About Configuration Manager Local Policy

System Center

Updated: October 28, 2009

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

The Policy Agent, in Microsoft System Center Configuration Manager 2007, performs the following tasks:

  • Requests and receives policy assignments from the management point.

  • Evaluates policy assignments.

  • Requests and receives policies from the management point.

  • Stores policies and settings.

Requesting Policy Assignments

The Policy Agent requests a policy from the management point on its schedule by sending messages. In response to these messages, the management point sends a full set of policy assignments that have changed since the last time the Policy Agent asked. If the policy has not changed, no reply is sent from the management point to the Policy Agent.

If the client has not previously retrieved policy, a full set of policy is sent. Otherwise the policy delta is sent. A full set of policy is set if an error condition, such as a CRC error has occurred, or if client automation is being used.

Machine policy schedule is always active. User policy schedule is only active when a user is logged on.

The Policy Agent stores the policy assignments for the computer and for each user in the policy store in Windows Management Instrumentation (WMI).

Any revocations that occur arrive as part of the policy assignment request.

Evaluating Policy Assignments

When the Policy Agent receives new policy assignments, it evaluates each policy assignment to see if it is applicable and if it should be executed. The Policy Agent also evaluates these assignments on a regular cycle. The evaluation cycle for a machine policy is different from a user policy.

Requesting Policies from the Management Point

When a policy assignment is marked as applicable, the policy is requested. To minimize unnecessary communication, the Policy Agent checks to see whether the policy is already present in the policy store. If the policy is present, no communication is required. If the policy is not present in the policy store, the Policy Agent requests that the Data Transfer Service download the policy from the management point.

noteNote
A significant advantage is gained by downloading policies through a URL that is using BITS because local internet caches are leveraged when multiple clients request the same policy. BITS does not apply to policies that contain sensitive data in mixed mode.

Policy Storage and Settings

When the Policy Agent receives a notice indicating that a requested policy has been downloaded, it stores the policy in the policy store in WMI. The client executes those actions when the schedules become available. Policies are deleted from the store when all corresponding policy assignments have been revoked.

Custom Policy and Software Distribution

If you plan to use software distribution to distribute the schema, you should distribute it in advance of creating the actual custom policy. Software distribution policy arrives after the custom policy on new client deployments and this can cause the custom policy to become invalid.

See Also

Show: