Without proper client cleanup and repair, your SCCM database will be cluttered and less useful. This article covers obsolete client removal and eventual client reinstallation.

Joseph Moody

Joseph Moody is a network admin for a public school system and helps manage 5,500 PCs. He is a Microsoft Most Valuable Professional (MVP) in Cloud and Datacenter Management and blogs at DeployHappiness.com.

One of the unfortunate aspects of being an SCCM administrator is client maintenance. When deploying applications, monitoring installations, and performing inventories, having up to date client records is very important.

Inactive clients in SCCM

Inactive clients in SCCM

When a client is no longer communicating with SCCM, you have a couple of options. But first, let’s learn why our clients become inactive and how to find them.

Why are my SCCM clients inactive? ^

The easiest way to explain this is to understand how a client remains active. A client remains active if it is discoverable and if it communicates with your SCCM servers. Communication can include:

  • Heartbeats
  • System Discovery
  • Network Discovery

So a client can be marked as inactive if it fails to update SCCM due to issues such as loss of connection, restrictive firewall settings, and client corruption. We are going to tackle this last problem in a bit.

When dealing with inactive clients, you might run across false positives. These are Active Directory computer accounts that have gone stale (no longer linked to a physical computer). When the System Discovery process runs, these objects are imported into SCCM. To avoid this issue, it is important to regularly clean stale computer accounts.

How can I clean up stale records in SCCM? ^

Two Site Maintenance tasks control stale record deletion in SCCM. Within the Configuration Manager console, these can be accessed under Administration/Site Configuration/Sites – Site Maintenance.

Site Maintenance is located within the top toolbar

Site Maintenance is located within the top toolbar

Within Site Maintenance, you will see two tasks named: Delete Aged Discovery Data and Delete Inactive Client Discovery Data. Both of these tasks should be enabled for inactive client data deletion.

Site Maintenance

Site Maintenance

While you can edit the scheduled run time, be sure to keep the task run-time greater than the heartbeat discovery time. By default, the heartbeat discovery runs once every 7 days. Failure to do so will result in zero clients and make client management very boring…

Creating a stale client Collection ^

Because the SCCM client can occasionally mess up, it is important to have a method for reinstallation. Step 1 in this process is building a stale client collection.

Under Assets and Compliance/Device Collections, create a new collection named Client Activity: Inactive. Edit the collection and make a note of the Collection ID. Then select Membership Rules.

My collection ID is GC10025E

My collection ID is GC10025E

Create a new query and paste the following in as the query statement:

This query simple checks to see if the Client Activity Status is equal to zero

This query simple checks to see if the Client Activity Status is equal to zero.

After the collection membership updates, you should have a list of every inactive client within your organization.

Exporting to Active Directory ^

Most SCCM admins might initiate a client push to take care of any on-line but inactive clients. I prefer to automate things a bit. This process will assume that you deploy the SCCM client with Group Policy and that you have that GPO scope to a specific security group.

Within the SCCM console, select the down arrow (top right of console). Then select Connect via Windows PowerShell.

Connect via Windows PowerShell

Connect via Windows PowerShell

Once PowerShell launches, you will need to import the Quest AD Management cmdlets (or modify this script to use the Active Directory cmdlets).

Copy the script below. You will need to modify the collectionID and modify the Add-QADGroupMember line to reflect your security group.

After running the script, you should now have a Security Group that contains all of your inactive clients. This group is scoped within a GPO that installs/reinstalls the SCCM client. The only step remaining is to remove the client from the group after the GPO has processed once.

Because you are likely using Group Policy scripts for installation, add a second script that contains the following:

Be sure to modify the GetObject command to match your group location. You will also need to delegate the ability for SELF to remove itself from the group. This will allow the computer to automatically un-scope itself after the GPO applies once. The end result will be a repaired client.

$CollectionMembers = Get-CMDevice -CollectionId GC10025E | Select -Property Name | Sort-Object Nameforeach ($CollectionMember in $CollectionMembers){Add-QADGroupMember -Identity "APP_SCCM 2012 SP1 Client" -Member $CollectionMember.name}


Win the monthly 4sysops member prize for IT pros


Related Posts

  1. ITguyCharlie 4 years ago

    Awesome! I have been struggling with this issue for some time now. Thanks


  2. Author
    Joseph Moody 4 years ago

    Glad it helped you! Let me know how your cleanup goes!!


  3. Zack 4 years ago

    Great post! Exactly what I needed!


  4. Oz 4 years ago

    Here's a write-up I wrote on Oct 3rd which is more of a step-by-step guide for anyone wanting to create a collection of inactive or active computers: http://wp.me/p2m1uI-c7


  5. Author
    Joseph Moody 4 years ago

    Thank you Zack! Let me know if you have any questions.


