Proper way to Reset Machine Policy

Steve Carneol 26 Reputation points
2022-01-14T19:22:31.787+00:00

When it comes to resetting the Machine Policy, there are lots of articles that explain how to do it, yet none of them do a very good job of explaining the process, plus many of them have conflicting information, especially when it comes to the order in which to trigger the various codes (TriggerSchedule). Let's start with the first thing that everyone seems to agree on, and that is resetting the policy on the client using the ResetPolicy Method. There are two ways of resetting the policy:

| Value | Description |
|-------|-------------|
| 0 | The next policy request will be for a full policy instead of the change in policy since the last policy request. |
| 1 | The existing policy will be purged completely. |

I find using Value=1 does a better job of resetting the machine policy but I find others use 0 in their Right Click Tools. Verdict still out on which one to use.
Next we use the TriggerSchedule Method to perform a couple of Machine Policy Actions just like we have in the ConfigMgr Control Panel applet and RCT's.
There are 3 trigger codes that I consistently find in various scripts and tools but are issued in different orders. They are:

Machine Policy Assignments Request {00000000-0000-0000-0000-000000000021}
Machine Policy Evaluation {00000000-0000-0000-0000-000000000022}
Machine Policy Agent Cleanup {00000000-0000-0000-0000-000000000040}

All of the scripts and RCT's trigger the Machine Policy Assignments Request {00000000-0000-0000-0000-000000000021} before a Machine Policy Evaluation {00000000-0000-0000-0000-000000000022} but the real question is, when to run the Machine Policy Agent Cleanup {00000000-0000-0000-0000-000000000040}? Some scripts and tools do it before the Request and Evaluation while others do it after. One would assume doing the Cleanup at the end but there are some very popular tools like the Recast RCT's and other scripts from MVP's that perform the Cleanup first.

Initiating a machine policy refresh and evaluation...
PSCode Information: 0 : ([wmiclass]'ROOT\ccm:SMS_Client').ResetPolicy(0)
PSCode Information: 0 : ([wmiclass]'ROOT\ccm:SMS_Client').TriggerSchedule('{00000000-0000-0000-0000-000000000040}')
PSCode Information: 0 : ([wmiclass]'ROOT\ccm:SMS_Client').TriggerSchedule('{00000000-0000-0000-0000-000000000021}')

Perhaps the order doesn't matter so I will stop here and wait for others to comment.


1 answer

  1. AllenLiu-MSFT 49,311 Reputation points Microsoft External Staff
    2022-01-17T08:54:48.243+00:00

    Hi, @Steve Carneol
    Thank you for posting in Microsoft Q&A forum.

    In fact, the order doesn't matter for the three machine policy actions.

    Machine Policy Assignment Request downloads the applicable policy, merges it into WMI, and also kicks off an evaluation of that policy (this is identical to using the control panel applet).

    Machine Policy Evaluation just looks through the existing policy already on a system in WMI and acts accordingly.

    The reason for two separate actions is because there are other ways to deliver policies to clients than from the MP so we need a way to re-evaluate what's in WMI.

    Machine Policy Agent Cleanup cleans up all the policy in WMI.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
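
One way to script the sequence discussed in this thread, as an added example that is not code from either poster or from any of the tools mentioned. The function name `Reset-MachinePolicy` and its parameters are hypothetical; the method argument names `uFlags` and `sScheduleID` come from the SMS_Client WMI class definition, not from this page, and placing the optional cleanup last is an assumption (the answer above states the order does not matter).

```powershell
# Added example. Run in an elevated session on a Configuration Manager client.
function Reset-MachinePolicy {
    [CmdletBinding()]
    param(
        # 0 = next request is for a full policy; 1 = purge the existing policy
        [ValidateRange(0, 1)][uint32]$ResetFlag = 0,
        # Also trigger Machine Policy Agent Cleanup (placed last here by assumption)
        [switch]$IncludeCleanup
    )

    $ns = 'root\ccm'
    # Fail early with a clear message if the client WMI provider is not present
    try { $null = Get-CimClass -Namespace $ns -ClassName SMS_Client -ErrorAction Stop }
    catch { throw "SMS_Client not found in $ns; is the ConfigMgr client installed? $_" }

    # Schedule IDs exactly as listed in the question
    $actions = [ordered]@{
        'Machine Policy Assignments Request' = '{00000000-0000-0000-0000-000000000021}'
        'Machine Policy Evaluation'          = '{00000000-0000-0000-0000-000000000022}'
    }
    if ($IncludeCleanup) {
        $actions['Machine Policy Agent Cleanup'] = '{00000000-0000-0000-0000-000000000040}'
    }

    # Step 1: reset policy with the chosen flag
    Invoke-CimMethod -Namespace $ns -ClassName SMS_Client -MethodName ResetPolicy `
        -Arguments @{ uFlags = $ResetFlag } -ErrorAction Stop | Out-Null
    [pscustomobject]@{ Step = "ResetPolicy($ResetFlag)"; ScheduleId = $null; Status = 'Invoked' }

    # Step 2: trigger each schedule, reporting failures per action instead of aborting
    foreach ($name in $actions.Keys) {
        $status = 'Triggered'
        try {
            Invoke-CimMethod -Namespace $ns -ClassName SMS_Client -MethodName TriggerSchedule `
                -Arguments @{ sScheduleID = $actions[$name] } -ErrorAction Stop | Out-Null
        }
        catch { $status = "Failed: $($_.Exception.Message)" }
        [pscustomobject]@{ Step = $name; ScheduleId = $actions[$name]; Status = $status }
    }
}

# Example call: purge existing policy, then request and evaluate
Reset-MachinePolicy -ResetFlag 1 | Format-Table -AutoSize
```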


