the User Name attribute and the Identity Type condition is configured in NPS network policy with a value of Computer health check, the request matches the policy and, if all other conditions and constraints configured in the policy are also matched, the policy settings are applied.

For more information, see Network Policy Conditions Properties.