Share via

Configure Policies for No Enforcement

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

The NAP health policy server uses the Network Policy Server (NPS) role service with configured health and network policies and system health validators (SHVs) to evaluate client health based on administrator-defined requirements. Based on the results of this evaluation, NPS instructs the HRA server to provide full access to compliant NAP client computers and to restrict access to noncompliant client computers.


The procedures used to configure NPS for the no enforcement method are identical to those used for NAP with IPsec enforcement. These two methods differ with respect to the application of IPsec policies to client computers.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

Configure NAP policies for no enforcement with the NAP configuration wizard

The NAP configuration wizard helps you to set up NPS as a NAP health policy server. The wizard provides commonly used settings for each NAP enforcement method, and automatically creates customized NAP policies for use with your network design. You can access the NAP configuration wizard from the NPS console.


By default, the NAP configuration wizard creates a noncompliant network policy configured for full enforcement. When you use the NAP with no enforcement method, full enforcement mode does not restrict the access of noncompliant NAP client computers. However, these computers will receive NAP notifications. To change the NAP enforcement mode, see Configure Network Policy for Deferred Enforcement and Configure Network Policy for Reporting Mode.

To configure NPS using the NAP configuration wizard

  1. Click Start, click Run, type nps.msc, and then press ENTER.

  2. In the Network Policy Server console tree, click NPS (Local).

  3. In the details pane, under Standard Configuration, click Configure NAP. The NAP configuration wizard will start. See the following example.

  4. On the Select Network Connection Method for Use with NAP page, under Network connection method, select IPsec with Health Registration Authority (HRA), and then click Next.

  5. On the Specify NAP Enforcement Servers Running HRA page, click Next. If required, RADIUS clients and remote RADIUS server groups will be configured in another procedure.

  6. On the Configure User Groups and Machine Groups page, click Next. If required, user and machine group requirements will be configured in another procedure.

  7. On the Define NAP Health Policy page, verify that the SHVs you will use to monitor NAP client health requirements are listed after Name. By default, the Windows Security Health Validator is displayed.

  8. Select the check box next to each SHV that will be used to evaluate the health status of NAP client computers. To enable automatic remediation of noncompliant client computers, select the Enable auto-remediation of client computers check box, and then click Next.

  9. On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.

See Also


Configure RADIUS Clients for NAP
Configure Remote RADIUS Server Groups for NAP
Configure User and Machine Group Requirements