SHA on Windows 2008

  • Question

  • Hi
    I am trying to apply IPsec enforcement using NAP.

    But on any Windows Server 2008 there is a message that said that SHA is not present!!!!!

    When I searched the forum I found that Windows 2008 has no SHA!!!

    Is there anything new on this issue??????????

    Monday, June 1, 2009 1:57 PM

Answers

  • Hi,
    Here is more information regarding the settings: http://technet.microsoft.com/en-us/library/dd125396.aspx. You can try selecting Compliant for the first two entries. It should work fine.

    Thanks
    -RamaSubbu SK


    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Thursday, June 4, 2009 5:54 AM
  • Hi,

    You should turn off the NAP agent service if you don't have an installed SHA. You can give the server an exemption certificate as you described. If you install a SHA, the server can be a NAP client, but usually the "health" settings on servers are managed differently than client computers.

    -Greg
    Sunday, June 7, 2009 4:21 AM

All replies

  • Hi,
    I need a bit more information to help you here. Where are you seeing "SHA Not Present"? Also, what is the SHA ID it is saying?

    Thanks
    -RamaSubbu SK


    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Tuesday, June 2, 2009 12:59 AM
  • I saw it on Windows 2008 Server Enterprise Edition and Standard Edition as a notification message in the system tray.

    The ID is 79744

    Tuesday, June 2, 2009 5:32 AM
  • Hi,
    Thanks for the reply. The SHA you are looking at is the Windows SHA. The Windows SHA essentially depends on Windows Security Center to get the system health. In the Windows Server 2008 SKUs there is no Windows Security Center service, so the Windows SHA will not work properly there. You cannot use Windows Server as a NAP client machine only for Windows SHA. You can select "Compliant" for "SHV unable to contact required services" to work around this on the "Windows Security Health Validators Properties".

    Thanks
    -RamaSubbu SK
    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Tuesday, June 2, 2009 5:57 AM
  • You are correct, Server 2008 does not come with a SHA installed by default.

    http://technet.microsoft.com/en-us/library/dd348492(WS.10).aspx

    Id                     = 79744
    Name                = Windows Security Health Agent
    Tuesday, June 2, 2009 5:59 AM
  • I tried what you said but it is still not working!!!!

    Any suggestion?!
    Wednesday, June 3, 2009 9:04 AM
  • What have you tried and what is not working? As of today, you cannot have SHA #79744 working on a Windows Server machine. You might want to create an exception rule for those machines if needed.
    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Wednesday, June 3, 2009 6:53 PM
  • OK, thanks Rama. I tried to select "Compliant" for "SHV unable to contact required services" as you said but still have the problem.

    Finally I gave these servers a system health certificate that I created for the NAP server and I hope this will work.

    Thank you again for being patient with me.

    Thursday, June 4, 2009 5:49 AM
  • Thanks Greg & Rama for your help, it's working now, especially what Greg mentioned: you have to stop the NAP Agent on Windows 2008 Server after giving it a certificate. Thanks again.
    Sunday, June 7, 2009 5:42 AM