Thursday, November 28, 2013

Managing inactive clients in SCCM 2012

One of the unfortunate aspects of being an SCCM administrator is client maintenance. When deploying applications, monitoring installations, and performing inventories, having up-to-date client records is very important.

Inactive clients in SCCM
When a client is no longer communicating with SCCM, you have a couple of options. But first, let’s learn why our clients become inactive and how to find them.

Why are my SCCM clients inactive?

The easiest way to explain this is to understand how a client remains active. A client remains active if it is discoverable and if it communicates with your SCCM servers. Communication can include:
  • Heartbeats
  • System Discovery
  • Network Discovery
So a client can be marked as inactive if it fails to update SCCM due to issues such as loss of connection, restrictive firewall settings, and client corruption. We are going to tackle this last problem in a bit.
When dealing with inactive clients, you might run across false positives. These are Active Directory computer accounts that have gone stale (no longer linked to a physical computer). When the System Discovery process runs, these objects are imported into SCCM. To avoid this issue, it is important to regularly clean stale computer accounts.

How can I clean up stale records in SCCM?

Two Site Maintenance tasks control stale record deletion in SCCM. Within the Configuration Manager console, these can be accessed under Administration/Site Configuration/Sites – Site Maintenance.
Site Maintenance is located within the top toolbar
Within Site Maintenance, you will see two tasks named: Delete Aged Discovery Data and Delete Inactive Client Discovery Data. Both of these tasks should be enabled for inactive client data deletion.
Site Maintenance
By default, the heartbeat discovery runs once every 7 days. While you can edit the scheduled run time, be sure to keep the task run-time greater than the heartbeat discovery time. Failure to do so will result in zero clients and make client management very boring…

Creating a stale client Collection

Because the SCCM client can occasionally mess up, it is important to have a method for reinstallation. Step 1 in this process is building a stale client collection.
Under Assets and Compliance/Device Collections, create a new collection named Client Activity: Inactive. Edit the collection and make a note of the Collection ID. Then select Membership Rules.
My collection ID is GC10025E
Create a new query and paste the following in as the query statement:
This query simply checks to see if the Client Activity Status is equal to zero.
After the collection membership updates, you should have a list of every inactive client within your organization.

Exporting to Active Directory

Most SCCM admins might initiate a client push to take care of any on-line but inactive clients. I prefer to automate things a bit. This process will assume that you deploy the SCCM client with Group Policy and that you have that GPO scoped to a specific security group.
Within the SCCM console, select the down arrow (top right of console). Then select Connect via Windows PowerShell.
Connect via Windows PowerShell
Once PowerShell launches, you will need to import the Quest AD Management cmdlets (or modify this script to use the Active Directory cmdlets).
Copy the script below. You will need to modify the collectionID and modify the Add-QADGroupMember line to reflect your security group.
After running the script, you should now have a Security Group that contains all of your inactive clients. This group is scoped within a GPO that installs/reinstalls the SCCM client. The only step remaining is to remove the client from the group after the GPO has processed once.
Because you are likely using Group Policy scripts for installation, add a second script that contains the following:
Be sure to modify the GetObject command to match your group location. You will also need to delegate the ability for SELF to remove itself from the group. This will allow the computer to automatically un-scope itself after the GPO applies once. The end result will be a repaired client.
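# Load the Quest AD Management cmdlets
Add-PSSnapin Quest.ActiveRoles.ADManagement

# Get the device names in the inactive-client collection (use your own collection ID)
$CollectionMembers = Get-CMDevice -CollectionId GC10025E | Select -Property Name | Sort-Object Name

# Add each inactive client to the security group that scopes the client install GPO
foreach ($CollectionMember in $CollectionMembers) {
    Add-QADGroupMember -Identity "APP_SCCM 2012 SP1 Client" -Member $CollectionMember.name
}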
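
For readers who take the "Active Directory cmdlets" route mentioned above, here is an added example (not the original author's script) that does the same export with the ActiveDirectory module and reports what it changed. It assumes the RSAT ActiveDirectory module is installed and reuses the collection ID and group name from this post; the `$DryRun` switch, the report columns, and the choice to skip disabled accounts are this example's own.

```powershell
# Added example, not the original script. Run it from the console's
# "Connect via Windows PowerShell" session so Get-CMDevice is available.
Import-Module ActiveDirectory

$CollectionId = 'GC10025E'                   # collection ID from the post; use your own
$GroupName    = 'APP_SCCM 2012 SP1 Client'   # security group from the post; use your own
$DryRun       = $true                        # set to $false to actually change the group

# Read the current membership once so machines already in the group are skipped.
$existing = @(Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.Name })

$names = Get-CMDevice -CollectionId $CollectionId |
    Select-Object -ExpandProperty Name | Sort-Object -Unique

$report = foreach ($name in $names) {
    # A stale SCCM record may have no matching AD computer account.
    $computer = Get-ADComputer -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue

    if (-not $computer) {
        $action = 'NoADAccount'
    } elseif (-not $computer.Enabled) {
        # Assumption of this example: disabled accounts are left for AD cleanup.
        $action = 'DisabledInAD'
    } elseif ($existing -contains $name) {
        $action = 'AlreadyMember'
    } else {
        # -WhatIf:$true only previews the change; nothing is written to AD.
        Add-ADGroupMember -Identity $GroupName -Members $computer -WhatIf:$DryRun
        $action = if ($DryRun) { 'WouldAdd' } else { 'Added' }
    }

    [pscustomobject]@{ Computer = $name; Action = $action }
}

# Keep this output as a record of who was placed in the GPO-scoped group.
$report | Format-Table -AutoSize
```

Because membership in this group triggers a client reinstall and each computer is delegated the right to remove itself, reviewing the dry-run report before setting `$DryRun` to `$false` shows exactly which machines the GPO will touch.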
