Skip to main content

Health Score

The health score provides a single metric (0-100) that summarizes each agent's overall security posture. It combines vulnerability exposure, compliance status, update currency, and network exposure into a weighted score that helps you prioritize remediation efforts.

How the Score Is Calculated

The overall health score is a weighted average of four independent category scores:

CategoryDefault WeightWhat It Measures
Vulnerabilities50%Known CVEs in installed software and OS
Compliance25%Adherence to assigned compliance frameworks
Pending Updates15%Outstanding system and application updates
Network Exposure10%Open ports, firewall state, and attack surface

Each category produces its own score from 0 to 100, and the overall score is the weighted combination:

Overall = (Vulnerability x 0.50) + (Compliance x 0.25) + (Updates x 0.15) + (Network x 0.10)

Weights are configurable per-tenant in Settings > Health Scoring.

Score Ranges

ScoreStatusMeaning
80-100HealthySystem is secure and compliant
60-79Needs AttentionAction required but not critical
0-59CriticalImmediate attention required

Category Scoring Details

Vulnerability Score

Starts at 100 and deducts points based on open vulnerabilities:

FactorPenalty
CISA KEV (Known Exploited Vulnerability)-15 per vulnerability
KEV past its remediation due date-25 additional per overdue KEV
Critical severity (CVSS 9.0-10.0)-10 per vulnerability
High severity (CVSS 7.0-8.9)-5 per vulnerability
Medium severity (CVSS 4.0-6.9)-2 per vulnerability
Low severity (CVSS 0.1-3.9)-0.5 per vulnerability
Fix available but not applied-1 per vulnerability

KEV vulnerabilities and critical CVEs have the largest impact because they represent the highest real-world risk.

Compliance Score

Weighted average of all compliance framework scores assigned to the agent through its tags. If no frameworks are assigned, the score defaults to 100.

Frameworks with critical failures are weighted more heavily. A framework reporting multiple critical failures counts more in the average than one with only minor non-compliance.

Update Score

Starts at 100 and deducts points for pending updates and stale check-in data:

FactorPenalty
Pending Windows/system update-4 per update
Pending application update-2 per update
Software needing updates-1 per package
No update check in 7+ days-5
No update check in 14+ days-10 additional
No update check in 30+ days-20 additional

Agents that have not checked for updates recently receive escalating penalties.

Network Exposure Score

Starts at 100 and deducts points based on exposed ports and firewall state.

If the firewall is disabled, the network score is automatically 0. This reflects the critical importance of having a host firewall active.

When the firewall is enabled, points are deducted per exposed port based on risk level:

Port Risk LevelPenalty
Critical (e.g., Telnet, FTP)-25 per port
High (e.g., RDP, SMB internet-exposed)-15 per port
Medium-5 per port

Port risk is context-aware. A port that is only accessible on localhost or blocked by the firewall has no impact. The same port exposed to the internet is penalized based on the service type.

Viewing Health Scores

Agent Detail Page

Navigate to any agent and select the Health tab to see:

  • Overall score gauge: Circular gauge showing the 0-100 score with status label
  • Category cards: Four cards for Vulnerabilities, Compliance, Updates, and Network, each showing their individual score and key metrics
  • 30-day trend chart: Area chart showing score history with toggleable series for overall and each category
  • Fix These First: A prioritized list of the most impactful remediation actions, ranked by severity. Items link directly to the relevant tab for that agent.
  • History panel: Timeline of score-impacting events over the last 30 days (e.g., "New critical vulnerability detected", "3 pending updates installed")

Fleet Summary

The agent list shows each agent's health score, allowing you to sort and filter by health status. The endpoints table includes a health score column to quickly identify agents that need attention.

Trend Analysis

The system tracks daily health scores for 30 days and calculates a trend:

TrendCondition
ImprovingScore increased by more than 0.5 points over the period
StableScore changed by less than 0.5 points
DecliningScore decreased by more than 0.5 points
NewAgent has less than 7 days of history

Trends require at least 7 days of data to avoid false signals during the initial assessment period.

Configuring Weights

Navigate to Settings > Health Scoring to adjust how much each category contributes to the overall score.

  • Weight sliders: Adjust the weight of each category. Weights automatically balance to total 100%.
  • High-risk port configuration: Define which ports are considered critical, high, or medium risk for the network exposure calculation.

For example, if your organization prioritizes compliance over vulnerability patching, you could increase the Compliance weight and decrease the Vulnerability weight. The default weights reflect a security-first posture where known vulnerabilities carry the most impact.

Prioritized Actions

The "Fix These First" section on the Health tab generates up to 7 actions ranked by impact:

  1. CISA KEV vulnerabilities (sorted by remediation due date)
  2. Critical CVEs without KEV designation
  3. Critical and high-severity compliance failures
  4. High-risk network port exposures

Each action includes a severity indicator and links directly to the relevant section of the agent detail page where you can take corrective action.

