Kaseya Community

Policy - Out of Compliance

  • Since upgrading to 6.3, I have noticed that almost every day, over 80% of my machines inside of Kaseya go out of compliance. I'd like to figure out how to track down what is causing it to go out of compliance. Could someone point me in the right direction on how to troubleshoot these types of issues?

  • I'm surprised you're having the issue since 6.3; it's always been an issue for me and has largely defeated the point of policy management.

    You can use this SQL to tell you all the machines and policies that are out of compliance:

    SELECT TOP 1000 [partitionId]
    ,[agentGuid]
    ,[policyFK]
    ,[policyStatusCode]
    ,[policyStatus]
    FROM [ksubscribers].[policy].[VpolicyAgentStatus]
    WHERE policyStatusCode <> 5
    
    
    I really haven't looked into why policies haven't been going out. I've logged some billion Kaseya tickets around the issue and no one has been able to resolve it or even understand the problem. I have spent SIGNIFICANT time trying to automate the clear overrides, which solves my problem.

    What I did was create a SQL Server Agent job to run an hour after I run my compliance check. My SQL then clears the overrides and everything is back in compliance for the next day.
    
    

    -- Variables that hold the current cursor row
    DECLARE @Agentguid varchar(50)
    DECLARE @policyObjectTypeFK varchar(5)

    USE ksubscribers

    -- Every agent / policy object type whose status is not 5
    DECLARE curCounters CURSOR FOR
        SELECT policy.policyObjectAgentStatus.agentGuid, policy.policyObjectAgentStatus.policyObjectTypeFK
        FROM policy.policyObjectAgentStatus
        WHERE policy.policyObjectAgentStatus.policyObjectStatus <> 5

    OPEN curCounters
    FETCH NEXT FROM curCounters INTO @Agentguid, @policyObjectTypeFK;

    WHILE @@FETCH_STATUS = 0
    BEGIN
        --print @Agentguid
        --print @policyObjectTypeFK;

        -- Remove the override for this agent and object type (partition 1 is hard-coded)
        EXEC [policy].[agentPolicyObjectOverrideRemove] @partitionId = 1, @agentGuid = @Agentguid, @policyObjectTypeFK = @policyObjectTypeFK

        FETCH NEXT FROM curCounters INTO @Agentguid, @policyObjectTypeFK;
    END

    CLOSE curCounters
    DEALLOCATE curCounters
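
An added example, not part of the post above and not Kaseya's own code: a triage step to run before the overrides are cleared, showing which policies and object types account for the out-of-compliance rows and keeping a dated record so repeat offenders can be found. It uses only the tables and columns named in the post and assumes that status 5 means in compliance, that an `AdminAudit` database exists, and a hypothetical table `policyOverrideAudit` in it.

```sql
-- Added example. Objects and columns are the ones named in the post;
-- status 5 is assumed to mean "in compliance", as the post's filters imply.
USE ksubscribers;

-- 1. Which policies account for the most out-of-compliance agents?
SELECT   s.policyFK, s.policyStatusCode,
         COUNT(DISTINCT s.agentGuid) AS agentCount
FROM     [policy].[VpolicyAgentStatus] AS s
WHERE    s.policyStatusCode <> 5
GROUP BY s.policyFK, s.policyStatusCode
ORDER BY agentCount DESC;

-- 2. Which policy object types are affected, and on how many agents?
SELECT   o.policyObjectTypeFK, o.policyObjectStatus,
         COUNT(DISTINCT o.agentGuid) AS agentCount
FROM     [policy].[policyObjectAgentStatus] AS o
WHERE    o.policyObjectStatus <> 5
GROUP BY o.policyObjectTypeFK, o.policyObjectStatus
ORDER BY agentCount DESC;

-- 3. Record what the cleanup job is about to clear. AdminAudit and
--    policyOverrideAudit are hypothetical names; the column types follow the
--    varchar variables declared in the post's script (assumption).
IF OBJECT_ID('AdminAudit.dbo.policyOverrideAudit') IS NULL
    CREATE TABLE AdminAudit.dbo.policyOverrideAudit (
        capturedAt         datetime    NOT NULL,
        agentGuid          varchar(50) NOT NULL,
        policyObjectTypeFK varchar(5)  NOT NULL,
        policyObjectStatus varchar(20) NULL
    );

INSERT INTO AdminAudit.dbo.policyOverrideAudit
        (capturedAt, agentGuid, policyObjectTypeFK, policyObjectStatus)
SELECT  GETDATE(), o.agentGuid, o.policyObjectTypeFK, o.policyObjectStatus
FROM    [policy].[policyObjectAgentStatus] AS o
WHERE   o.policyObjectStatus <> 5;

-- 4. Agents and object types that reappear on several days are the ones to
--    investigate rather than clear again.
SELECT   a.agentGuid, a.policyObjectTypeFK,
         COUNT(DISTINCT CONVERT(char(8), a.capturedAt, 112)) AS daysSeen
FROM     AdminAudit.dbo.policyOverrideAudit AS a
GROUP BY a.agentGuid, a.policyObjectTypeFK
HAVING   COUNT(DISTINCT CONVERT(char(8), a.capturedAt, 112)) > 1
ORDER BY daysSeen DESC;
```

Scheduling steps 1 to 3 ahead of the cleanup job keeps a history that the cleanup would otherwise erase each night.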

    
    
     
  • Surprisingly I had 0 issues in 6.2. It's really odd, as I didn't make many changes to my policies, but I would definitely like to understand what it is that causes it to be out of compliance, so I could fix the problem. Right now I'm doing something similar but manually (going in each day and clearing the overrides).

  • Actually, looking into it I think the issue might be caused by the following scenario.

    I have a policy that schedules an agent procedure that runs once an hour across my network.  This procedure basically checks a bunch of things, and if it finds something that isn't normal, it takes corrective action.  What I've noticed since I posted the message is I now have 6 machines out of policy.  Every single one of them had something out of the ordinary, and action was taken.

    I recently re-wrote the procedure so that it wasn't hard coded (instead of having the same code in multiple places, I optimized it by placing it in its own procedure), and instead it calls other procedures via the executeProcedure call. I'm actually thinking this is causing the problem. I might try re-writing it again to not call the other procedure and see if that fixes it, as that was the major change I made.

  • Grumple,

    We have the same issue in one of our policies: some or almost all agents go out of compliance sometimes.

    We always see that inside the agents that are out of compliance the procedures have an override?!

    We just started tracking the issue, so no findings yet. Please keep this topic updated with your findings.

  • I have just investigated this issue in our system where every night the same agents and the same policies are out of compliance.

    In my case the issue is that I have two policies applying the same setting, e.g. I have policy A applying event set 1 and I have policy B also applying event set 1 to the same machine.

    It would seem that policy A gets applied, then policy B, and policy B puts policy A out of compliance.

    I think this behavior is silly but this seems to be how it works.

  • After escalating our issues with support, this is where we ended up:

    Some design changes were made in 6.3 policy management: agents were marked "out of compliance" when an agent procedure was manually run on the agent.

    They recognised that the design is not good and, as such, it is reverted in a hotfix.

  • Bsis, was that hotfix already released, or is it in a future release? We're having the same issue as well.

  • Elliot,

    The hotfix was placed manually on our system by Support.

    I guess it will follow quickly to general release.

    Or refer your support tickets to ours: CS152276 & CS153970

  • I have been working with tech support for 6 weeks on this. There have been 2 hotfixes for this so far... only one hotfix per ticket allowed so there should be at least one more.

    I helped identify 3 settings for workstations that were always out of compliance. This was fixed with the first 2 related hotfixes. (CS143685,147095)

    The next issue was the servers had one setting that always appeared to be out of compliance. This was fixed with the last related hotfix. (CS152949)

    The current issue is that although the icon indicates servers out of compliance, you can view the details and they indicate it is compliant. So which is right? Read on.

    I think it is important to note that despite the out of compliance indications, the policy settings were always applied correctly. This appears to be just a problem coding the compliance checking algorithms.

    I have spent a lot of time with tech support to resolve this and we're getting close. They have been extremely busy. I call twice a day to check on progress and give feedback when the hotfix comes out. The problem for me has been that by the time I give them the feedback, usually within 24 hours, the tech working on it moves on to another task. It takes a couple of days to get the newly assigned tech up to speed.

    That said, we have to remember that the techs don't use the software like we do. They work on little bits of the whole and do not always know how the bits go together.

    I just checked on my applied hotfixes and there are at least a couple of thousand that have been applied this year - they've been busy!

    I'll try to update this thread when I know we can count on the compliance reporting.

  • I just can't win. As of today, my server has started to mark every single "Alert" policy as the reason it's causing all my machines to be "out of compliance." And since I have several alerts set up on all machines, they're now all out of compliance, and I can't clear it. Any ideas what might cause this?

  • What do you mean you have several alerts set up on your machines?

  • For example, I have a policy that sets an alert to notify via e-mail when any machine has a disk that reaches below 25%, I have another alert set to notify when any machine has been offline in Kaseya for 24 hours, etc. (some of these are set globally, some are set for a specific group of machines). But according to policy management, they're all out of compliance, and when I hover over a machine, it says the alerts are the reason.

  • I'm having the exact same problem. 72+ hours ago machines that were completely in compliance are now suddenly out of compliance due to "Alerts" in a generic server policy I have set.

    I'm on the SaaS Kaseya Platform. Is anyone getting anywhere with their support? I find the support is typically atrocious.

  • Here same problem. Applied one policy with one alert and still out of compliance (agent status). If I look at monitor -> alerts I don't see the agent status setting added.

    At this moment we can't trust our policies.