One of the unfortunate aspects of being an SCCM administrator is client maintenance. When deploying applications, monitoring installations, and performing inventories, having up-to-date client records is very important.
Inactive clients in SCCM
When a client is no longer communicating with SCCM, you have a couple of options. But first, let’s learn why our clients become inactive and how to find them.
Why are my SCCM clients inactive?
The easiest way to explain this is to understand how a client remains active. A client remains active if it is discoverable and if it communicates with your SCCM servers. Communication can include:
- Heartbeats
- System Discovery
- Network Discovery
So a client can be marked as inactive if it fails to update SCCM due to issues such as loss of connection, restrictive firewall settings, and client corruption. We are going to tackle this last problem in a bit.
When dealing with inactive clients, you might run across false positives. These are Active Directory computer accounts that have gone stale (no longer linked to a physical computer). When the System Discovery process runs, these objects are imported into SCCM. To avoid this issue, it is important to regularly clean stale computer accounts.
How can I clean up stale records in SCCM?
Two Site Maintenance tasks control stale record deletion in SCCM. Within the Configuration Manager console, these can be accessed under Administration/Site Configuration/Sites – Site Maintenance.
Site Maintenance is located within the top toolbar
Within Site Maintenance, you will see two tasks named: Delete Aged Discovery Data and Delete Inactive Client Discovery Data. Both of these tasks should be enabled for inactive client data deletion.
Site Maintenance
While you can edit the scheduled run time, be sure to keep the task run-time greater than the heartbeat discovery time (by default, heartbeat discovery runs once every 7 days). Failure to do so will result in zero clients and make client management very boring…
Creating a stale client Collection
Because the SCCM client can occasionally mess up, it is important to have a method for reinstallation. Step 1 in this process is building a stale client collection.
Under Assets and Compliance/Device Collections, create a new collection named Client Activity: Inactive. Edit the collection and make a note of the Collection ID. Then select Membership Rules.
My collection ID is GC10025E
Create a new query and paste the following in as the query statement:
select SMS_R_SYSTEM.ResourceID,
       SMS_R_SYSTEM.ResourceType,
       SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier,
       SMS_R_SYSTEM.ResourceDomainORWorkgroup,
       SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_CH_ClientSummary
    on SMS_G_System_CH_ClientSummary.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_CH_ClientSummary.ClientActiveStatus = 0
This query simply checks whether the Client Activity Status is equal to zero.
After the collection membership updates, you should have a list of every inactive client within your organization.
Exporting to Active Directory
Most SCCM admins might initiate a client push to take care of any on-line but inactive clients. I prefer to automate things a bit. This process assumes that you deploy the SCCM client with Group Policy and that you have that GPO scoped to a specific security group.
Within the SCCM console, select the down arrow (top right of console). Then select Connect via Windows PowerShell.
Connect via Windows PowerShell
Once PowerShell launches, you will need to import the Quest AD Management cmdlets (or modify this script to use the Active Directory cmdlets).
Copy the script below. You will need to modify the collectionID and modify the Add-QADGroupMember line to reflect your security group.
$CollectionMembers = Get-CMDevice -CollectionId GC10025E | Select -Property Name | Sort-Object Name
foreach ($CollectionMember in $CollectionMembers) {
    Add-QADGroupMember -Identity "APP_SCCM 2012 SP1 Client" -Member $CollectionMember.name
}
After running the script, you should now have a Security Group that contains all of your inactive clients. This group is scoped within a GPO that installs/reinstalls the SCCM client. The only step remaining is to remove the client from the group after the GPO has processed once.
Because you are likely using Group Policy scripts for installation, add a second script that contains the following:
Set objADSysInfo = CreateObject("ADSystemInfo")
Set objGroup = GetObject("LDAP://CN=APP_SCCM 2012 SP1 Client,OU=Software Distribution,DC=Test,DC=local")
objGroup.Remove("LDAP://" & objADSysInfo.ComputerName)
Be sure to modify the GetObject command to match your group location. You will also need to delegate the ability for SELF to remove itself from the group. This will allow the computer to automatically un-scope itself after the GPO applies once. The end result will be a repaired client.
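The export step above rewritten with the Active Directory cmdlets, as an added example that is not the author's script. It also filters out the stale-account false positives described earlier, so only machines with a live AD computer account land in the GPO-scoped group. The `$StaleDays` threshold and the variable names are assumptions; the collection ID and group name are the ones used in the article.

```powershell
# Added example. Assumes the ConfigurationManager and ActiveDirectory modules are
# loaded and the prompt is on the site drive (as after "Connect via Windows PowerShell").
$CollectionId = 'GC10025E'                   # inactive-client collection from the article
$GroupName    = 'APP_SCCM 2012 SP1 Client'   # GPO-scoped security group from the article
$StaleDays    = 90                           # hypothetical threshold; tune to your environment
$cutoff       = (Get-Date).AddDays(-$StaleDays)

$names = Get-CMDevice -CollectionId $CollectionId |
    Select-Object -ExpandProperty Name |
    Sort-Object -Unique

# Classify each inactive client by the state of its AD computer account.
$report = foreach ($name in $names) {
    # LastLogonDate comes from lastLogonTimestamp, which can lag by up to about two weeks.
    $computer = Get-ADComputer -Filter "Name -eq '$name'" -Properties LastLogonDate

    $skip = if (-not $computer) {
        'no AD account'
    } elseif (-not $computer.Enabled) {
        'AD account disabled'
    } elseif (-not $computer.LastLogonDate -or $computer.LastLogonDate -lt $cutoff) {
        "no AD logon in $StaleDays days"
    } else {
        $null
    }

    [pscustomobject]@{
        Name       = $name
        ADComputer = $computer
        SkipReason = $skip
    }
}

# Only machines with a live AD account are worth a client reinstall.
$live = @($report | Where-Object { -not $_.SkipReason })
if ($live.Count -gt 0) {
    # -WhatIf previews the change; remove it to modify the group.
    Add-ADGroupMember -Identity $GroupName -Members $live.ADComputer -WhatIf
}

# Stale or disabled accounts are candidates for AD cleanup, not for reinstallation.
$report | Where-Object { $_.SkipReason } |
    Sort-Object SkipReason, Name |
    Format-Table Name, SkipReason -AutoSize
```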
You could if you wanted to keep this all in SCCM. This could be advantageous if you don’t have access to AD.
I need to find if a specific task is running on a computer in a specific OU in SCCM. Can you please provide a query?
That is a really broad query, Will. By task – do you mean Scheduled Task? SCCM client tasks? A process in general?
Yes, a scheduled task on a local computer.
Great post, thanks.
Regarding heartbeat – if it is set to 7 days and the DDR record is created today, then even if the machine goes out of the network till the 18th, the client activity is retained till Sep 18th in the console? Or after the DDR, does the hardware inventory need to run once today itself?
Also, we have client push disabled at the moment. Can I set the GPO to a particular OU which in turn will be based on an AD group which will contain the machines needing the reinstall?
I believe that only the heartbeat is required for the client to remain active. You can – just link that GPO only to that OU.
Thanks for the reply.
Also, the client could also be inactive if the machine goes out of the network after a week of sending the heartbeat, right? Then if none of the four policies trigger, it will stay inactive depending on the setting “Retain client status history for number of days”. Say we have it set for 30 days and the client is back within 15 days of going out of the network. Then no action is needed, right?
That is also correct – you may have already seen this but if not, read this technet article: https://technet.microsoft.com/en-us/library/hh338432.aspx
This worked great for me to gather all my inactive clients. But now, I am stuck on how to get these back into working active form so I can see an active count in my reports. Where do I go from here?
Hi Eddie – you can either clear the client install flag in SCCM or use your exported list to apply a startup script to the machines (in Group Policy). I prefer the Group Policy route.
Hi Joseph,
I need to know about security group creation. Shall I simply give any new group name (colored pink in the script) in the PowerShell command?
Or do I need to create a security group in AD first and then name it in the PowerShell command which you gave?
Create the group in AD first and then put that name into your PowerShell script.
Hi Joseph
This is a great post. The problem is I am not sure if it is a solution to the problem I am having. I have posted the issue in another forum but got no response.
Basically, I see many clients are inactive, say 20 out of 80 desktops and laptops. My goal is to make them active again. Recently, I found one desktop client is inactive which was active just 2 weeks ago. I found no errors in the ccm logs on that client. I pushed the client again manually from the wizard, checking the uninstall existing client option, but it is still inactive.
The only thing I recall I did in the last 2 weeks is I changed the client from one AD computer group to another AD group under the same OU.
Following your article, I have already created a group in SCCM 2012 for all inactive computers.
Under these circumstances, what should I do? I would like to work on just this one or a couple of inactive clients first and then the rest if successful.
Please help.
shah
Hi, this is a great post. I have a simple question: if I delete all inactive clients only in SCCM 2012R2 and the clients still have the agent on them, if they come back online on the network, will these clients come back in the database or do they need to be reinstalled? I currently am not using GPO to install clients; they are installed via the discovery methods like AD discovery. Will the discovery method reinstall the client as it sees the client is not in the database?
Thank You!
Thanks man, helped me a lot!!
How to delete duplicate host objects from SCCM?
Hi,
I have followed the steps until collection member updates. And the inactive client activity status were disappeared. But why the clients turn from Yes to No?
Does anybody know how I should get the Yes back?
Please help me because I am really new to SCCM.
How would I get past this expressions error?
PS BW1:\> $CollectionMember = $CollectionMembers | $CollectionMembers = Get-CMDevice -CollectionId BP1001FB | Select -Pr
operty Name | Sort-Object Name | Foreach-Object { Get-QADComputer $_.name | Add-QADGroupMember -Identity “SCCM_AD_Group” }
At line:1 char:42
+ $CollectionMember = $CollectionMembers | $CollectionMembers = Get-CMD …
+ ~~~~~~~~~~~~~~~~~~
Expressions are only allowed as the first element of a pipeline.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ExpressionsMustBeFirstInPipeline
@ComputerGeek
You doubled a part of the code. Probably a copy/paste error…
And therefore you added a second equal ( = ) sign where it is not allowed.
$CollectionMember = $CollectionMembers | $CollectionMembers = Get-CMDevice -CollectionId BP1001FB | Select -Property Name | Sort-Object Name | Foreach-Object { Get-QADComputer $_.name | Add-QADGroupMember -Identity "SCCM_AD_Group" }
I guess this would work better:
Thanks. So I figured out an alternative (clean one-liner), but there's only one problem. It works inside SCCM's console PowerShell prompt, but when I try it outside I get an AD error.
So again, it works perfectly from the SCCM PowerShell prompt inside the console, but when I call in the modules and connect in, it tells me it can't find the identity.
I even tried to substitute the distinguished name, and still got the same error.
@ComputerGeek
You get the error because at the end of your command line $_$ means nothing for PowerShell.
Try $_ instead…
Here is what I get with that below. It's missing a parameter to validate the argument. Still not sure what it's looking for here.
@ComputerGeek
This means that the following code returns nothing
Thus, when you pipe a null result to the Add-ADGroupMember cmdlet it says "The argument is null or empty"
What would be the proper way to grab all devices inside the collection name and then add them to the security group?
I tried both methods above using QAD and regular AD. That does not work.
Any ideas?
@ComputerGeek
Is the collection name valid?
Does it appear in the collection list?
@Luc Fullenwarth
The collection name is valid. Remember I was able to get this working, but only in the SCCM PowerShell window, launching it from the console. When I try to run the script inside PowerShell ISE I get the error.
This one-liner below does pull the collection and add the computers to the security group successfully. The only problem is it doesn't work in PowerShell ISE. It gets stuck on an error.
@Luc Fullenwarth
Figured it out. No distinguished names or SamAccount required. Also didn't need the QAD cmdlets. The key was the expand property. This helps because if you need to update AD security groups and you don't want to manually update them, you can automate it. Script works perfectly below:
Get-CMDevice -CollectionName "DEVICECOLLECTIONNAMEHERE" |
Select -ExpandProperty Name |
ForEach-Object{ Add-ADGroupMember -Identity "ADGROUPNAMEHERE" -Members $_$ }
Hi,
I am a new SCCM learner.
I want to check the reason for inactive SCCM clients and the troubleshooting steps, and also
how to deploy the SCCM client on more than 300 systems.