Summary
"Machine Policy refresh failed" error on application request
Symptoms
The application request fails with the error "Machine Policy refresh failed", and the following entry appears in RunPolicy.log:
--
<![LOG[Error running policy for schedule on computer_name Error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))]LOG]!
--
Resolution
The ESD Service account needs to be a local admin on the client machine where the machine policy refresh is being performed. The machine policy refresh is not strictly necessary; it only speeds up the deployment process. By default, the SCCM client will perform a machine policy refresh on its own every 60 minutes. We use something very similar to the following PowerShell script to perform the refresh. If the following works when run under the context of the ESD service account, then App Portal should work as well.
Invoke-WmiMethod -Namespace root\CCM -Class SMS_Client -Name TriggerSchedule -ComputerName <MachineName> -Credential <domain>\<esdServiceAccount> -ArgumentList "{00000000-0000-0000-0000-000000000021}"
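
The check described above can be wrapped so that the E_ACCESSDENIED case from RunPolicy.log is reported separately from other failures. This is an added example, not code from the product or its vendor; the function name Test-MachinePolicyRefresh, its parameters and the machine name CLIENT01 are hypothetical, and it assumes Windows PowerShell, where the WMI cmdlets are available.

```powershell
# Added example (not vendor code). Function name, parameters and CLIENT01 are hypothetical.
function Test-MachinePolicyRefresh {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # Schedule ID used in the article for the machine policy refresh.
    $scheduleId    = '{00000000-0000-0000-0000-000000000021}'
    # HRESULT from the RunPolicy.log entry; the hex literal parses as a signed Int32.
    $accessDenied  = 0x80070005

    $result = [ordered]@{
        ComputerName = $ComputerName
        Account      = $Credential.UserName
        Outcome      = $null
        Detail       = $null
    }

    try {
        # Same call as in the article, run with the supplied credential.
        $null = Invoke-WmiMethod -Namespace root\CCM -Class SMS_Client -Name TriggerSchedule `
            -ComputerName $ComputerName -Credential $Credential `
            -ArgumentList $scheduleId -ErrorAction Stop
        $result.Outcome = 'Triggered'
    }
    catch {
        $ex = $_.Exception
        if ($ex -is [System.UnauthorizedAccessException] -or $ex.HResult -eq $accessDenied) {
            # Matches the "Access is denied" entry: the account lacks rights on this client.
            $result.Outcome = 'AccessDenied'
        }
        else {
            # Anything else (machine offline, RPC blocked, client not installed, ...).
            $result.Outcome = 'OtherFailure'
        }
        $result.Detail = $ex.Message
    }

    [pscustomobject]$result
}

# Prompt for the password rather than storing it in the script.
$cred = Get-Credential -Message 'ESD service account (DOMAIN\user)'
Test-MachinePolicyRefresh -ComputerName 'CLIENT01' -Credential $cred
```

Run it from a different machine than the target, since WMI rejects explicit credentials for local connections.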