3.3.1 Abstract Data Model

The following is a state diagram for the WSHV:


Figure 4: WSHV state

  • When the WSHV is running and the NPS receives an SoH from a client that does not have the WSHA running, the NPS returns an error code to the client indicating that it is missing a particular SHA. This is handled by the Protocol Bindings for SoH [TNC-IF-TNCCSPBSoH] and does not involve the Windows Security Health Agent (WSHA) and Windows Security Health Validator (WSHV) Protocol [MS-WSH].

  • The health policy configuration ADM elements used by the WSHV are stored in the registry.<9> The health policy is used to evaluate the SoH sent by the client to the WSHV as described in section 3.3.7.3. The values for the ADM elements are as follows:

    | Name | Type | Description |
    |---|---|---|
    | MaxDurationSinceLastSync | DWORD | Specifies the maximum number of seconds allowed since software updates were last synchronized. The maximum value is 259,200 seconds (72 hours). |
    | AntiVirusUptoDate | DWORD | When the value of this ADM element is 1, the client is required to have antivirus signatures that are up-to-date. When the value is 0, the client can have antivirus signatures that are not up-to-date. |
    | AntiVirusRealTime | DWORD | When the value of this ADM element is 1, the client is required to have the antivirus software enabled. When the value is 0, the client can have the antivirus software disabled or not installed. |
    | AutoUpdate | DWORD | When the value of this ADM element is 1, the client is required to have the Automatic Updates feature enabled. When the value is 0, the client can have the Automatic Updates feature disabled. |
    | WUAllowed | DWORD | When the value of this ADM element is 1, the WSHA can query Windows Update for software updates. When the value is 0, the WSHA SHOULD NOT query Windows Update. |
    | EnforceUpdates | DWORD | When the value of this ADM element is 1, the WSHA enforces software updates on the client. When the value is 0, the WSHA does not enforce software updates on the client. |
    | WSUSAllowed | DWORD | When the value of this ADM element is 1, the WSHA can query Windows Software Update Services for software updates. When the value is 0, the WSHA SHOULD NOT query Windows Software Update Services for software updates. |
    | MinimumSeverityRating | DWORD | When the value of this ADM element is 0x80, the client is required to have all Low, Moderate, Important, and Critical software updates installed. When the value is 0x100, the client is required to have all Moderate, Important, and Critical software updates installed. When the value is 0x200, the client is required to have all Important and Critical software updates installed. When the value is 0x400, the client is required to have all Critical software updates installed. |
    | Firewall | DWORD | When the value of this ADM element is 1, the client is required to have a firewall enabled. When the value is 0, the client can have the firewall disabled. |
    | AntiSpywareScanEnabled<10> | DWORD | When the value of this ADM element is 1, the client is required to have antispyware software enabled. When the value is 0, the client can have antispyware software disabled or not installed. |
    | AntiSpywareUptoDate<11> | DWORD | When the value of this ADM element is 1, the client is required to have antispyware signatures that are up-to-date. When the value is 0, the client can have antispyware signatures that are not up-to-date. |
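The following Python is an added illustration of how a validator would apply these ADM elements to a client's reported health state; it is not code from [MS-WSH] or from Windows. It keeps the ADM element names and the 0x80 to 0x400 severity codes from the table above, but the comparison rules are the plain reading of each description (the normative evaluation is in section 3.3.7.3, which this page does not reproduce), and the ClientHealth field names are assumptions made for the example. It also checks the registry-backed policy values themselves, since the 259,200-second cap and the 0/1 flags are the places a misconfigured policy would otherwise silently weaken enforcement.

```python
"""Evaluate a client's reported health state against the WSHV health policy.

Added example, not code from [MS-WSH]. ADM element names and values follow the
policy table; the comparison rules are assumed from each element's description
(section 3.3.7.3 is normative), and ClientHealth field names are assumptions.
"""
from dataclasses import dataclass, field

# Severity thresholds as encoded in the MinimumSeverityRating ADM element.
SEVERITY_CODE = {"Low": 0x80, "Moderate": 0x100, "Important": 0x200, "Critical": 0x400}
MAX_SYNC_SECONDS = 259_200  # documented upper bound: 72 hours


@dataclass
class HealthPolicy:
    """Registry-backed policy ADM elements (all DWORD). Defaults are constructed."""
    MaxDurationSinceLastSync: int = MAX_SYNC_SECONDS
    AntiVirusUptoDate: int = 1
    AntiVirusRealTime: int = 1
    AutoUpdate: int = 1
    WUAllowed: int = 1
    EnforceUpdates: int = 1
    WSUSAllowed: int = 1
    MinimumSeverityRating: int = 0x200
    Firewall: int = 1
    AntiSpywareScanEnabled: int = 1
    AntiSpywareUptoDate: int = 1


@dataclass
class ClientHealth:
    """Flattened view of what a client's SoH reports (field names are assumed)."""
    seconds_since_last_sync: int
    av_signatures_current: bool
    av_enabled: bool
    auto_update_enabled: bool
    firewall_enabled: bool
    antispyware_enabled: bool
    antispyware_signatures_current: bool
    missing_update_severities: list = field(default_factory=list)


FLAG_ELEMENTS = ("AntiVirusUptoDate", "AntiVirusRealTime", "AutoUpdate", "WUAllowed",
                 "EnforceUpdates", "WSUSAllowed", "Firewall",
                 "AntiSpywareScanEnabled", "AntiSpywareUptoDate")


def validate_policy(policy):
    """Return a list of problems with the policy values read from the registry."""
    problems = []
    if not 0 <= policy.MaxDurationSinceLastSync <= MAX_SYNC_SECONDS:
        problems.append("MaxDurationSinceLastSync exceeds 259,200 seconds")
    if policy.MinimumSeverityRating not in SEVERITY_CODE.values():
        problems.append("MinimumSeverityRating is not 0x80, 0x100, 0x200 or 0x400")
    for name in FLAG_ELEMENTS:
        if getattr(policy, name) not in (0, 1):
            problems.append(f"{name} must be 0 or 1")
    return problems


def evaluate(client, policy):
    """Return the ADM elements whose requirement the client fails, in table order.

    WUAllowed, EnforceUpdates and WSUSAllowed direct the WSHA's own behaviour
    and are not compliance checks, so they never appear in the result.
    """
    failures = []
    if client.seconds_since_last_sync > policy.MaxDurationSinceLastSync:
        failures.append("MaxDurationSinceLastSync")
    if policy.AntiVirusUptoDate == 1 and not client.av_signatures_current:
        failures.append("AntiVirusUptoDate")
    if policy.AntiVirusRealTime == 1 and not client.av_enabled:
        failures.append("AntiVirusRealTime")
    if policy.AutoUpdate == 1 and not client.auto_update_enabled:
        failures.append("AutoUpdate")
    # A missing update fails the check when its severity is at or above the threshold.
    if any(SEVERITY_CODE[s] >= policy.MinimumSeverityRating
           for s in client.missing_update_severities):
        failures.append("MinimumSeverityRating")
    if policy.Firewall == 1 and not client.firewall_enabled:
        failures.append("Firewall")
    if policy.AntiSpywareScanEnabled == 1 and not client.antispyware_enabled:
        failures.append("AntiSpywareScanEnabled")
    if policy.AntiSpywareUptoDate == 1 and not client.antispyware_signatures_current:
        failures.append("AntiSpywareUptoDate")
    return failures


if __name__ == "__main__":
    # Constructed sample: firewall off and one Important update missing.
    sample = ClientHealth(seconds_since_last_sync=3600, av_signatures_current=True,
                          av_enabled=True, auto_update_enabled=True,
                          firewall_enabled=False, antispyware_enabled=True,
                          antispyware_signatures_current=True,
                          missing_update_severities=["Important"])
    print(validate_policy(HealthPolicy()), evaluate(sample, HealthPolicy()))
```

Raising MinimumSeverityRating from 0x200 to 0x400 makes the same missing Important update acceptable, and setting Firewall to 0 drops the firewall check entirely, which is why a validator should treat the registry-backed policy as security-relevant configuration and reject values outside the documented ranges before using them.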