Health policies define which system health validators (SHVs) are evaluated, as well as how they are used to evaluate the health status of Network Access Protection (NAP) client computers. Based on the results of SHV checks, health policies classify client health status. When you create a health policy, you can enable one or more installed SHVs and select one of the following SHV checks.
You must select at least one SHV to use in a health policy. SHVs that are not selected in a health policy are not evaluated by the policy. The following types of SHV checks are available in a health policy:
- Client passes all SHV checks. Use this setting to create a health policy that requires a client computer to meet the requirements of all enabled SHVs. This is the most restrictive setting that you can use to evaluate compliant computers.
- Client fails all SHV checks. Use this setting to create a health policy that requires a client computer to fail to meet requirements of all enabled SHVs. This is the least restrictive setting that you can use to evaluate noncompliant computers.
- Client passes one or more SHV checks. Use this setting to create a health policy that requires a client computer to meet the requirements of at least one enabled SHV. This is the least restrictive setting that you can use to evaluate compliant computers.
- Client fails one or more SHV checks. Use this setting to create a health policy that requires a client computer to fail to meet requirements of at least one enabled SHV. This is the most restrictive setting that you can use to evaluate noncompliant computers.
- Client reported as transitional by one or more SHVs. Use this setting to create a health policy for clients that report a status of transitional in extended state information. To use this setting, the SHV must support extended state reporting as part of the health evaluation process. A transitional state indicates that required services on the client are not ready to report health status. The transitional state can be temporary. For example, a client might report a status of transitional if services have been recently started.
- Client reported as infected by one or more SHVs. Use this setting to create a health policy for clients that report a status of infected in extended state information. To use this setting, the SHV must support extended state reporting as part of the health evaluation process. This extended state information is used primarily by an antivirus system health agent (SHA) that is capable of reporting that the client is infected with malicious software (also called malware) that it cannot remove.
- Client reported as unknown by one or more SHVs. Use this setting to create a health policy for clients that report a status of unknown in extended state information. To use this setting, the SHV must support extended state reporting as part of the health evaluation process. An unknown state indicates that the credentials of the end host cannot be determined. The unknown state can be temporary.
Although some SHVs check multiple settings on a client computer, an SHV check is an evaluation of the client computer against all requirements of the SHV. For example, the Windows Security Health Validator (WSHV) can check client computers for multiple software requirements and settings. A client computer might pass some of these checks, but it must meet all requirements of the SHV to pass the SHV check.
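The matching rules described above, sketched as an added Python model (this is not Microsoft's or NPS's code). The check-type strings, the `ShvResult` class, the requirement names and the `ExampleAV` SHV are constructed for illustration, and the model assumes extended state is reported alongside the pass/fail result.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ShvResult:
    """One SHV's report for a client (constructed model, not an NPS structure)."""
    requirements: dict                     # requirement name -> met?
    extended_state: Optional[str] = None   # "transitional", "infected", "unknown"

    def passed(self) -> bool:
        # An SHV check passes only if every requirement of that SHV is met.
        return all(self.requirements.values())

def policy_matches(check: str, enabled: list, results: dict) -> bool:
    """Return True if the client matches a health policy that uses `check`."""
    if not enabled:
        raise ValueError("a health policy must select at least one SHV")
    # SHVs that are not selected in the policy are not evaluated by it.
    selected = [results[name] for name in enabled]
    passes = [r.passed() for r in selected]
    if check == "passes_all":
        return all(passes)
    if check == "fails_all":
        return not any(passes)
    if check == "passes_one_or_more":
        return any(passes)
    if check == "fails_one_or_more":
        return not all(passes)
    if check in ("transitional", "infected", "unknown"):
        return any(r.extended_state == check for r in selected)
    raise ValueError(f"unknown SHV check type: {check}")

# Constructed sample client: WSHV has one unmet requirement, while a
# hypothetical third-party SHV ("ExampleAV") has all requirements met.
CLIENT = {
    "WSHV": ShvResult({"firewall_on": True, "antivirus_current": False}),
    "ExampleAV": ShvResult({"engine_running": True}),
}

def classify(enabled: list) -> dict:
    """Evaluate the four pass/fail check types for the sample client."""
    checks = ("passes_all", "fails_one_or_more", "passes_one_or_more", "fails_all")
    return {c: policy_matches(c, enabled, CLIENT) for c in checks}
```

For the same set of enabled SHVs, `passes_all` and `fails_one_or_more` always give opposite answers, as do `passes_one_or_more` and `fails_all`, so a client matches exactly one policy of each pair.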
The Setting option under SHVs used in this health policy is new in Windows Server 2008 R2. If an SHV supports the storing of multiple configurations, you can use this setting to choose one of these configurations to use with your health policy. If an SHV does not support the storing of multiple configurations, you must configure settings in the Default Configuration.