diff --git a/feature/posture/posture.go b/feature/posture/posture.go
index d8db1ac19..0c60d38b0 100644
--- a/feature/posture/posture.go
+++ b/feature/posture/posture.go
@@ -8,8 +8,10 @@ package posture
 
 import (
 	"encoding/json"
+	"fmt"
 	"net/http"
 
+	"tailscale.com/health"
 	"tailscale.com/ipn/ipnext"
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/posture"
@@ -25,6 +27,15 @@ func init() {
 	ipnlocal.RegisterC2N("GET /posture/identity", handleC2NPostureIdentityGet)
 }
 
+var postureSerialWarnable = health.Register(&health.Warnable{
+	Code:     "posture-checking-serial-collection-failed",
+	Title:    "Device Posture: serial number collection failed",
+	Severity: health.SeverityMedium,
+	Text: func(args health.Args) string {
+		return fmt.Sprintf("Could not collect device serial numbers for posture checking. (%v)", args[health.ArgError])
+	},
+})
+
 func newExtension(logf logger.Logf, b ipnext.SafeBackend) (ipnext.Extension, error) {
 	e := &extension{
 		logf: logger.WithPrefix(logf, "posture: "),
@@ -73,6 +84,9 @@ func handleC2NPostureIdentityGet(b *ipnlocal.LocalBackend, w http.ResponseWriter
 		res.SerialNumbers, err = posture.GetSerialNumbers(b.PolicyClient(), e.logf)
 		if err != nil {
 			e.logf("c2n: GetSerialNumbers returned error: %v", err)
+			b.HealthTracker().SetUnhealthy(postureSerialWarnable, health.Args{health.ArgError: err.Error()})
+		} else {
+			b.HealthTracker().SetHealthy(postureSerialWarnable)
 		}
 
 		// TODO(tailscale/corp#21371, 2024-07-10): once this has landed in a stable release
diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index 3ca4ab0e9..654a78e24 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -4212,6 +4212,8 @@ func (b *LocalBackend) CurrentUserForTest() (ipn.WindowsUserID, ipnauth.Actor) {
 	return b.pm.CurrentUserID(), b.currentUser
 }
 
+// CheckPrefs validates the provided user modifiable settings for correctness
+// and returns an error if they are invalid for the current backend.
 func (b *LocalBackend) CheckPrefs(p *ipn.Prefs) error {
 	b.mu.Lock()
 	defer b.mu.Unlock()
diff --git a/posture/serialnumber_stub.go b/posture/serialnumber_stub.go
index e040aacfb..6df9b4079 100644
--- a/posture/serialnumber_stub.go
+++ b/posture/serialnumber_stub.go
@@ -12,6 +12,7 @@ package posture
 
 import (
 	"errors"
+	"fmt"
 
 	"tailscale.com/types/logger"
 	"tailscale.com/util/syspolicy/policyclient"
@@ -19,5 +20,5 @@ import (
 
 // GetSerialNumber returns client machine serial number(s).
 func GetSerialNumbers(polc policyclient.Client, _ logger.Logf) ([]string, error) {
-	return nil, errors.New("not implemented")
+	return nil, fmt.Errorf("not implemented: %w", errors.ErrUnsupported)
 }