Using Host Integrity

You use Host Integrity policies to define and enforce the security of your devices.
Host Integrity ensures that Windows devices are protected and compliant with your company's security standards.
Host Integrity policies include custom requirements against which the compliance of the device is checked. For example, you can define a requirement to check for the existence of a Windows registry key.
You can also use a Host Integrity policy to push custom scripts to your devices to solve certain issues that are difficult to solve otherwise, for example installing additional software on a device or fixing bugs on the devices.
When you apply a Host Integrity policy to a device or device group, you are required to enter a one-time PIN that is sent to your email address. A PIN is also required if a Host Integrity policy is part of a policy group that is applied to a device or device group.
After you enter the PIN, you can apply Host Integrity policies until the end of your login session. When you sign in next time and want to apply a Host Integrity policy to a device or device group, you will be required to enter a new PIN.
Host Integrity is only supported on Windows devices. The minimum Symantec agent version is SEP 14.3 RU1 MP1.
Step 1: The Host Integrity check runs on the device.
A Host Integrity policy uses the policy requirements to check the device configuration.
The Host Integrity policy checks for the existence of Windows registry keys, patches, hot fixes, or other security conditions. For example, the policy might check whether the latest patches have been applied to the operating system.
Step 2: The Host Integrity check passes or fails.
If the device meets all of the policy's requirements, the Host Integrity check passes.
If the device does not meet all of the policy's requirements, the Host Integrity check fails. You can set up the policy to ignore a failed requirement so that the check passes.
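As an added example that is not part of Symantec's documentation or product code, the PowerShell script below runs locally the kind of checks a Host Integrity requirement describes (a registry key carrying a minimum value, an installed hotfix) and applies an ignore-failure override before reporting pass or fail. The key path, value name, KB number and the exit-code convention are constructed assumptions for illustration, not the Host Integrity policy's actual script interface.

```powershell
# Added example (not Symantec's code): a local compliance check modelled on the
# requirements a Host Integrity policy evaluates. The key path, value name, KB id
# and exit-code convention are constructed assumptions for illustration only.
param(
    [string]$KeyPath   = 'HKLM:\SOFTWARE\ExampleCorp\Baseline',   # assumed key
    [string]$ValueName = 'Version',                                # assumed value
    [int]$MinVersion   = 3,
    [string]$HotFixId  = 'KB0000000',                              # placeholder KB id
    [switch]$IgnoreHotFixFailure    # mirrors "ignore a failed requirement so the check passes"
)

$results = [ordered]@{}

# Requirement 1: the registry key exists and its value meets the minimum version
$key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
if ($null -eq $key) {
    $results['RegistryKey'] = $false
} else {
    $ver = $key.GetValue($ValueName) -as [int]      # $null if missing or not numeric
    $results['RegistryKey'] = ($null -ne $ver -and $ver -ge $MinVersion)
}

# Requirement 2: the expected hotfix is installed
$hf = Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue
$results['HotFix'] = ($null -ne $hf)

# Collect failed requirements, then drop any the policy is configured to ignore
$failed = @($results.GetEnumerator() | Where-Object { -not $_.Value })
if ($IgnoreHotFixFailure) {
    $failed = @($failed | Where-Object { $_.Key -ne 'HotFix' })
}

# Per-requirement report, similar to what an administrator reads in a compliance log
$results.GetEnumerator() | ForEach-Object {
    "{0,-12} {1}" -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}

# Non-zero exit signals a failed check (assumed convention for this example)
if ($failed.Count -gt 0) {
    Write-Output ("Host Integrity check FAILED: " + (($failed | ForEach-Object Key) -join ', '))
    exit 1
}
Write-Output 'Host Integrity check PASSED'
exit 0
```

Run it with `-IgnoreHotFixFailure` to see the override let the check pass while the hotfix line still reports FAIL.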
Devices that fail the Host Integrity check trigger the Quarantine policy targeting rule.
  • The Default Quarantine Firewall Policy is automatically targeted to these devices to restrict them.
  • You can edit that policy to apply more restrictions to the quarantined devices.
While the device uses the Quarantine Firewall policy, the Host Integrity check continues to run on its configured schedule.
After the device passes the Host Integrity check, the device moves out of the Quarantine location automatically and no longer uses the Default Quarantine Firewall policy.
Step 3: Non-compliant computers remediate a failed Host Integrity check (optional)
  • You can configure Host Integrity to download a file to remediate devices that fail the Host Integrity check. To remediate, the device downloads and installs the missing software. Host Integrity then rechecks that the device installed the software.
  • If the Host Integrity check that verifies remediation still fails, a Quarantine policy target rule is automatically applied to the device. You can use the Quarantine policy to apply stricter restrictions to the devices that failed the check.
  • While the device is in the Quarantine location, the Host Integrity check continues to run and to try to remediate. The frequency of the check and remediation settings are based on how you configure the Host Integrity policy. Once the client is remediated and passes the Host Integrity check, the Quarantine policy is no longer targeted to the device. In some cases, you may need to remediate the client computer manually.
Step 4: The Host Integrity check continues to monitor device compliance.
The Host Integrity check actively monitors each device's compliance status. If at any time the compliance status changes, so do the privileges of the device.
  • If you change a Host Integrity policy and apply it to a device, the device then runs a Host Integrity check based on the new policy settings.
  • If a different Host Integrity policy is targeted to the device while a Host Integrity check is in progress, the device stops checking. When the check is complete, the device discards the results. Then the device immediately runs a new Host Integrity check based on the new policy that is targeted.
    When the device stops checking, the stop includes any remediation attempts. The user might see a timeout message if a remediation server connection is not available in the new location.
You can view the results of the Host Integrity check in the Compliance log.