diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 3dfbe3ee24988821efff14150dd9ffcb3f9523c4..61d734d94e77167198c16f7b60d9aa5f87c37f00 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -36,6 +36,7 @@
 ctl_interface_stop_prop
 ctl_sigstop_prop
 device_config_boot_count_prop
+ device_config_reset_performed_prop
 e2fs
 e2fs_exec
 exfat
@@ -134,6 +135,7 @@
 secure_element_device
 secure_element_tmpfs
 secure_element_service
+ server_configurable_flags_data_file
 slice_service
 stats
 stats_data_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index b2c619c0790e7f2de21b66857336a776cca03548..c828a565b7b583051c6a7f73d6b6dbd10f75f548 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -34,6 +34,7 @@
 ctl_interface_stop_prop
 ctl_sigstop_prop
 device_config_boot_count_prop
+ device_config_reset_performed_prop
 exfat
 exported2_config_prop
 exported2_default_prop
@@ -121,6 +122,7 @@
 secure_element_device
 secure_element_service
 secure_element_tmpfs
+ server_configurable_flags_data_file
 slice_service
 stats
 stats_data_file
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 7e1993cce84732f330aadc46a928636aad8135b4..30f231ad10cf98106b884135806b4c71bd606bcd 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -18,6 +18,7 @@
 apexd_tmpfs
 biometric_service
 device_config_boot_count_prop
+ device_config_reset_performed_prop
 face_service
 fastbootd
 flags_health_check
@@ -54,6 +55,7 @@
 super_block_device
 system_lmk_prop
 system_suspend_hwservice
+ server_configurable_flags_data_file
 time_prop
 timedetector_service
 timezonedetector_service
diff --git a/private/file_contexts b/private/file_contexts
index 1035340808f48113251996f76e50c6f5264ed758..3284b68419d5727cfc5d3721cddb9bf040f54c5b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -423,6 +423,7 @@
 /data/preloads(/.*)? u:object_r:preloads_data_file:s0
 /data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
 /data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
+/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
 # Misc data
 /data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
diff --git a/private/property_contexts b/private/property_contexts
index 67e6e0961322750bc78b68df888acddf444b42c4..390c845a169f9e74aecbcd80bf5c429c0ada2566 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -163,6 +163,7 @@ ro.boot. u:object_r:exported2_default_prop:s0
 persist.time. u:object_r:time_prop:s0
 # Properties that relate to server configurable flags
+device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0
 persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
 apexd. u:object_r:apexd_prop:s0
diff --git a/public/file.te b/public/file.te
index bc3262852ecef9f42f85e106bb0aca632d6dd87a..87636d3d70a00c7b714abeea3edd78b97e7c42a4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -248,6 +248,8 @@ type preloads_data_file, file_type, data_file_type, core_data_file_type;
 type preloads_media_file, file_type, data_file_type, core_data_file_type;
 # /data/misc/dhcp and /data/misc/dhcp-6.8.2
 type dhcp_data_file, file_type, data_file_type, core_data_file_type;
+# /data/server_configurable_flags
+type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
diff --git a/public/flags_heatlh_check.te b/public/flags_heatlh_check.te
index 1f6c8ee5798d6db1f93eca83f237d35ed6553d00..9a5ceebc20b83329c8187e42fce1470ec15af8a4 100644
--- a/public/flags_heatlh_check.te
+++ b/public/flags_heatlh_check.te
@@ -3,9 +3,23 @@ type flags_health_check, domain, coredomain;
 type flags_health_check_exec, system_file_type, exec_type, file_type;
 set_prop(flags_health_check, device_config_boot_count_prop)
+set_prop(flags_health_check, device_config_reset_performed_prop)
+
+allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
 # wrong timing, trigger server configurable flag related disaster recovery, which will override
 # server configured values of all flags with default values.
 neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
+
+# system property device_config_reset_performed_prop is used for indicating whether server
+# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
+
+# server_configurable_flags_data_file is used for storing whether server configurable flags which
+# have been reset during current booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+
+neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:file no_w_file_perms;
diff --git a/public/property.te b/public/property.te
index d903e002159588eed6506d6b71063c69a582721e..bdd57d6e3b1ec6d7fc40c288294f70e6e9453872 100644
--- a/public/property.te
+++ b/public/property.te
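Review bot: The new `allow flags_health_check server_configurable_flags_data_file:file create_file_perms;` grants only `file`-class permissions, but creating or unlinking a file under /data/server_configurable_flags also needs `dir` permissions (search, write, add_name, remove_name) on the directory's label, and no `:dir` rule for this domain appears in the hunk, so unless one exists elsewhere the writes will be denied at runtime; `allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;` beside it would close that gap. The matching neverallow likewise names only the `file` class, so `dir` and `lnk_file` objects carrying this label are left unconstrained for other domains; consider `{ dir file lnk_file }` as the class set, or state in the comment that only regular files are meant to be protected. The comment above that last neverallow is hard to parse (`storing whether server configurable flags which have been reset`); something like `# server_configurable_flags_data_file records whether server configurable flags were reset during the current boot.` reads cleaner. The stray blank line between that comment and its rule also breaks the comment-then-rule layout the two blocks above it follow.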
@@ -27,6 +27,7 @@ type debuggerd_prop, property_type, core_property_type;
 type debug_prop, property_type, core_property_type;
 type default_prop, property_type, core_property_type;
 type device_config_boot_count_prop, property_type;
+type device_config_reset_performed_prop, property_type;
 type device_logging_prop, property_type;
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
@@ -390,6 +391,7 @@ compatible_property_only(`
 -ffs_prop
 -fingerprint_prop
 -firstboot_prop
+ -device_config_reset_performed_prop
 -device_config_boot_count_prop
 -hwservicemanager_prop
 -last_boot_reason_prop
diff --git a/public/vendor_init.te b/public/vendor_init.te
index bbfd4184d48f0b413afaaa464ad1794d963f6d9a..2b9c733d9e4d0c92153d315543bc141ecffb3e4c 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -174,6 +174,7 @@ not_compatible_property(`
 set_prop(vendor_init, {
 property_type
 -device_config_boot_count_prop
+ -device_config_reset_performed_prop
 -restorecon_prop
 -netd_stable_secret_prop
 -firstboot_prop