Share via

Best Practices Analyzer

Applies To: Windows Server 2008 R2

In Windows management, best practices are guidelines that are considered the ideal way, under typical circumstances, to configure a server as defined by experts. For example, it is considered a best practice for most server technologies to keep open only those ports required for the technologies to communicate with other networked computers, and block unused ports. Although best practice violations, even crucial ones, are not necessarily problematic, they indicate server configurations that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential problems.

Best Practices Analyzer (BPA) is a server management tool that is available in Windows Server® 2008 R2. BPA can help administrators reduce best practice violations by scanning one or more roles that are installed on Windows Server 2008 R2, and reporting best practice violations to the administrator. Administrators can filter or exclude results from BPA reports that they do not have to see. Administrators can also perform BPA tasks by using either the Server Manager GUI, or Windows PowerShell cmdlets.

BPA can also be used on remote servers that are running Windows Server 2008 R2, by using Server Manager targeted at a remote server. For more information about how to run Server Manager targeted at a remote server, see Remote Management with Server Manager.

Best Practices Analyzer

BPA is installed by default on all editions of Windows Server 2008 R2 except the Server Core installation option.


Instructions for installing Windows PowerShell, and modules for Server Manager and Best Practices Analyzer on the Server Core installation option of Windows Server 2008 R2 are available in Remote Management with Server Manager.

Because the units analyzed by BPA are server roles, the interface for BPA is located on role home pages in the Server Manager console. For more information about roles, see Roles, Role Services, and Features. Best Practices Analyzer is one of the areas of the Summary section of a role’s home page.

How BPA works

BPA works by measuring a role’s compliance with best practice rules in eight different categories of a role’s effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three severity levels described in the following table.

Severity level Description


Noncompliant results are returned when a role does not satisfy the conditions of a rule.


Compliant results are returned when a role satisfies the conditions of a rule.


Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services might show a warning result if a license server is unavailable to the role, because even if no remote connections are active at the time of the scan, not having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories

The following table describes the categories of best practice rules against which roles are measured during a BPA scan.

Category Name Description


Security rules are applied to measure a role’s relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.


Performance rules are applied to measure a role’s ability to process requests and perform its prescribed duties in the enterprise, within expected periods of time given the role’s workload.


Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role from performing its prescribed duties in an enterprise.


Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the role to operate optimally and securely.


Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.


Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators to evaluate whether best practices were satisfied before you use the role in production.


Postdeployment rules are applied after all required services have started for a role, and the role is running in the enterprise.

BPA Prerequisites

BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

How to open BPA

You can open BPA in the Server Manager console by opening the home page for a server role that supports BPA.

To open BPA in Server Manager

  1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.

  2. In the tree pane, open Roles, and then select the role for which you want to open BPA.

  3. In the details pane, open the Summary section, and then open the Best Practices Analyzer area.

Running BPA

For more information about how to run BPA scans, see Running and Filtering Scans in Best Practices Analyzer in this Help.