SCCM 2012: Exclude inactive machines from being discovered

Background

We created an OU for quarantined machines, moved all of the unwanted computer accounts in AD into it, and denied the SCCM site server account all permissions on that OU, applied to the OU and all of its descendant objects. Even so, these machines kept showing up in the console, and we wondered why they were not removed in the next discovery cycle. The approach below sorted it out for us.

Even after denying the site server permission on the **quarantine OU and all of its descendant objects, and selecting only the required OUs in Active Directory System Discovery,** the machines were still discovered and shown in the console. This was despite the site maintenance tasks Delete Aged Discovery Data (set to 90 days) and Delete Inactive Client Discovery Data both being enabled.

Machines that had been inactive in AD until recently were still shown in the console. My assumption was that the console should at least hold no data older than 90 days, but that is not how these tasks work: only the SCCM client's active/inactive status matters, and how inactive the computer account is in AD is irrelevant to SCCM. The maintenance tasks were not deleting the records either, and we eventually found out why: the records were being refreshed by the clients' own discovery (Heartbeat Discovery), so they never aged out.

Solution

Quarantined machines were still reported to the site server because of client activity. A machine with a working SCCM agent keeps sending its own discovery data record (DDR) through Heartbeat Discovery, regardless of which OU its account sits in or what AD System Discovery is allowed to read. If you delete such a machine from the console it reappears as soon as the next DDR is processed. In my case a few active machines had probably been moved into the quarantine OU in AD by mistake, and they continued to be discovered and managed, which is a nice thing as long as they have a working SCCM agent (not 100% sure, but it worked for me, so I mention it here; if you test it and prove it wrong, correct the article I wrote here).

If you want to exclude an active machine, uninstall the agent first and then move the account to the quarantine OU. Without an agent there are no heartbeat DDRs, and with the OU excluded from AD System Discovery the machine is never discovered or managed by SCCM again.
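The uninstall-then-move order described above, as an added PowerShell example that is not part of the original article. The quarantine OU distinguished name, the computer names and the CORP domain are assumptions; it requires the ActiveDirectory module (RSAT) where it runs and administrative rights on the target clients:

```powershell
# Added example, not from the original article.
# Assumptions: OU distinguished name, target computer names, admin rights on the
# targets (for Invoke-Command) and the right to move objects in AD.
Import-Module ActiveDirectory

$QuarantineOU = 'OU=Quarantine,DC=corp,DC=example'   # assumption
$Targets      = @('WKS-OLD-01', 'WKS-OLD-02')         # assumption: machines to retire

function Uninstall-CMClientRemote {
    param([Parameter(Mandatory)][string]$ComputerName)

    # ccmsetup.exe is left under %windir%\ccmsetup on every machine the client was installed on.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $setup = Join-Path $env:windir 'ccmsetup\ccmsetup.exe'
        if (-not (Test-Path $setup)) { return 'no-client' }

        # The launched ccmsetup.exe hands the work to a ccmsetup service/process and may
        # return early, so wait until no ccmsetup process is left before checking the result.
        Start-Process -FilePath $setup -ArgumentList '/uninstall' -Wait
        while (Get-Process -Name ccmsetup -ErrorAction SilentlyContinue) { Start-Sleep -Seconds 10 }

        # The SMS Agent Host service (CcmExec) is gone once the uninstall has completed;
        # details are in %windir%\ccmsetup\Logs\ccmsetup.log if it is not.
        if (Get-Service -Name CcmExec -ErrorAction SilentlyContinue) { 'still-installed' } else { 'uninstalled' }
    }
}

foreach ($name in $Targets) {
    $state = Uninstall-CMClientRemote -ComputerName $name
    if ($state -eq 'still-installed') {
        # A live agent in the quarantine OU would keep sending heartbeat DDRs, so do not move it yet.
        Write-Warning "${name}: client still installed, not moving the account"
        continue
    }
    # Only now move the account, so nothing with a working agent ever sits in the quarantine OU.
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $QuarantineOU
    Write-Host "${name}: client $state, account moved to $QuarantineOU"
}
```

The order matters: if the account is moved first and the agent removed later, the machine keeps reporting itself until the uninstall happens and you end up with the same stale record the article is trying to get rid of.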

Conclusion

So the final conclusion: deny the site server permission on the quarantine OU, build a collection containing the machines from that OU, delete them manually, and then wait a few days to see whether any of them are rediscovered before treating the cleanup as done. In my case it worked, and no machine from the OU was reported back.
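The cleanup and the rediscovery check from the conclusion, as an added PowerShell example that is not part of the original article. The site code P01, the site server name, the site server computer account CORP\SCCM01$, the OU names and the collection name are assumptions; it runs from a machine with the Configuration Manager console (for the ConfigurationManager module) and the AD DS tools (for dsacls). It goes a step beyond the article by reading SMS_R_System.AgentName to tell which discovery method last wrote each record:

```powershell
# Added example, not from the original article.
# Assumptions: site code, site server, site server account, OU names, collection name.
$SiteCode   = 'P01'
$SiteServer = 'SCCM01.corp.example'
$OuDn       = 'OU=Quarantine,DC=corp,DC=example'
$OuPattern  = '%/QUARANTINE%'          # SystemOUName is stored as DOMAIN/OU/SUBOU
$CollName   = 'Quarantine OU cleanup'
$Namespace  = "root\SMS\site_$SiteCode"

# Step 1: deny the site server account everything on the OU and its descendants
# (/I:T = this object and all sub-objects, /D = deny, GA = generic all).
dsacls $OuDn /I:T /D 'CORP\SCCM01$:GA'

# Step 2: a query-based collection so the same list is visible in the console.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location "${SiteCode}:"
$query = "select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, " +
         "SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client " +
         "from SMS_R_System where SMS_R_System.SystemOUName like '$OuPattern'"
if (-not (Get-CMDeviceCollection -Name $CollName)) {
    New-CMDeviceCollection -Name $CollName -LimitingCollectionName 'All Systems' | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollName -RuleName 'In quarantine OU' -QueryExpression $query
    Invoke-CMCollectionUpdate -CollectionName $CollName   # membership is evaluated asynchronously
}

# Step 3: read the records straight from the SMS provider (no wait on collection evaluation)
# and note which discovery agents wrote each one. A 'Heartbeat Discovery' entry means a live
# client is feeding the record, and a delete will not stick until that agent is uninstalled.
function Get-QuarantineReport {
    Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Query "select * from SMS_R_System where SystemOUName like '$OuPattern'" |
        ForEach-Object {
            $agents = @($_.AgentName)
            $idx = [array]::IndexOf($agents, 'Heartbeat Discovery')
            [pscustomobject]@{
                Name          = $_.Name
                ResourceID    = $_.ResourceID
                HasClient     = ($_.Client -eq 1)
                LastHeartbeat = if ($idx -ge 0) { [Management.ManagementDateTimeConverter]::ToDateTime($_.AgentTime[$idx]) } else { $null }
                Agents        = ($agents -join ', ')
            }
        }
}

# Step 4: delete only the records that no live client will recreate; flag the rest.
$report = Get-QuarantineReport
$report | Where-Object { $_.HasClient } | ForEach-Object {
    Write-Warning "$($_.Name): active client, last heartbeat $($_.LastHeartbeat); uninstall the agent before deleting"
}
$report | Where-Object { -not $_.HasClient } | ForEach-Object {
    Get-CMDevice -ResourceId $_.ResourceID | Remove-CMDevice -Force
}

# Step 5: run this again a few days (two discovery cycles) later. Anything listed was
# rediscovered, and the Agents column says why: 'Heartbeat Discovery' means an agent is still
# alive, 'SMS_AD_SYSTEM_DISCOVERY_AGENT' means the OU is still readable or still in scope.
Get-QuarantineReport | Format-Table Name, HasClient, LastHeartbeat, Agents -AutoSize
```

The AgentName/AgentTime pair is the check the article's "wait a few days and see" step is really asking for: it shows whether a returned record came from the machine itself or from AD System Discovery, so you know whether to go back to the client or to the OU permissions.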