We have an MSI assigning the host to a group. Both the host MSI package and the group are set to a certain policy and/or to inherit the group's policy. Every time we push the MSI to a client however, the user goes to the group we specify with no policy assigned. This leaves the endpoint without our security whitelist from the policy it is supposed to be getting. We are forced to manually monitor the default "unassigned" folder and apply the policy every time our auto-deployment MSI hits a new endpoint. With hundreds of endpoints and a sensitive coporate environment, this is a real pain and security risk.