Effective Policy
The Effective Policy view shows the resolved set of all policy settings applied to an agent, including collision detection across multiple policy sources. This is the Resultant Set of Policy (RSoP) for each endpoint.
Conformance vs. Compliance
The Effective Policy tab uses the term conformance (Conformant / Non-Conformant) rather than "compliance." This is intentional. In TridentStack Control, "compliance" refers specifically to security compliance frameworks (CIS Benchmarks, DISA STIGs, NIST controls) managed under the Compliance tab. Effective Policy conformance is a different concept: it measures whether the actual value of a policy setting on the endpoint matches the desired value configured by the winning policy source. Using distinct terminology avoids confusion between these two features.
Why This Matters
In real environments, policy settings can come from multiple sources simultaneously:
- TridentStack Control platform policies you configure in the Configuration Policies page
- Active Directory Group Policy Objects (GPOs) from your domain controllers
- Intune MDM policies from Microsoft Endpoint Manager
- Local registry settings applied manually or by scripts
When the same setting is defined by more than one source, conflicts arise. The Effective Policy view shows you exactly which source wins for each setting and highlights any conflicts that were resolved.
Viewing Effective Policy
Navigate to any Windows agent's detail page and select the Effective Policy tab.
The Effective Policy tab is only available for Windows agents. Linux agents do not have the same multi-source policy model.
Summary Strip
At the top, a summary shows:
- Settings per source: Count of settings from each source (Platform, Domain GPO, Intune MDM, Local)
- Conformance rate: Percentage of settings where the actual value matches the desired value
- Conflicts: Total number of settings where multiple sources compete (highlighted in amber when greater than zero)
- Domain context: The domain name if the agent is domain-joined
Settings Table
Each row in the table represents a single policy setting:
| Column | Description |
|---|---|
| Setting Name | Human-readable name (e.g., "Configure Automatic Updates") |
| Type | Setting type: Registry, Security, Drive Mapping, or Service |
| Policy | Which policy object defined this setting |
| Desired Value | The configured value |
| Actual Value | What the agent currently reports |
| Conformance | Whether desired matches actual (Conformant / Non-Conformant / Unknown) |
| Source | Which source provided the winning value (Platform, Domain GPO, Intune, Local) |
Conflict Details
Click any row to expand it and see three sections:
- Setting Details: Registry key path, category, and state
- Conformance Check: Side-by-side comparison of desired vs. actual values
- Policy Precedence: Shows which sources competed for this setting and which one won
When a setting has a conflict, the expanded view displays the full precedence chain. For example:
Policy Precedence
[Winner] Server Hardening Policy (Platform)
[Overridden] Default Domain Policy (Domain GPO)
How Conflicts Are Resolved
Source Priority
When the same setting is defined by multiple sources, the highest-priority source wins:
| Priority | Source | Description |
|---|---|---|
| 4 (highest) | Platform | TridentStack Control configuration policies |
| 3 | Intune MDM | Microsoft Endpoint Manager policies |
| 2 | Domain GPO | Active Directory Group Policy |
| 1 (lowest) | Local | Manual registry settings not claimed by any other source |
TridentStack Control platform policies take precedence over all other sources. This ensures your TridentStack Control-managed settings are always enforced, even when GPOs or MDM policies target the same setting.
Within-Platform Conflicts
When an agent has multiple TridentStack Control platform policies targeting the same registry key (e.g., two policies both configure "Minimum password length"), the system resolves the conflict by applying these rules in order:
- Policy priority value: Each policy object has a priority (1-1000). Higher priority wins.
- Conservativeness scoring: If priorities are equal, the more conservative (safer) configuration wins. For example, manual approval is more conservative than automatic approval.
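The precedence rules from Source Priority and Within-Platform Conflicts, worked through as an added example (illustrative Python, not TridentStack Control's own code). The numeric `safety` score, the rule that a missing actual value yields "Unknown", and all sample policies and values are assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Source priority from the page's table: higher number wins.
SOURCE_PRIORITY = {"Platform": 4, "Intune MDM": 3, "Domain GPO": 2, "Local": 1}

@dataclass(frozen=True)
class Candidate:
    setting: str       # setting name or registry key path
    source: str        # key of SOURCE_PRIORITY
    policy: str        # policy object that defines the value
    desired: str
    priority: int = 0  # platform policy priority (1-1000); 0 for other sources
    safety: int = 0    # hypothetical conservativeness score, higher = safer

def rank(c):
    # Source priority first, then policy priority, then conservativeness.
    return (SOURCE_PRIORITY[c.source], c.priority, c.safety)

def resolve(candidates, actual):
    """Return {setting: row} with winner, overridden chain and conformance."""
    groups = {}
    for c in candidates:
        groups.setdefault(c.setting, []).append(c)
    rows = {}
    for setting, group in groups.items():
        ordered = sorted(group, key=rank, reverse=True)
        if setting not in actual:
            state = "Unknown"  # assumption: agent reported no value
        elif actual[setting] == ordered[0].desired:
            state = "Conformant"
        else:
            state = "Non-Conformant"
        rows[setting] = {"winner": ordered[0], "overridden": ordered[1:],
                         "conflict": len(ordered) > 1, "conformance": state}
    return rows

def summary(rows):
    ok = sum(r["conformance"] == "Conformant" for r in rows.values())
    return {"conformance_rate": round(100 * ok / max(len(rows), 1), 1),
            "conflicts": sum(r["conflict"] for r in rows.values())}

# Constructed sample data: three settings, two of them contested.
SAMPLE = [
    Candidate("Minimum password length", "Platform", "Baseline Policy", "8", 500, 1),
    Candidate("Minimum password length", "Domain GPO", "Default Domain Policy", "7"),
    Candidate("Minimum password length", "Platform", "Server Hardening Policy", "14", 500, 2),
    Candidate("Configure Automatic Updates", "Domain GPO", "Default Domain Policy", "3"),
    Candidate("Configure Automatic Updates", "Intune MDM", "Update Ring", "4"),
    Candidate("Disable SMBv1", "Platform", "Server Hardening Policy", "1", 800, 1)]
ACTUAL = {"Minimum password length": "14", "Configure Automatic Updates": "3"}
```

In this sample the GPO value for "Configure Automatic Updates" is what the endpoint actually holds, so the row is Non-Conformant even though the GPO lost the precedence contest: conformance is always measured against the winning source's desired value.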
Detection, Not Manual Resolution
Conflict resolution is automatic. You cannot manually pick a winner for individual settings. To change which policy wins:
- Adjust the priority value on your policy objects
- Remove the conflicting setting from one of the competing policies
- Reassign tags so the agent only receives one of the conflicting policies
Filtering and Search
- Source filter: Toggle buttons to show/hide settings from specific sources (Platform, Domain GPO, Intune, Local)
- Type filter: Filter by setting type (Registry, Security, Drive Mapping, Service)
- Search: Find settings by name or registry key path
- Sort: By setting name, type, policy name, conformance status, or source
Data Sources
The Effective Policy tab combines data from multiple agent telemetry channels:
| Source | How Data Is Collected |
|---|---|
| Platform policies | Agent receives desired state from TridentStack Control server during check-in |
| Domain GPO | Agent runs gpresult /xml and sends the parsed output |
| Intune MDM | Agent reads Configuration Service Provider (CSP) registry entries |
| Local | Registry values detected that are not claimed by any of the above sources |
| Actual values | Agent reports current registry values for comparison |
The RSoP document is cached and refreshed when policy changes are detected. It uses ETag-based caching so the agent only re-downloads when something has changed.