Managing inactive clients in SCCM 2012

Without proper client cleanup and repair, your SCCM database will be cluttered and less useful. This article covers obsolete client removal and eventual client reinstallation.

One of the unfortunate aspects of being an SCCM administrator is client maintenance. When deploying applications, monitoring installations, and performing inventories, having up to date client records is very important.

Inactive clients in SCCM

Inactive clients in SCCM

When a client is no longer communicating with SCCM, you have a couple of options. But first, let’s learn why our clients become inactive and how to find them.

Why are my SCCM clients inactive? ^

The easiest way to explain this is to understand how a client remains active. A client remains active if it is discoverable and if it communicates with your SCCM servers. Communication can include:

  • Heartbeats
  • System Discovery
  • Network Discovery

So a client can be marked as inactive if it fails to update SCCM due to issues such as loss of connection, restrictive firewall settings, and client corruption. We are going to tackle this last problem in a bit.

When dealing with inactive clients, you might run across false positives. These are Active Directory computer accounts that have gone stale (no longer linked to a physical computer). When the System Discovery process runs, these objects are imported into SCCM. To avoid this issue, it is important to regularly clean stale computer accounts.

How can I clean up stale records in SCCM? ^

Two Site Maintenance tasks control stale record deletion in SCCM. Within the Configuration Manager console, these can be accessed under Administration/Site Configuration/Sites – Site Maintenance.

Site Maintenance is located within the top toolbar

Site Maintenance is located within the top toolbar

Within Site Maintenance, you will see two tasks named: Delete Aged Discovery Data and Delete Inactive Client Discovery Data. Both of these tasks should be enabled for inactive client data deletion.

Site Maintenance

Site Maintenance

While you can edit the scheduled run time, be sure to keep the task run-time greater than the heartbeat discovery time. By default, the heartbeat discovery runs once every 7 days. Failure to do so will result in zero clients and make client management very boring…

Creating a stale client Collection ^

Because the SCCM client can occasionally mess up, it is important to have a method for reinstallation. Step 1 in this process is building a stale client collection.

Under Assets and Compliance/Device Collections, create a new collection named Client Activity: Inactive. Edit the collection and make a note of the Collection ID. Then select Membership Rules.

My collection ID is GC10025E

My collection ID is GC10025E

Create a new query and paste the following in as the query statement:

This query simple checks to see if the Client Activity Status is equal to zero

This query simple checks to see if the Client Activity Status is equal to zero.

After the collection membership updates, you should have a list of every inactive client within your organization.

Exporting to Active Directory ^

Most SCCM admins might initiate a client push to take care of any on-line but inactive clients. I prefer to automate things a bit. This process will assume that you deploy the SCCM client with Group Policy and that you have that GPO scope to a specific security group.

Within the SCCM console, select the down arrow (top right of console). Then select Connect via Windows PowerShell.

Connect via Windows PowerShell

Connect via Windows PowerShell

Once PowerShell launches, you will need to import the Quest AD Management cmdlets (or modify this script to use the Active Directory cmdlets).

Copy the script below. You will need to modify the collectionID and modify the Add-QADGroupMember line to reflect your security group.

After running the script, you should now have a Security Group that contains all of your inactive clients. This group is scoped within a GPO that installs/reinstalls the SCCM client. The only step remaining is to remove the client from the group after the GPO has processed once.

Because you are likely using Group Policy scripts for installation, add a second script that contains the following:

Be sure to modify the GetObject command to match your group location. You will also need to delegate the ability for SELF to remove itself from the group. This will allow the computer to automatically un-scope itself after the GPO applies once. The end result will be a repaired client.

$CollectionMembers = Get-CMDevice -CollectionId GC10025E | Select -Property Name | Sort-Object Nameforeach ($CollectionMember in $CollectionMembers){Add-QADGroupMember -Identity "APP_SCCM 2012 SP1 Client" -Member $CollectionMember.name}

 

Want to write for 4sysops? We are looking for new authors.

Read 4sysops without ads and for free by becoming a member!

1+
Share
57 Comments
  1. Author

    You could if you wanted to keep this all in SCCM. This could be advantageous if you don't have access to AD.

    2+

  2. Will 4 years ago

    I need to find if a specific task is running on computer in a specific OU in SCCM. Can you please provide a query?

     

    2+

  3. Author

    That is a really broad query, Will. By task - do you mean Scheduled Task? SCCM client tasks? A process in general?

    2+

  4. Will 4 years ago

    Yes, a scheduled task on a local computer.

    2+

  5. SGK 4 years ago

    Great post ..thanks

    Reg heartbeat -  if it is set to 7 days and the DDR record is created today then even if the machine goes out of the network till 18th the client activity is retained till Sep 18th in the console ?  Or after DDR the hardware inventory needs to run once today itself ?

    Also we have client push disabled at the moment. Can i set the GPO to a particular OU which in turn will be based on AD group which will contain the machines needing the reinstall ?

    1+

  6. Author

    I believe that only the heartbeat is required for the client to remain active. You can - just link that GPO only to that OU.

    1+

  7. SGK 4 years ago

    thanks for the reply

    Also the client could also be inactive if the machine goes out of the network after a week of sending the heartbeat right ? Then if none of the four policies trigger it wil stay inactive depeding on the setting  "Retain client status history for numder of days" .Say we have it set for 30 days and the client is back within 15 days of going out of the network. Then no action is needed right ?

    1+

  8. Author

    That is also correct - you may have already seen this but if not, read this technet article: https://technet.microsoft.com/en-us/library/hh338432.aspx

    1+

  9. Eddie Bennett 3 years ago

    This worked great for me to gather all my inactive clients. But now, I am stuck on how to get these back into working active form so I can see an active count in my reports. Where do I go from here.

    2+

    • Author

      Hi Eddie - you can either clear the client install flag on in SCCM or use your exported list to apply a startup script to the machines (in Group Policy). I prefer the Group Policy route.

      1+

  10. Jyoti 3 years ago

    Hi Joseph,

    I need to know about Security group creation, shall I simply give any new group name(colored as pink in script) in the powershell command?

    Or I need to create a security group in AD first and then name it in powershell command which you gave??

    1+

  11. shah 3 years ago

    Hi Joseph

    this is a great post. Problem is i am not sure if it is a solution to the problem i am having.  I have posted the issue in another forum but got no response.

    Basically, i see many clients are inactive say 20 out of 80 desktops and laptops. my goal is to make them active again. recently, i found one desktop client is inactive which was active just 2 weeks ago. i found no errors in the ccm logs on that client. pushed client again manually from wizard checking the uninstall existing client, but still inactive.

    only thing i recall i did in last 2 weeks is i changed the client from one AD computer group to another AD group under same OU.

    Following your article, i have already created a group in sccm 2012 for all inactive computers.

    Under this circumstances, what should i do? i would like to work on just this one or couple inactive client first and then the rest if successful.

     

    please help

    shah

    2+

  12. Johnny 3 years ago

    Hi, this is a great post. I have a simple question, if I delete all inactive clients only in SCCM 2012R2 and the clients still have the agent on them, if they come back online on the network, will these clients come back in the database or do they need to be reinstalled? I currently am not using GPO to install clients, they are installed via the discovery methods like AD discovery. Will the discovery method reinstall the client as it see's the client is not in the database?

    Thank You!

    4+

  13. Bruno 3 years ago

    Thnks man, help me a lot!!

    2+

  14. naraynana r 3 years ago

    How to delete duplicate host objects from sccm.

    1+

  15. Adi 2 years ago

    Hi,

    I have followed the steps until collection member updates. And the inactive client activity status were disappeared . But why the clients turn from Yes to No?

    Does anybody know how should I get the Yes back.

    Please help me cause I really new in this SCCM

    1+

  16. ComputerGeek 1 year ago

    How would i get pass this expressions error?

    PS BW1:\> $CollectionMember = $CollectionMembers | $CollectionMembers = Get-CMDevice -CollectionId BP1001FB | Select -Pr
    operty Name | Sort-Object Name | Foreach-Object { Get-QADComputer $_.name | Add-QADGroupMember -Identity "SCCM_AD_Group" }
    At line:1 char:42
    + $CollectionMember = $CollectionMembers | $CollectionMembers = Get-CMD ...
    + ~~~~~~~~~~~~~~~~~~
    Expressions are only allowed as the first element of a pipeline.
    + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ExpressionsMustBeFirstInPipeline

    0

    • @ComputerGeek

      You doubled a part of the code. Probably a copy/paste error...

      And therefore you added a second equal ( = ) sign where it is not allowed.

      $CollectionMember = $CollectionMembers |     $CollectionMembers =       Get-CMDevice -CollectionId BP1001FB | Select -Property Name | Sort-Object Name | Foreach-Object { Get-QADComputer $_.name | Add-QADGroupMember -Identity "SCCM_AD_Group" }

      I guess this would work better:

      0

      • ComputerGeek 1 year ago

        Thanks. So I figured out an alternative (Clean One-Liner) but there's only one problem. It works inside SCCM's Console Powershell console, but when i try it outside I get an AD Error. 

        So again works perfectly from SCCM powershell prompt inside Console, but when i call in the modules and connect in, It tells me it cant find the identity. 

        I even tried to substitute Distinguished name, and still got the same error. 

        0

        • @ComputerGeek

          You get the error because at the end of your command line $_$ means nothing for PowerShell.

          Try $_ instead...

          0

          • ComputerGeek 1 year ago

            Here is what i get with that below. It's missing a parameter to validate the argument. Still not sure what it's looking for here. 

            Add-ADGroupMember : Cannot validate argument on parameter 'Members'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
            At C:\SCCM-ADD-ADGroupMember2.ps1:11 char:145
            + ... ct{Add-ADGroupMember "ADDGROUPNAMEHERE" -Members $_ }
            +                                                                      ~~
                + CategoryInfo          : InvalidData: (:) [Add-ADGroupMember], ParameterBindingValidationException
                + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember</pre		
            0
            • @ComputerGeek

              This means that the following code returns nothing

              Thus, when you pipe a null result to the Add-ADGroupMember cmdlet it says "The argument is null or empty&quot

              0

              • ComputerGeek 1 year ago

                What would be the proper way to grab all devices inside the collection name and then add them to the security group? 

                I tried both methods above using QAD and regular AD. That does not work. 

                Any ideas?

                0

                • @ComputerGeek

                  Is the collection name valid?

                  Does it appear in the collection list?

                  0

  17. ComputerGeek 1 year ago

    @Luc Fullenwarth 

    The collection name is valid. Remember I was able to get this working but only in the SCCM Powershell Window, launching it from the console. When i try to run the script inside Powershell ISE i get the error. 

    This one-liner below does pull the collection and add the computers to the Security Group successfully. The only problem is it doesnt work in Powershell ISE. Gets stuck on an error. 

    0

  18. ComputerGeek 1 year ago

    @Luc Fullenwarth 

    Figured it out. No distinguished Names or SamAccount required. Also didnt need the QAD commandlets. The Key was the expand Property. This helps because if you need to update AD Security Groups and you dont want to manually update it, you can automate it. Script works perfectly below: 

    Get-CMDevice -CollectionName "DEVICECOLLECTIONNAMEHERE" | 
        Select -ExpandProperty Name | 
            ForEach-Object{ Add-ADGroupMember -Identity "ADGROUPNAMEHERE" -Members $_$ }

    2+
    avatar
  19. Akshay 1 year ago

    Hi,

    I am new SCCM learner

    I want to check Inactive SCCM client reason & Troubleshooting steps, also

    how to deploy SCCM client on more than 300 systems.

    0

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2020

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account