Health Policies
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
Health policies define which SHVs are evaluated, as well as how they are used to evaluate the health status of NAP client computers. Based on the results of SHV checks, health policies classify client health status. When you create a health policy, you can select one of seven SHV checks and enable one or more installed SHVs. See the following figure.
Health policy configuration
You must select at least one SHV to use in a health policy. SHVs that are not selected in a health policy are not evaluated by the policy. The following types of SHV checks are available in a health policy:
Client passes all SHV checks. Use this setting to create a health policy that requires a client computer to meet the requirements of all enabled SHVs. This is the most restrictive setting that you can use to evaluate compliant computers.
Client fails all SHV checks. Use this setting to create a health policy that requires a client computer to fail to meet requirements of all enabled SHVs. This is the least restrictive setting that you can use to evaluate noncompliant computers.
Client passes one or more SHV checks. Use this setting to create a health policy that requires a client computer to meet the requirements of at least one enabled SHV. This is the least restrictive setting that you can use to evaluate compliant computers.
Client fails one or more SHV checks. Use this setting to create a health policy that requires a client computer to fail to meet requirements of at least one enabled SHV. This is the most restrictive setting that you can use to evaluate noncompliant computers.
Client reported as transitional by one or more SHVs. Use this setting to create a health policy for clients that report a status of transitional in extended state information. To use this setting, the SHV must support extended state reporting as part of the health evaluation process. A transitional state indicates that required services on the client are not ready to report health status. The transitional state can be temporary. For example, a client might report a status of transitional if services have been recently started.
Client reported as infected by one or more SHVs. Use this setting to create a health policy for clients that report a status of infected in extended state information. To use this setting, the SHV must support extended state reporting as part of the health evaluation process. This extended state information is used primarily by an antivirus SHA that is capable of reporting that the client is infected with malicious software (also called malware) that it cannot remove.
Client reported as unknown by one or more SHVs. Use this setting to create a health policy for clients that report a status of unknown in extended state information. To use this setting, the SHV must support extended state reporting as part of the health evaluation process. An unknown state indicates that the credentials of the end host cannot be determined. The unknown state can be temporary.
Although some SHVs check multiple settings on a client computer, an SHV check is an evaluation of the client computer against all requirements of the SHV. For example, the WSHV can check client computers for multiple software requirements and settings. A client computer might pass some of these checks, but it must meet all requirements of the SHV to pass the SHV check.
Health policy design considerations
If your NAP deployment includes multiple SHVs, consider creating health policies to match each possible combination of health conditions so that you use these health policies as conditions in network policies. The following table displays health policies that you can create to evaluate clients for a NAP deployment that includes three SHVs (A,B,C).
Policy name | SHV checks | SHVs used |
---|---|---|
Pass A |
Passes all |
A |
Fail A |
Fails all |
A |
Pass B |
Passes all |
B |
Fail B |
Fails all |
B |
Pass C |
Passes all |
C |
Fail C |
Fails all |
C |
Pass A, B |
Passes all |
A, B |
Fail A, B |
Fails all |
A, B |
Pass A, C |
Passes all |
A, C |
Fail A, C |
Fails all |
A, C |
Pass B, C |
Passes all |
B, C |
Fail B, C |
Fails all |
B, C |
Pass A, B, C |
Passes all |
A, B, C |
Fail A, B, C |
Fails all |
A, B, C |
The configuration examples shown in this table do not use a condition of Client fails one or more SHV checks because this type of SHV check does not specify which SHV failed when multiple SHVs are used. A policy design that uses Client fails all SHV checks allows you to create unique troubleshooting URLs for each possible health condition, but the client is not notified of all the health checks that were performed. To provide notifications on the client computer about health requirements for which it is compliant as well as those for which it is found to be noncompliant, you must enable all SHVs in the health policy and use a setting of Client fails one or more SHV checks.