How Host Integrity works

Host Integrity ensures that client computers are protected and compliant with your company's security policies. You use Host Integrity policies to define, enforce, and restore the security of clients to secure enterprise networks and data.
Process for enforcing security compliance on the client computer
Step 1: The client computer runs a Host Integrity check.
The management server downloads the Host Integrity policy to the client computers in the assigned group. The client computers run the Host Integrity check, which compares each computer's configuration with the requirements that you add to the Host Integrity policy.
The Host Integrity policy checks for the existence of antivirus software, patches, hot fixes, and other security requirements. For example, the policy may check whether the latest patches have been applied to the operating system.
Step 2: The Host Integrity check passes or fails
  • If the computer meets all of the policy's requirements, the Host Integrity check passes.
  • If the computer does not meet all of the policy's requirements, the Host Integrity check fails. You can also set up the policy to ignore a failed requirement so that the check passes.
You can also set up peer-to-peer authentication in the Firewall policy, which can grant or block inbound access to the remote computers that have the client installed.
Step 3: Non-compliant computers remediate a failed Host Integrity check (optional)
  • If the Host Integrity check fails, you can configure the client to remediate. To remediate, the client downloads and installs the missing software. In a predefined requirement or a custom requirement, you can configure either the client or the end user to perform the remediation. Host Integrity then rechecks that the client computer installed the software.
  • If the Host Integrity check that verifies remediation still fails, the client applies a Quarantine policy. You can use a Quarantine policy to apply stricter restrictions to the failed computers.
  • While the client is in the Quarantine location, the Host Integrity check continues to run and to try to remediate. The frequency of the check and remediation settings are based on how you configure the Host Integrity policy. Once the client is remediated and passes the Host Integrity check, the client moves out of the Quarantine location automatically.
    In some cases, you may need to remediate the client computer manually.
Step 4: The client continues to monitor compliance
The Host Integrity check actively monitors each client's compliance status. If at any time the client’s compliance status changes, so do the privileges of the computer.
  • If you change a Host Integrity policy, it is downloaded to the client at the next heartbeat. The client then runs a Host Integrity check.
  • If the client switches to a location with a different Host Integrity policy while a Host Integrity check is in progress, the client stops checking. The stop includes any remediation attempts. The user may see a timeout message if a remediation server connection is not available in the new location. When the check is complete, the client discards the results. Then the client immediately runs a new Host Integrity check based on the new policy for the location.
You can view the results of the Host Integrity check in the Compliance log.
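The four steps above describe a small state machine: evaluate requirements, optionally ignore a failed one, let the client remediate and recheck, and quarantine on a persistent failure until a later cycle passes. The following model of that flow is an added example written for this page, not Symantec's code; the requirement names, the host state dictionary and the location names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model of the Host Integrity flow described above (check, optional
# ignore of a failed requirement, client remediation, recheck, quarantine).
# Illustration only; names and structure are assumptions, not Symantec's implementation.
HostState = Dict[str, bool]

@dataclass
class Requirement:
    name: str
    check: Callable[[HostState], bool]                       # True when the host satisfies it
    ignore_failure: bool = False                             # failed requirement still lets the check pass
    remediate: Optional[Callable[[HostState], None]] = None  # client-side fix, if the policy defines one

def run_check(state: HostState, reqs: List[Requirement]) -> Tuple[bool, List[str]]:
    """Steps 1-2: evaluate each requirement; return (passed, names of failed requirements)."""
    failed, blocking = [], []
    for r in reqs:
        if not r.check(state):
            failed.append(r.name)
            if not r.ignore_failure:
                blocking.append(r.name)
    return not blocking, failed

def enforce_cycle(state: HostState, reqs: List[Requirement]) -> str:
    """Step 3: one check/remediate/recheck cycle. Returns the location the client ends in:
    'Normal' when the (re)check passes, 'Quarantine' when it still fails. Calling it again
    from Quarantine models the continued checks, and a pass moves the client out again."""
    passed, failed = run_check(state, reqs)
    if not passed:
        for r in reqs:
            if r.name in failed and r.remediate is not None:
                r.remediate(state)                           # e.g. download and install the missing item
        passed, failed = run_check(state, reqs)              # recheck after remediation
    return "Normal" if passed else "Quarantine"

def set_flag(key: str) -> Callable[[HostState], None]:
    def fix(s: HostState) -> None:
        s[key] = True
    return fix

# Constructed policy: AV is remediable by the client, the OS patch has no client-side
# remediation (manual fix required), the screen-lock requirement is ignored on failure.
POLICY = [
    Requirement("antivirus_installed", lambda s: s.get("antivirus_installed", False),
                remediate=set_flag("antivirus_installed")),
    Requirement("os_patch_applied", lambda s: s.get("os_patch_applied", False)),
    Requirement("screen_lock_enabled", lambda s: s.get("screen_lock_enabled", False),
                ignore_failure=True),
]
```

A host missing only the antivirus passes after remediation; a host missing the patch lands in Quarantine and leaves it on the next cycle once the patch is applied manually.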