Servicing Health

Servicing Health, on the endpoint Health tab, runs pre-flight checks that look at the system state Windows cumulative updates depend on. When one of these checks fails, the next cumulative update will install, reboot, then roll back at 98% with errors like 0x800f0922 and revert to the prior state. The Servicing Health section surfaces the failing check up front so you can fix the underlying cause before triggering an install, instead of troubleshooting the failure afterward.

This section appears on Windows endpoints only. The status badge in the section header summarizes the endpoint's overall readiness:

BadgeMeaning
Ready for updatesAll checks passed. The endpoint is in a state where cumulative updates can install successfully.
Action recommendedOne or more checks returned a warning. The next update may still install, but the warned-on subsystem (for example, free space approaching its threshold) is worth addressing.
Update install blockedOne or more checks returned a critical finding. Cumulative updates that try to install in this state are expected to fail. The fix is shown inline along with the relevant Microsoft KB article.

When everything is healthy, the section displays a single line confirming all checks passed and the timestamp of the most recent measurement. When a check fails, only the failing checks are listed, each with a plain-language summary, the recommended fix, and a link to the Microsoft KB article that documents the supported repair procedure.

Checks performed

CheckWhat it looks atWhy it matters
WinRE Configuration ConsistencyThe reagentc /info output, C:\Windows\System32\Recovery\ReAgent.xml, and the WinRE entry in the Boot Configuration Data store. The check passes when WinRE is disabled, or when WinRE is enabled and the BCD identifier in ReAgent.xml matches what reagentc reports.Cumulative updates refresh winre.wim when WinRE is enabled. When ReAgent.xml references a partition or BCD entry that no longer exists (a common state on long-lived imaged systems), the install reaches the post-reboot commit phase and reverts. The Microsoft-supported reset script in KB5034957 is the standard repair.
EFI System Partition Free SpaceThe total and free bytes on the GPT EFI System Partition (mounted briefly via mountvol).Post-April 2026 cumulative updates ship larger boot files than the legacy 100 MB ESPs common on older Windows 10/11 systems can absorb. The check warns at <100 MB free and flags critical at <50 MB free. Resize procedure is documented in KB5028997.
Recovery Partition SizeThe total size of the partition that holds winre.wim, identified by parsing the WinRE location reported by reagentc /info and looking up the partition with Get-Partition.winre.wim has grown across recent feature updates; recovery partitions sized to the legacy 500 MB no longer fit the current image. The check warns at <750 MB and flags critical at <500 MB. The resize procedure is documented in KB5034957.
CBS Pending OperationsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PendingRequired and RebootPending registry keys, plus C:\Windows\WinSxS\pending.xml.Pending Component-Based Servicing operations from a previous failed update or feature change block subsequent cumulative updates from installing. The check warns when any indicator is present and recommends dism /online /cleanup-image /restorehealth followed by a reboot.
C: Free SpaceThe free bytes on the C: drive (queried directly via Win32 GetDiskFreeSpaceExW).Cumulative updates download and stage content under C:\Windows\SoftwareDistribution and C:\$WinPE_Boot before installing. Recent CUs need 8-10 GB of headroom at peak. The check warns at <20 GB free and flags critical at <10 GB free.
CheckSUR ErrorsThe last 256 KB of C:\Windows\Logs\CBS\CheckSUR.log, counting (f) lines that are not followed by a (fix) line on the next non-blank row.Unrepaired entries in the CheckSUR log strongly correlate with cumulative update failures. The check warns when any unrepaired errors are present and recommends dism /online /cleanup-image /restorehealth and sfc /scannow.

Frequency

Probes run shortly after the agent connects to the server (on agent startup, restart, or reconnect). Findings are stored as the latest known state, one row per check per endpoint, so the section reflects the most recent measurement rather than a history. To re-run probes manually, restart the TridentStack Control agent service on the endpoint.

What to do when a check fails

  1. Read the Fix line on the failing check for a one-sentence summary of the supported repair.
  2. Click the linked Microsoft KB article for the full procedure.
  3. After running the repair on the endpoint, the next probe submission will clear the finding (or, if the issue persists, re-flag it with details that help narrow down the cause).

Dismissing a warning

You can dismiss a specific Servicing Health warning for a single endpoint. A dismissed warning stops counting toward that endpoint's Update Health and is shown as "Exempted".

The warning details, the check, the plain-language summary, the recommended fix, and the Microsoft article link, are selectable text with a "Copy details" action, so you can send them to whoever owns the endpoint.

Dismissing hides the warning from your dashboards; it does not change the endpoint itself, so the endpoint may still defer the update until the underlying issue is resolved. You can restore a dismissed warning at any time.

The same details and Dismiss action are also reachable from the Update Health status on the Endpoints list. Clicking a flagged Update Health status opens the details.