

How to Monitor the System Health Validator Point with Performance Counters for Network Access Protection

Installing the Configuration Manager 2007 System Health Validator point results in the creation of a number of Performance counters for the object Configuration Manager System Health Validator. This allows you to baseline and monitor the following:

  • How often the Configuration Manager System Health Validator point processes statements of health.

  • When a newly installed client hasn't yet downloaded its Configuration Manager NAP policies.

  • How often a statement of health (SoH) is out of date.

  • How often a client is non-compliant with Configuration Manager NAP policies and requires software updates.

  • The number of compliant clients and the number of non-compliant clients.

  • Configuration Manager clients that have the Network Access Protection agent disabled.

  • Failures that occur on either the Configuration Manager client or the System Health Validator point.

These counters can be monitored by the Configuration Manager 2007 Management Pack for Operations Manager 2007, which can also monitor events the SMS_SYSTEM_HEALTH_VALIDATOR writes to the Windows Application event log on the Network Policy Server.

The individual Configuration Manager System Health Validator counters are listed in the following table:

Counter Name Description

Compliance is invalid

Total number of statement of health responses where the client SoH had invalid compliance information.

This condition usually indicates some kind of data corruption between the client and the System Health Validator point.

Compliance information missing

Total number of statement of health responses where the client SoH was missing the compliance information.

This condition occurs when the Network Access Protection client agent is enabled but the computer has not yet downloaded the site Configuration Manager NAP policies. This condition occurs with new clients.

The System Health Validator point will give a client in this condition a health state of compliant so that it can locate its site and management point to download Configuration Manager NAP policies and assess its compliance.

Compliance newer than health state reference

Total number of statement of health responses where the client SoH had compliance information that was newer than the health state reference.

This condition occurs when the client returns a compliance status using Configuration Manager NAP policies that are newer than the site health state reference. The statement of health is considered current.

No ConfigMgr NAP policies

Total number of statement of health responses where the client SoH had compliance information that indicated that no Configuration Manager NAP Policy had been defined yet.

This condition occurs when the Configuration Manager Network Access Protection client agent is enabled but no software updates are marked for NAP evaluation.

Compliance out of date

Total number of statement of health responses where the client was non-compliant because the client compliance information was older than the health state reference.

This condition occurs when the client's compliance information is older than the health state reference.

The System Health Validator point will give a client in this condition a non-compliant health state so that it can download the latest Configuration Manager NAP policies and re-evaluate its compliance.

Compliance matches health state reference

Total number of statement of health responses where the client SoH had compliance information that matched the health state reference and was hence deemed compliant by the Configuration Manager System Health Validator.

This condition occurs when the client's compliance information matches the health state reference. The statement of health is considered current.

Software updates not installed

Total number of statement of health responses where the client was non-compliant because all the required software updates were not installed.

This condition occurs when the client does not have applicable software updates by the Effective Date as defined in the Configuration Manager NAP policies.

The System Health Validator point will give a client in this condition a health state of non-compliant so that it can be remediated to install the software updates required for compliance.

ConfigMgr NAP client agent disabled

Total number of statement of health responses where the client was considered compliant because the Configuration Manager NAP client agent was disabled (or the client had no Configuration Manager NAP Client Agent policy).

This condition occurs under the following circumstances:

  • When the site is enabled for Network Access Protection but the NAP-capable client has not yet downloaded the latest machine policy to enable the new client agent setting.

  • When the System Health Validator point is installed on the site but the Network Access Protection client agent on that site is not enabled for NAP-capable clients.

  • When the site is enabled for Network Access Protection and the Network Access Protection client agent is enabled, but individual clients have a local policy that disables the Network Access Protection client agent or the Windows Network Access Protection service is not running on the client computer.

  • In a roaming scenario where a NAP-capable client from a Configuration Manager site not enabled for Network Access Protection roams into a Configuration Manager site that is enabled for Network Access Protection with a System Health Validator point.

SoH Expired (Absolute Date)

Total number of statement of health responses where the client was non-compliant because the SoH failed the time validation - Date created must be after.

This condition occurs when a client's statement of health is created before the date and time setting Date created must be after, which is configured in the System Health Validator Point Component Properties.

The System Health Validator point will give a client in this condition a health state of non-compliant so that it can be remediated to produce a newer statement of health. The client will be instructed to re-evaluate its statement of health.

SoH Expired (TTL)

Total number of statement of health responses where the client was non-compliant because the SoH failed the time validation - Validity period.

This condition occurs when a client's statement of health is outside the Validity period configured in the System Health Validator Point Component Properties.

The System Health Validator point will give a client in this condition a health state of non-compliant so that it can be remediated to produce a newer statement of health. The client will be instructed to re-evaluate its statement of health.

SoH Requests Total

Total number of statement of health requests received by the Configuration Manager System Health Validator.

SoH Requests/second

Number of statement of health requests received per second by the Configuration Manager System Health Validator.

SoH Response Failures

Number of times an error condition prevented the Configuration Manager System Health Validator from generating a statement of health response.

SoH Response: Client Failures

Total number of statement of health responses where client failures were detected.

This condition occurs when the client is unable to assess its compliance because of an error condition on the client, which is either a component failure or a communication failure.

These failures can result in a health state of compliant or non-compliant, depending on how the Configuration Manager System Health Validator is configured on the Windows Network Policy Server. By default, both client failure categories are configured as non-compliant.

SoH Response: Compliant

Total number of statement of health responses where the client was compliant.

This condition occurs when the client's compliant status is successfully validated by the System Health Validator point because all the following apply:

  • The statement of health is not older than the setting Date created must be after.

  • The statement of health is within the configured Validity period.

  • The client site is valid.

  • The client has used up-to-date Configuration Manager NAP policies.

  • A failure did not occur on either the Configuration Manager client or the System Health Validator point.

SoH Response: Non-compliant

Total number of statement of health responses where the client was non-compliant.

This condition occurs when one of these situations applies:

  • The statement of health is older than the setting Date created must be after.

  • The statement of health is not within the configured Validity period.

  • The client does not have up-to-date Configuration Manager NAP policies.

  • The client has returned a non-compliant status because it does not have applicable software updates by the Effective Date as defined in the Configuration Manager NAP policies.

SoH Response: Server Failure

Total number of statement of health responses where server failures were detected.

This condition occurs when the System Health Validator point is unable to validate a client statement of health because of an error condition on the server, which is either a component failure or communication failure.

These failures can result in a health state of compliant or non-compliant, depending on how the Configuration Manager System Health Validator is configured on the Windows Network Policy Server. By default, both server failure categories are configured as non-compliant.

SoH Response: Unknown

Total number of statement of health responses where the client compliance could not be validated.

This condition occurs when the client's site was not known to the System Health Validator point. This can happen if Active Directory replication has not yet completed for a new Configuration Manager site or if the client is outside its Configuration Manager hierarchy.

This failure can result in a health state of compliant or non-compliant, depending on how the Configuration Manager System Health Validator is configured on the Windows Network Policy Server. By default, this error condition is configured as non-compliant.
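
The following PowerShell sketch is an added example, not part of the original page. It takes two snapshots of the running totals and reports, per interval, how many statements of health fell into the failure categories or were treated as compliant without a software update evaluation (Compliance information missing, ConfigMgr NAP client agent disabled). It assumes the object and counter names are registered exactly as listed on this page and that the counter set has a single instance; the interval and alert threshold are illustrative values.

```powershell
# Added example, not from the original page. Run on the Network Policy Server
# that hosts the System Health Validator point.
# Assumptions: the object and counter names are registered exactly as this page
# lists them, and $intervalSeconds / $alertPercent are illustrative values.
$object          = 'Configuration Manager System Health Validator'
$intervalSeconds = 300
$alertPercent    = 5

# "Compliant without evaluation" and failure counters from the table above.
$watch = 'Compliance information missing',
         'ConfigMgr NAP client agent disabled',
         'SoH Response Failures',
         'SoH Response: Client Failures',
         'SoH Response: Server Failure',
         'SoH Response: Unknown'
$total = 'SoH Requests Total'

# Discover the registered counter paths instead of hard-coding them.
$set   = Get-Counter -ListSet $object -ErrorAction Stop
$paths = $set.Paths | Where-Object { ($watch + $total) -contains ($_ -split '\\')[-1] }

function Get-ShvTotals {
    # One sample per counter, keyed by counter name (hashtable keys are case-insensitive).
    $totals = @{}
    foreach ($s in (Get-Counter -Counter $paths -ErrorAction Stop).CounterSamples) {
        $totals[($s.Path -split '\\')[-1]] = $s.CookedValue
    }
    $totals
}

# The counters are running totals, so compare two snapshots.
$before = Get-ShvTotals
Start-Sleep -Seconds $intervalSeconds
$after  = Get-ShvTotals

$requests = $after[$total] - $before[$total]
foreach ($name in $watch) {
    $delta = $after[$name] - $before[$name]
    $pct   = if ($requests -gt 0) { [math]::Round(100 * $delta / $requests, 1) } else { 0 }
    [pscustomobject]@{
        Counter           = $name
        Delta             = $delta
        PercentOfRequests = $pct
        Alert             = ($pct -ge $alertPercent)
    }
}
```

A sustained rise in ConfigMgr NAP client agent disabled outside a rollout or roaming scenario is worth investigating, because those clients receive a compliant health state without being evaluated.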

See Also

Tasks

How to Configure the System Health Validator Active Directory Domain Services Query Interval
How to Specify the Option 'Date created must be after' for the Statement of Health
How to Specify the Validity Period for the Statement of Health

Concepts

Configuring Failure Categories for Configuration Manager Network Access Protection
About NAP Health State References in Network Access Protection
System Health Validator Point: Validation Process for Network Access Protection