
Configuring NAP with DHCP
In this document we will show how to assign IP addresses from our DHCP servers to the computers we are interested in, based on certain conditions such as membership of an AD group, whether they have an antivirus installed, whether the OS is up to date… and we can indicate whether we want to give them an IP address from our scopes or deny them access to the network.
The first thing will be to add the server role “Network Policy and Access Services”.
We select only the role service “Network Policy Server” and continue with the installation wizard.
Open the “Network Policy Server” admin console, where we can configure NAP policies manually or through a wizard. In the NPS server we will start by clicking “Configure NAP”.
As the network connection method we select “Dynamic Host Configuration Protocol (DHCP)” and give the policy a name, “Next”.
We will not add RADIUS clients, “Next”.
If we want, we can manually add the DHCP scopes of our DHCP servers; in this case we will apply the policy to all scopes, “Next”.
We can add a group of computers that we created previously so that only the members of that group are granted IP addresses. We could directly use “Domain Computers” to restrict the IP addresses handed out by our DHCP server to the computers in our Active Directory only, “Next”.
If we have update servers we can indicate them here, “Next”.
We tick a validator to apply to this policy, to require extra conditions on the computers, such as having an antivirus installed, having the computer updated… We can also have these conditions auto-remediated when a computer does not meet them, and we indicate whether we want to give access to computers that do not comply, “Next”.
We confirm that everything is correct and click “Finish”.
We will create a GPO that we apply to all the computers we are interested in, where we set the “Network Access Protection Agent” service to start automatically in “Computer Configuration” > “Policies” > “Windows Settings” > “Security Settings” > “System Services”.
And we enable the “DHCP Quarantine Enforcement Client” in “Computer Configuration” > “Policies” > “Windows Settings” > “Security Settings” > “Network Access Protection” > “NAP Client Configuration” > “Enforcement Clients”.
Optionally, we can edit the configuration of the default Windows Security Health Validator or create a custom one, indicating whether we require clients to have the firewall enabled, antivirus, antispyware and Windows updates, and in the policy whether we require all of the conditions to be met or only some of them.
And finally we enable “Network Access Protection” on our DHCP server scopes! With this our client network is a little more secure, since only computers that meet all the conditions we are interested in will get an IP!
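As an added example (not part of the original post), the same last step and the two client settings from the GPO, checked and applied from PowerShell, so we can audit which scopes still hand out addresses without NAP and whether a client actually ended up enforced. It assumes the DhcpServer module (Windows Server 2012 or later) on the DHCP server, the napagent service on the client, and the usual layout of `netsh nap client show state` output.

```powershell
# Added example, not from the original post.
# Server side: assumes the DhcpServer module (Windows Server 2012+).

# Report every IPv4 scope with its NAP status; scopes with NapEnable = False
# still give any computer an address, regardless of the NPS policy.
function Get-NapScopeReport {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-DhcpServerv4Scope -ComputerName $ComputerName |
        Select-Object ScopeId, Name, State, NapEnable, NapProfile
}

# Turn on NAP for every scope that does not have it yet (the post's last step,
# done for all scopes at once instead of one by one in the DHCP console).
function Enable-NapOnAllScopes {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-DhcpServerv4Scope -ComputerName $ComputerName |
        Where-Object { -not $_.NapEnable } |
        ForEach-Object {
            Set-DhcpServerv4Scope -ComputerName $ComputerName -ScopeId $_.ScopeId -NapEnable $true
            "NAP enabled on scope $($_.ScopeId) ($($_.Name))"
        }
}

# Client side: the two settings the GPO in the post pushes, plus the result.
# 79617 is the ID of the DHCP Quarantine Enforcement Client.
function Test-NapClient {
    $agent = Get-Service -Name napagent
    $state = netsh nap client show state | Out-String
    # Assumption: the enforcement client block lists "Id = 79617" followed a few
    # lines later by "Initialized = Yes" when the DHCP enforcement client is on.
    $dhcpBlock = [regex]::Match($state, 'Id = 79617[\s\S]*?Initialized = (\w+)')
    $restriction = [regex]::Match($state, 'Restriction state = ([^\r\n]+)')
    [pscustomobject]@{
        AgentStartType   = $agent.StartType
        AgentStatus      = $agent.Status
        DhcpEnforcement  = if ($dhcpBlock.Success) { $dhcpBlock.Groups[1].Value } else { 'not found' }
        RestrictionState = if ($restriction.Success) { $restriction.Groups[1].Value.Trim() } else { 'unknown' }
    }
}

# Local equivalent of the GPO for a single machine (e.g. a test client):
# Set-Service -Name napagent -StartupType Automatic; Start-Service napagent
# netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"
```

Run `Get-NapScopeReport` before and after `Enable-NapOnAllScopes` on the DHCP server, and `Test-NapClient` on a domain computer after the GPO has applied: `RestrictionState` should read "Not restricted" on a compliant machine and change on one that fails the validator.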