Health policies define which system health validators (SHVs) are evaluated, as well as how they are used to evaluate the health status of Network Access Protection (NAP) client computers. Based on the results of SHV checks, health policies classify client health status. When you create a health policy, you can enable one or more installed SHVs and select one of the following SHV checks.
You must select at least one SHV to use in a health policy. SHVs that are not selected in a health policy are not evaluated by the policy. The following types of SHV checks are available in a health policy:
- Client passes all SHV checks. Use this setting to create a health policy that requires a client computer to meet the requirements of all enabled SHVs. This is the most restrictive setting that you can use to evaluate compliant computers.
- Client fails all SHV checks. Use this setting to create a health policy that requires a client computer to fail to meet requirements of all enabled SHVs. This is the least restrictive setting that you can use to evaluate noncompliant computers.
- Client passes one or more SHV checks. Use this setting to create a health policy that requires a client computer to meet the requirements of at least one enabled SHV. This is the least restrictive setting that you can use to evaluate compliant computers.
- Client fails one or more SHV checks. Use this setting to create a health policy that requires a client computer to fail to meet requirements of at least one enabled SHV. This is the most restrictive setting that you can use to evaluate noncompliant computers.
- Client reported as transitional by one or more SHVs. Use this setting to create a health policy for clients that report a status of transitional in extended state information. To use this setting, the SHV must support extended state reporting as part of the health evaluation process. A transitional state indicates that required services on the client are not ready to report health status. The transitional state can be temporary. For example, a client might report a status of transitional if services have been recently started.
- Client reported as infected by one or more SHVs. Use this setting to create a health policy for clients that report a status of infected in extended state information. To use this setting, the SHV must support extended state reporting as part of the health evaluation process. This extended state information is used primarily by an antivirus system health agent (SHA) that is capable of reporting that the client is infected with malicious software (also called malware) that it cannot remove.
- Client reported as unknown by one or more SHVs. Use this setting to create a health policy for clients that report a status of unknown in extended state information. To use this setting, the SHV must support extended state reporting as part of the health evaluation process. An unknown state indicates that the credentials of the end host cannot be determined. The unknown state can be temporary.
Although some SHVs check multiple settings on a client computer, an SHV check is an evaluation of the client computer against all requirements of the SHV. For example, the Windows Security Health Validator (WSHV) can check client computers for multiple software requirements and settings. A client computer might pass some of these checks, but it must meet all requirements of the SHV to pass the SHV check.
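The following Python sketch is an added illustration, not Microsoft or NPS code. It models how the seven SHV check types classify one client report, so you can see which health policies a client matches when it passes one SHV and fails another. The report layout, the setting names, and `ExampleAV-SHV` are assumptions made for the example, and the extended state is modeled as a separate field from the pass/fail result.

```python
from enum import Enum

class Check(Enum):
    PASSES_ALL = "Client passes all SHV checks"
    FAILS_ALL = "Client fails all SHV checks"
    PASSES_ONE_OR_MORE = "Client passes one or more SHV checks"
    FAILS_ONE_OR_MORE = "Client fails one or more SHV checks"
    TRANSITIONAL = "Client reported as transitional by one or more SHVs"
    INFECTED = "Client reported as infected by one or more SHVs"
    UNKNOWN = "Client reported as unknown by one or more SHVs"

# Extended-state check types and the state value they look for.
EXTENDED = {Check.TRANSITIONAL: "transitional", Check.INFECTED: "infected",
            Check.UNKNOWN: "unknown"}

def shv_check_passes(requirements):
    # An SHV check passes only if the client meets every requirement of that SHV.
    return all(requirements.values())

def policy_matches(check, enabled_shvs, report):
    """Return True if the client report matches a health policy using `check`."""
    if not enabled_shvs:
        raise ValueError("a health policy must select at least one SHV")
    # SHVs not selected in the policy are ignored, even if the client reported them.
    if check in EXTENDED:
        return any(report[n].get("extended") == EXTENDED[check] for n in enabled_shvs)
    passed = [shv_check_passes(report[n]["requirements"]) for n in enabled_shvs]
    return {
        Check.PASSES_ALL: all(passed),
        Check.FAILS_ALL: not any(passed),
        Check.PASSES_ONE_OR_MORE: any(passed),
        Check.FAILS_ONE_OR_MORE: not all(passed),
    }[check]

# Constructed sample report; setting names and "ExampleAV-SHV" are hypothetical.
REPORT = {
    "WSHV": {"requirements": {"firewall_on": True, "antivirus_on": True,
                              "auto_update_on": False}, "extended": None},
    "ExampleAV-SHV": {"requirements": {"signatures_current": True},
                      "extended": None},
}

def matching_checks(enabled_shvs, report=REPORT):
    # Every check type whose health policy this client would match.
    return {c for c in Check if policy_matches(c, enabled_shvs, report)}

if __name__ == "__main__":
    for shvs in (["WSHV"], ["ExampleAV-SHV"], ["WSHV", "ExampleAV-SHV"]):
        print(shvs, sorted(c.name for c in matching_checks(shvs)))
```

With both SHVs enabled, the sample client matches "passes one or more" and "fails one or more" at the same time, and neither of the "all" checks.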
The Setting option under SHVs used in this health policy is new in Windows Server 2008 R2. If an SHV supports the storing of multiple configurations, you can use this setting to choose one of these configurations to use with your health policy. If an SHV does not support the storing of multiple configurations, you must configure settings in the Default Configuration.