I use two primary hostcheck rules:  One checks for McAfee VS anti-virus version, and the other checks the issuer name of the machine certificate on Windows computers.  We use Windows Certificate Auto-enroll for computers, and check this certificate for both Wireless EAP-TLS and on the IVE for proving domain membership of computers.

They are enforced on a role, but must be evaluated on the realm, of course.

To avoid issues with hostchecker and realms with Mac and Linux and hotel kiosks, we check custom user agent string values in realm resrictions since this doesn't kick off Hostcheck which will lockup machines not supporting it.  (These are pushed to users using Group Policy)  

-=Dan=-

We use host checker policies to verify if the remote computer has certain Reg. entries. If they have these policy supplied reg. entries, then we allow the user to have access to the Network Connect option at the welcome page.

Other wise, they just are granted access to the book marks.

We're using Host Checker to assure that the clients (mostly from suppliers that do remote maintenance on production machines) are equipped with a virus scanner nd also have the latest Virus signatures and Windows Service Packs installed before Network Access is allowed.

We had no luck with the ckeck for individual Windows Patches (6.2R4, ESAP 1.4.7), Windows clients for which the chosen Patches were not applicable (due to another Windows Version), had also been blocked.

In our case we already have Systems Center doing remediation on the remote laptops. The only systems we allow NC are company laptops. If people connect from a non-company resource I simply don't let them NC. Instead I push them towards one of our VDI solutions (or towards Citrix if they annoy me).

Mathias if you dont mine me asking how is your av host checker policy setup? client specific or vendor? also any issues with setting the number of updates vs the days option that we had in the past?

We separated Win- and AV-HostChecker Policy. The AV-HC-Policy is divided into several rules, but those are mainly used to group the AV-Clients from the different vendors, so this serves mainly an organizational purpose. We select single products, not Vendors, so we can be sure that a halfway actual Virus scanner is used. I someone uses a virus scanner that we did not pick yet, we add it most of the time. Exceptions are outdated Scanners and those not supported by the IVE. We allow a grace period of up to 3 updates, depending on how often a vendor publishes AV-Patterns. We do not use the X days option anymore.