As a side note, HI policies work fine entirely independently of the other SEP policies, but they can be used in combination with them.
Assignment of HI Policies to a group, adds a "Quarantine" location to it. Clients that fail the HI check in the HI Policy will use policies in this "Quarantine" location instead, meaning you can apply more stringent security to those machines that fail their HI checks.
The most common action we see, is for admins to apply a more secure FW policy to clients when they fail their HI checks. So you're missing a beat by not having the FW installed (but you can still make sure everything else is more secure).