Policies have been defined to go to a set of computers with an exclude defined ended up going to computers in the exclude filter.

8.1

There is a very unlikely scenario where during a filter update an excluded computer could fall briefly into a target allowing things to run on computers that should have been excluded.

For example:

• A Maintenance Window policy has a target with the following definition
  • Include all Windows Workstations
  • Exclude a specific location like US or South America

When the Delta Resource Membership Update runs it clears the membership of the filter first then rebuilds it.  If this takes 1 second and a computer that was in the exclude example above checked in, in the middle of that 1 second it could possibly get the policy if the membership cache was out of date and it had to evaluate its applicability again.

NOTE: An updated version of this stored procedure was added to our ITMS 8.5 release.

To resolve this backup the existing stored procedure spResourceTargetDeltaUpdate and execute the attached file against the Symantec_CMDB database to create an updated version that does not clear the membership as the initial step.