  6. Author
    Joseph Moody 4 years ago

    Thank you for the link Oz! By the way, I like your blog name!


  7. TG 4 years ago

    How can I query workstations that dont have sccm client installed on them?


  8. Author
    Joseph Moody 4 years ago

    Hey TG - this query will work for you:

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (SMS_R_System.Client is null or SMS_R_System.Client = 0) and SMS_R_System.Name != "Unknown"


  9. Germancio 4 years ago

    Hi Joseph! Very helpfull post! Thank you very much!
    Just a little thing: in the last query you have to replace "unknown" with 'unknown' . It's just a simple thing but sometimes took a while to figured out.
    Have a Good Life bro!
    PS: Sorry my bad english, just learning!


    • Author
      Joseph Moody 4 years ago

      Glad it helped you! Syntax can be a bit strange in SCCM.


  10. rajkumar 3 years ago

    Hi Joseph Moody,

    I am a begineer in SCCM 2012 I am having internest to learn SCCM 2012, could you help me.


  11. Author
    Joseph Moody 3 years ago

    The best way is to play around with it. Check out Microsoft Virtual Academy and go through the courses. Next, get a good book.

    4sysops has a great list of free ebooks: https://4sysops.com/archives/free-e-books-for-windows-administrators/


  12. Hudson Medeiros 2 years ago

    For those who have gotten "Ambiguos Identity" error in Add-QADGroupMember block of the powershell script, replace the line with this:

    Get-QADComputer $CollectionMember.name | Add-QADGroupMember -Identity "APP_SCCM 2012 SP1 Client"

    And don't forget to replace the name of the group with the one which suits your environment.


  13. Author
    Joseph Moody 2 years ago

    Thank you for the tip Hudson!


  14. Jeff 2 years ago

    Hi Joseph,

    Under what circumstances would you recommend the fix you layout, versus buying a solution (like Adaptiva Client Health or Absolute DDS)?


  15. Author
    Joseph Moody 2 years ago

    Hey Jeff,

    You don't get too much reporting with this solution so a 3rd party program may give you that feature.


  16. Guguianu 2 years ago

    Hi , I don't agree on your vision of how a client become inactive with configuration manager 2012, even if a part of what you are saying is true. A client inactivy is determined by the client status settings in the monitoring space in SCCM console.
    What is in there ? :

    Client Policy request cycle
    Heartbeat discovery cycle
    hardware inventory cycle
    Software inventory cycle
    Status message cycle

    Please correct me if I'm wrong .



  17. Author
    Joseph Moody 2 years ago

    Hi Guguianu - I think we are essentially saying the same thing. Your explanation is a bit more in depth though.


    • Glen 1 year ago

      Perhaps the confusion lies with the last paragraph of the client inactive section where your talking about discovering records from AD, which from my understanding does not impact client activity.

      This is how I interpreted it and assume Guguianu did as well.



      • Author
        Joseph Moody 1 year ago

        Gotcha - in that section, I was referring to the practice of removing a physical computer (or imaging it with a new name) and not cleaning up AD. Those machines will become inactive and then will eventually change to client No.


  18. Ramy Karam 2 years ago

    Hello Joseph Moody,

    Thanks for the post but I don't understand the second part after I finish the device collection , what should I do in the power shell ? whats is the important of this . I mean can you explain what  to do ?




  19. Adam 2 years ago

    If anyone is wondering how to do the PowerShell part without Quest this is the best way I've found to do it.

    #Import Active Directory Module

    import-module ActiveDirectory


    #Import SCCM Module

    Import-Module 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1'


    #Connects to the SCCM Site

    Set-Location SCCM Site Name


    #Removes all computers which are currently in the AD Security Group

    Get-ADGroupMember "Security Group Name" | ForEach-Object {Remove-ADGroupMember "Security Group Name" $_ -Confirm:$false}


    #Gets the members of the Device Collection

    $CollectionMembers = Get-CMDevice -CollectionId PRE00070 | Select -Property Name | Sort-Object Name


    #Gets the Distinguished Name of each Computer in the Device Collection

    ForEach ($CollectionMember in $CollectionMembers){

    $SGMembers = Get-ADComputer -identity $CollectionMember.name | select -Property DistinguishedName


    #Adds each Computer in the Device Collection to the AD Security Group

    $SGMembers | ForEach-Object {Add-ADGroupMember -Identity "Security Group Name" -Members $SGMembers.DistinguishedName}




  20. Author
    Joseph Moody 2 years ago

    Thanks for the update Adam!


  21. RubenDLR 2 years ago

    So I'm confused about clean up schedule. We have heartbeat set to once a day, so should clean up then be everyday too?


  22. Author
    Joseph Moody 2 years ago

    You would want to set it greater than 1 day. For example, if you set it for two days - clients will be removed from SCCM after 2 days of no heartbeat. That is a very aggressive cleanup schedule that can lead to unnecessary client reinstalls.


  23. patrick 2 years ago

    hi i'm just learning sccm 2012. I've discovered a bunch of AD computers in the all systems devices, but i want to safely test this on just a few pcs.

    i have reconfigured the system discovery to a single TEST OU with a few computer accounts. my question is, is it safe to delete the PC's listed in the all systems or will that delete or hard their AD account? for instance SCCM discovered our DC and Exchange server and i don't want them in SCCM yet.


    so is it safe to delete those computer devices out of SCCM?





  24. Author
    Joseph Moody 2 years ago

    Hi Patrick - it is safe to delete their record from SCCM.


  25. Mark 1 year ago

    Since you have a script that is using the SCCM PS Module couldn't you eliminate the AD piece all together by adding "Install-CMClient -CollectionId" or "Get-CMDevice -CollectionId | foreach {Install-CMClient -Device $_}"?


  26. Author
    Joseph Moody 1 year ago

    You could if you wanted to keep this all in SCCM. This could be advantageous if you don't have access to AD.


  27. Will 1 year ago

    I need to find if a specific task is running on computer in a specific OU in SCCM. Can you please provide a query?



  28. Author
    Joseph Moody 1 year ago

    That is a really broad query, Will. By task - do you mean Scheduled Task? SCCM client tasks? A process in general?


  29. Will 1 year ago

    Yes, a scheduled task on a local computer.


  30. SGK 1 year ago

    Great post ..thanks

    Reg heartbeat -  if it is set to 7 days and the DDR record is created today then even if the machine goes out of the network till 18th the client activity is retained till Sep 18th in the console ?  Or after DDR the hardware inventory needs to run once today itself ?

    Also we have client push disabled at the moment. Can i set the GPO to a particular OU which in turn will be based on AD group which will contain the machines needing the reinstall ?


  31. Author
    Joseph Moody 1 year ago

    I believe that only the heartbeat is required for the client to remain active. You can - just link that GPO only to that OU.


  32. SGK 1 year ago

    thanks for the reply

    Also the client could also be inactive if the machine goes out of the network after a week of sending the heartbeat right ? Then if none of the four policies trigger it wil stay inactive depeding on the setting  "Retain client status history for numder of days" .Say we have it set for 30 days and the client is back within 15 days of going out of the network. Then no action is needed right ?


  33. Author
    Joseph Moody 1 year ago

    That is also correct - you may have already seen this but if not, read this technet article: https://technet.microsoft.com/en-us/library/hh338432.aspx


  34. Eddie Bennett 10 months ago

    This worked great for me to gather all my inactive clients. But now, I am stuck on how to get these back into working active form so I can see an active count in my reports. Where do I go from here.


    • Author
      Joseph Moody 10 months ago

      Hi Eddie - you can either clear the client install flag on in SCCM or use your exported list to apply a startup script to the machines (in Group Policy). I prefer the Group Policy route.


  35. Jyoti 10 months ago

    Hi Joseph,

    I need to know about Security group creation, shall I simply give any new group name(colored as pink in script) in the powershell command?

    Or I need to create a security group in AD first and then name it in powershell command which you gave??


    • Author
      Joseph Moody 10 months ago

      Create the group in AD first and then put that name into your PowerShell script.


  36. shah 9 months ago

    Hi Joseph

    this is a great post. Problem is i am not sure if it is a solution to the problem i am having.  I have posted the issue in another forum but got no response.

    Basically, i see many clients are inactive say 20 out of 80 desktops and laptops. my goal is to make them active again. recently, i found one desktop client is inactive which was active just 2 weeks ago. i found no errors in the ccm logs on that client. pushed client again manually from wizard checking the uninstall existing client, but still inactive.

    only thing i recall i did in last 2 weeks is i changed the client from one AD computer group to another AD group under same OU.

    Following your article, i have already created a group in sccm 2012 for all inactive computers.

    Under this circumstances, what should i do? i would like to work on just this one or couple inactive client first and then the rest if successful.


    please help



  37. Johnny 6 months ago

    Hi, this is a great post. I have a simple question, if I delete all inactive clients only in SCCM 2012R2 and the clients still have the agent on them, if they come back online on the network, will these clients come back in the database or do they need to be reinstalled? I currently am not using GPO to install clients, they are installed via the discovery methods like AD discovery. Will the discovery method reinstall the client as it see's the client is not in the database?

    Thank You!


  38. Bruno 4 weeks ago

    Thnks man, help me a lot!!


Leave a reply

Your email address will not be published. Required fields are marked *



Please ask IT administration questions in the forum. Any other messages are welcome.

© 4sysops 2006 - 2017

Log in with your credentials


Forgot your details?

Create Account