search cancel

Computers getting policies they were not defined to get


Article ID: 173014


Updated On:


IT Management Suite


Policies have been defined to go to a set of computers with an exclude defined ended up going to computers in the exclude filter.




There is a very unlikely scenario where during a filter update an excluded computer could fall briefly into a target allowing things to run on computers that should have been excluded.

For example:

  • A Maintenance Window policy has a target with the following definition
    • Include all Windows Workstations
    • Exclude a specific location like US or South America

When the Delta Resource Membership Update runs it clears the membership of the filter first then rebuilds it.  If this takes 1 second and a computer that was in the exclude example above checked in, in the middle of that 1 second it could possibly get the policy if the membership cache was out of date and it had to evaluate its applicability again.

NOTE: An updated version of this stored procedure was added to our ITMS 8.5 release.



To resolve this backup the existing stored procedure spResourceTargetDeltaUpdate and execute the attached file against the Symantec_CMDB database to create an updated version that does not clear the membership as the initial step.



spResourceTargetDeltaUpdate_New.sql get_app