Is anyone else getting this issue:
1. I deploy Kaseya agent on a machine. The agent gets all the policies from the group it goes into.
2. I change the group of this agent. I do ClearOverride + Reprocess policies on the agent
3. After all is done, the agent still has several policies that were linked to the previous group, but not to the second group.
I have triple checked and none of the policies in question should normally get to this agent. If I deploy the Kaseya Agent with the correct installer for the second group, the agent does receive the correct policies, so this is clearly an issues with policies from the previous group sticking with the agent after it was moved. I am running the latest 220.127.116.11 on premise VSA.
I also had this issue and opened a ticket for it about 2-3 months ago. I thought there was a bug as I don't remember policy management working like this.
I was told this is normal and that old policies may or may not clear until the "View Compliance" event runs. You should see this under Policy Management>Summary>Logs.
I have found it can take several hours for the old policies to be removed. It always ends up showing only the correct policies applied. It just now takes longer than before for some reason.
We've minimized this issue with the following settings in Policy Management / Configure / Settings:
Deployment Interval - 15 minutes
Compliance Check - every 1 day(s) within 240 minutes of 08:00...
We have a procedure that runs between 4-5am to detect group changes and potentially block or unblock policies. The compliance check at 8am
Our MSP practice has just over 2500 endpoints - smaller practices can increase the compliance check cycle to 2-4 times a day, but except when first deploying your policies (or in dev), this should not be too often as it puts a load on your VSA. Our DEV platform with 9 agents runs the compliance check hourly and has a deploy interval of 5 minutes.
We also use the Compliance Check option and it runs daily.
The policies from the first group where kept for several days even after the Compliance Check runs.