Device not leaving group.... but it did in the logs

I have a group that I use to target some very specific unix policies to. My desktop team told me they were getting hit by some of those actions so I thought maybe it was sort of a race condition on the group not getting evaluated for one group before evaluating this one:


So just to cover my butt, I added “not windows of operating system” to the end of the group (redundant in this case, but whatever) and while checking up on one of the win10 desktops in this group that was just imaged on the 19th, I see this in the logs:

At 04:23:11 -0500 - actionsite (
Relevant - XXX - All Devices - No Infrastructure (fixlet:75414)
Relevant - XXX WIN Workstations (fixlet:4650)
Relevant - XXX - All Unix Devices - No Infrastructure (fixlet:459824)
Relevant - XXX Workstations (fixlet:3075740)

At 04:23:32 -0500 - actionsite (
Relevant - NIC Servers - Data Center (not) (fixlet:75374)
Fixed - NIC Servers (fixlet:75372)
Fixed - XXX - All Unix Devices - No Infrastructure (fixlet:459824)

…so it did pop into the group, then back out. However the console shows the endpoint is still in the group. Even after updating the relevance and force refreshing the device, it still shows as being part of the unix group. Any thought on how/why this is happening?

As sort of a part 2 of this, I have a site on another root showing sort of the same thing. I set the relevance to the site to “No Computers” so I can delete it, but I still have active endpoints showing applicability to the site. I’m wondering if this is an overarching sign of issues we are having.

On the screenshot it looks like you’ve set the criteria for ‘Relevance is false’ which I think is opposite of what you want.

As to the log file, the group changing to Fixed doesn’t mean it’s non-relevant, it could mean that it’s joined the group…which gets back to your original idea, I think, regarding the order in which groups are evaluated and joined. There’s actually an Action associated with that; I’m not sure how that’s displayed in the client log but it’ll show up in the client settings in the registry.

Has the machine shown up in the Windows Servers or Windows Clients groups yet (also visible via Registry)? And…to troubleshoot further you could check the group summary page to list the generated relevance and try running that through the fixlet debugger on the endpoint.

It was effectively the same thing:

I’ll see what I can do to run a fast query but I don’t have direct access to that device.

Ah, ok I misread and assumed the actual relevance was ‘not windows of operating system’. Sorry about that.

Is it showing up in those Windows groups at the console?

So it did actually update for the windows endpoints. I still find it odd that some macs are also still in this group even though they are in the “XXX Workstations” group. Seems like once they evaluated the group, it didn’t re-evaluate. I’m thinking if I go shake the tree I could get those macs to go out of this group too.

If it’s a problem where the client evaluation cycle is too long (so it takes a long time to come back around and re-evaluate the group), you could edit the group so it shows up as “new” and gets priority on re-evaluating. Even if you don’t actually make a change, the act of changing the group will give it priority.