Health Check
Health Check is the Salesforce Setup feature that grades an org's security configuration against a baseline of recommended settings and produces a numeric score from 0 to 100.
Definition
The score reflects how many of the platform's security settings (password policies, session settings, certificate management, network access, sharing rules, login flow controls) align with the Salesforce-recommended Standard Baseline. A score above 80 percent is healthy. A score below 50 percent indicates significant misconfiguration. The page lives at Setup, Security, Health Check.
Health Check is not an audit log or a forensics tool. It is a configuration assessment. The platform compares the current org settings against the baseline, flags each setting as Compliant, At Risk, or High Risk based on its deviation, and surfaces a Fix Risks button for each. Admins can also import Custom Baselines for industry-specific frameworks (NIST CSF, HIPAA, PCI DSS), giving compliance-driven organizations a more tailored target than the Salesforce default. The score is a single-number snapshot of the org's security posture.
How Health Check scores Salesforce security configuration
What Health Check actually measures
Health Check evaluates around 60 specific settings spread across six categories:
- Password Policies (minimum length, complexity, lockout threshold, expiration interval)
- Session Settings (timeout, force logout, IP locking, MFA enforcement)
- Network Access (login IP ranges, trusted IP ranges, restrict to specified IPs)
- Certificate and Key Management (key sizes, valid certificates)
- Sharing Settings (org-wide defaults, sharing rule effectiveness)
- Login Behaviors (MFA enrollment, identity verification methods)
Each setting has a baseline value and a current value. The deviation between them drives the score.
How the score is calculated
The score is not a simple percentage. Each setting in the baseline has a weight reflecting its security importance. A misconfiguration on Require MFA carries more weight than a misconfiguration on Password Expiration Length. The platform sums the weighted deviations and produces a 0 to 100 score. Compliant settings score 100 percent. At Risk settings score 50 percent. High Risk settings score 0 percent. The total is what appears at the top of the page. Salesforce does not publish the exact weights, but the relative impact is observable: fixing a High Risk MFA setting moves the score more than fixing five At Risk password settings.
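The scoring rule above, worked through in an added Python model that is not Salesforce's code: the ten settings and their weights are constructed assumptions (Salesforce does not publish the weights). It applies the Compliant/At Risk/High Risk credits, derives the per-category breakdown, compares the gain from fixing one High Risk MFA setting against fixing five At Risk password settings, and shows the score dropping when a baseline update reclassifies a setting with no org-side change.

```python
from dataclasses import dataclass, replace

# Credit per status exactly as the text describes it.
STATUS_CREDIT = {"Compliant": 1.0, "At Risk": 0.5, "High Risk": 0.0}

@dataclass(frozen=True)
class Setting:
    name: str
    category: str
    weight: float  # assumed relative importance; Salesforce does not publish weights
    status: str    # "Compliant", "At Risk" or "High Risk"

def score(settings):
    """Weighted 0-100 score: earned credit divided by total weight."""
    total = sum(s.weight for s in settings)
    earned = sum(s.weight * STATUS_CREDIT[s.status] for s in settings)
    return round(100 * earned / total, 1)

def category_scores(settings):
    """Per-category sub-scores, lowest first, to decide where to remediate."""
    by_cat = {}
    for s in settings:
        by_cat.setdefault(s.category, []).append(s)
    return sorted(((c, score(v)) for c, v in by_cat.items()), key=lambda p: p[1])

def with_status(settings, changes):
    """Copy with named settings reclassified: a Fix Risks save, or a Standard
    Baseline update that tightens a target with no org-side change."""
    return [replace(s, status=changes.get(s.name, s.status)) for s in settings]

def remediation_impact(settings, names):
    """Score gain from moving the named settings to Compliant via Fix Risks."""
    fixed = with_status(settings, {n: "Compliant" for n in names})
    return round(score(fixed) - score(settings), 1)

# Constructed org (not real data): one High Risk MFA setting, five At Risk password settings.
ORG = [
    Setting("Require MFA", "Login Behaviors", 10, "High Risk"),
    Setting("Session Timeout", "Session Settings", 4, "At Risk"),
    Setting("Lock Sessions to IP", "Session Settings", 3, "Compliant"),
    Setting("Login IP Ranges", "Network Access", 3, "Compliant"),
    Setting("Certificate Key Size", "Certificate Management", 2, "Compliant"),
] + [Setting(n, "Password Policies", 1, "At Risk")
     for n in ("Minimum Length", "Complexity", "Lockout", "Expiration", "History")]
PASSWORD_SETTINGS = [s.name for s in ORG if s.category == "Password Policies"]

if __name__ == "__main__":
    print("score", score(ORG), "lowest categories", category_scores(ORG)[:2])
    print("fix MFA", remediation_impact(ORG, ["Require MFA"]), "fix 5 password", remediation_impact(ORG, PASSWORD_SETTINGS))
    print("after tightened baseline", score(with_status(ORG, {"Lock Sessions to IP": "At Risk"})))
```

With these assumed weights, fixing the single MFA setting lifts the score by 37 points while fixing all five password settings lifts it by about 9, which is the relative effect the text describes.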
Standard Baseline vs Custom Baselines
The Standard Baseline is the Salesforce-recommended default, updated periodically as security best practices evolve. Custom Baselines let an admin import an XML definition that overrides the standard with industry-specific targets. NIST CSF, HIPAA, PCI DSS, FedRAMP, and the CIS Controls all have community-maintained baselines that compliance-heavy orgs import. The Custom Baseline file format is XML and documented in the Health Check developer guide. Most orgs start with the Standard Baseline and switch to a Custom Baseline only when a specific compliance regime requires it.
Fix Risks: the one-click remediation
Each At Risk and High Risk setting has a Fix Risks link. Clicking it opens the setting page with the baseline-recommended value preselected. The admin reviews, confirms, and saves. The change applies immediately. The simplicity is the feature: Health Check removes the "where is this setting" friction by surfacing the path and the recommended value in one place. Most admins can move a baseline-divergent org from a 60 percent score to a 90 percent score in 30 minutes of clicking through Fix Risks.
Limits of Health Check
Health Check measures configuration, not behavior. It tells you the password expiration policy is set to 90 days but does not tell you whether users actually rotate their passwords. It tells you MFA is enabled but does not tell you whether every user has enrolled an MFA method. It tells you the network access settings include Trusted IP Ranges but does not check whether the ranges are still valid. For the operational reality of the security posture, you need Login History, Setup Audit Trail, Event Monitoring, and direct user-by-user spot checks. Health Check is the first pass, not the only pass.
Score history and tracking improvement
Salesforce records the Health Check score over time. The score history graph on the page shows the trend across the last 12 months. This is the data point compliance officers ask for in audits: "Show the score progression". Quarter-over-quarter improvements are easy to show. A drop in the score after a release is a signal that Salesforce has tightened the Standard Baseline and the org's existing settings now lag. The history is also useful internally for tracking remediation work across releases.
Health Check and the broader Salesforce security stack
Health Check sits alongside three other security surfaces. Trust Center (trust.salesforce.com) shows the platform's own uptime and incident history. Security Center (a paid product) aggregates security telemetry across multiple orgs. Event Monitoring (a paid add-on) captures fine-grained event data. Health Check is the free, in-Setup configuration scorecard. The four together form the recommended security operations posture. Most orgs that take security seriously use all four, with Health Check as the daily-driver tool for configuration drift detection.
Running Health Check and remediating risks
Running Health Check is straightforward: open the page, read the score, and click Fix Risks on the settings that diverge from the baseline. The work is on the consumption and remediation side. Run it quarterly at minimum, monthly for compliance-heavy orgs.
- Open Health Check
In Setup, type Health Check into Quick Find and click the link under Security. The page renders the current score, the baseline comparison, and the list of At Risk and High Risk settings.
- Review the score and the category breakdown
The top of the page shows the overall score. Below it, the score is broken down by category. Identify the lowest-scoring categories: Password Policies, Session Settings, Network Access. Focus remediation there.
- Click Fix Risks on a High Risk setting
Each High Risk setting has a Fix Risks link. Clicking opens the relevant Setup page with the baseline-recommended value highlighted. Review the recommended value, accept or adjust, save.
- Verify the score impact
After saving, return to Health Check. The score updates within a minute. Confirm the setting moved from High Risk to Compliant. If it did not, the saved value does not match the baseline target; re-check.
- Import a Custom Baseline if needed
For compliance-specific targets (HIPAA, PCI DSS), click Import Custom Baseline at the top of the page. Upload the XML file. Switch the active baseline to the custom one. The score recalculates against the new targets.
- Schedule a recurring review
Set a recurring Outlook or Google Calendar reminder for monthly or quarterly Health Check reviews. Salesforce updates the Standard Baseline with each release, so a previously 95 percent org can drift to 85 percent without any settings changing on the org side.
- Standard Baseline: The Salesforce-recommended default set of security settings. Updated each major release. Most orgs use this baseline.
- Custom Baseline: Org-imported XML definition that overrides the standard. Used for industry-specific compliance frameworks (HIPAA, PCI DSS, NIST CSF).
- Fix Risks: One-click remediation that opens the divergent setting with the baseline value highlighted. Streamlines remediation work.
- Score history: Trend chart showing the Health Check score across the last 12 months. Used in compliance audits and quarterly security reviews.
- Category breakdown: Per-category sub-score: Password Policies, Session Settings, Network Access, Certificate Management, Sharing Settings, Login Behaviors.
- The Standard Baseline updates each Salesforce release. A previously 95 percent score can drop to 85 percent without any org-side setting changes. Re-review after each release.
- Health Check measures configuration, not behavior. A high score on MFA does not guarantee every user has enrolled MFA. Cross-check with the MFA enrollment report.
- Custom Baselines require an XML file in the documented format. Importing an invalid file silently fails. Validate against the Salesforce-published schema before uploading.
- Fix Risks does not always pick the most secure value. It picks the baseline-recommended value, which may not be the strictest possible setting. Compliance-driven orgs often go beyond the baseline.
- The score is a snapshot. It does not track whether a setting was loosened temporarily and then re-tightened. Use Setup Audit Trail to confirm temporal changes around the score.
Trust & references
Straight from the source - Salesforce's reference material on Health Check.
- Salesforce Health Check (Salesforce Help)
- Create a Custom Baseline for Health Check (Salesforce Help)
- How Health Check is Calculated (Salesforce Help)
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals.
Test your knowledge
Q1. Why is understanding Health Check important for Salesforce admins?
Q2. In which area of Salesforce would you typically find Health Check?
Q3. What is the primary benefit of Health Check for Salesforce administrators?