Can you rely on MS Network Access Protection?

09.08.2006

2. The DHCP/VPN server or router/switch forwards the health status, as presented by the client, to the Microsoft Network Policy Server, a server built on the RADIUS protocol.

3. The Network Policy Server checks the health status against the criteria that the administrator sets and, based on the results of the check, does one of the following:

-- If the machine does not comply with the IT policy, the client is put into a restricted virtual LAN, is prevented by IPsec rules or by 802.1X wire-level enforcement from talking with healthy machines, or is given a very limited set of routes via DHCP. Regardless of the method of restriction, the unhealthy client can access a few (presumably specially hardened) servers that hold the resources a client needs to fix itself. Steps 1 through 3 are then repeated.

-- If the machine complies with policy, the client is granted full access to the network.

On the client side, system health agents (SHAs) and system health validators (SHVs) are small pieces of code that ensure the checks and validations are made on each individual client machine as necessary, as mentioned in Step 1 above. Windows Vista will include default SHAs and SHVs that can be customized upon its release.
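The three-step flow above, as an added simulation that is not part of the article and not Microsoft's NPS code: a client-reported statement of health is checked against administrator criteria, and the result is either full access or a restriction applied via DHCP routes, a quarantine VLAN, or IPsec/802.1X. The field names, thresholds and remediation-server addresses are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed addresses of the hardened remediation servers an unhealthy client may still reach.
REMEDIATION_SERVERS = ["10.0.99.10", "10.0.99.11"]

@dataclass
class StatementOfHealth:
    """Step 1: what the client's SHAs report about the client (self-reported)."""
    firewall_on: bool
    av_signature_age_days: int
    missing_critical_updates: int

@dataclass
class Policy:
    """Administrator criteria the Network Policy Server checks against."""
    max_av_age_days: int = 7
    max_missing_updates: int = 0

def validate(soh, policy):
    """SHV-style checks; returns the failed criteria (empty list means healthy)."""
    failures = []
    if not soh.firewall_on:
        failures.append("firewall disabled")
    if soh.av_signature_age_days > policy.max_av_age_days:
        failures.append("antivirus signatures stale")
    if soh.missing_critical_updates > policy.max_missing_updates:
        failures.append("critical updates missing")
    return failures

def decide(soh, policy, method="dhcp"):
    """Step 3: full access, or restriction via DHCP routes, a quarantine VLAN, or IPsec/802.1X."""
    failures = validate(soh, policy)
    if not failures:
        return {"compliant": True, "failures": [], "access": "full"}
    result = {"compliant": False, "failures": failures, "access": "restricted"}
    if method == "dhcp":      # only a few routes are handed out
        result["routes"] = REMEDIATION_SERVERS
    elif method == "vlan":    # placed in a restricted VLAN
        result["vlan"] = "quarantine"
    else:                     # ipsec or 802.1x: blocked from talking to healthy machines
        result["allowed_peers"] = REMEDIATION_SERVERS
    return result

def remediation_loop(soh, policy, fix, max_rounds=3):
    """Steps 1-3 repeated: the restricted client applies fixes and re-presents its health."""
    for _ in range(max_rounds):
        decision = decide(soh, policy)
        if decision["compliant"]:
            return decision
        soh = fix(soh)  # client fetches what it needs from the remediation servers
    return decide(soh, policy)
```

Because the statement of health is produced by the client itself, the validator can only judge what the client chooses to report, which is the point the article's title raises.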