You can configure Host Checker to re-check as needed. This setting is configured on the Host Checker Tab in Endpoint Security. You can also enable "Dynamic Policy Re-evaluation". This will refresh the roles after the Host Checker policy completes. For example, user A fails the HC Policy at logon because there AV is out-of-date. However, they get mapped to a more restrictive role and you permit access. While they're logged in, their AV is updated. Since you have "Perform check every" 10 minutes configured, the HC Policy will run again, and this time the user passes the HC policy. You also have the "Dynamic Policy Re-evaluation" enabled, so the HC Policy role is refreshed and new resources mapped.
Does this help?
John Judge JNCIS-SEC, JNCIS-ENT,
If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.