Computers in a production environment are commonly rebuilt or go offline. This may result in orphaned records in the Forefront Client Security (FCS) database. Client Security TechNet documentation describes steps for permanently removing computers and discovery rules from the database, but these steps cannot be done in bulk for a large number of computers. Removing a large numbers of computers incurs administrative overhead.
The Forefront Client Security Offline Asset Removal Tool utility described and available through this article is designed to automate the bulk remove of computers and discovery rules from the Client Security database.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
There are no prerequisites for installing this hotfix.
You do not have to restart the computer after you apply this hotfix.
To use the hotfix in this package, you do not have to make any changes to the registry.
The English version of this update version has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Client computers go offline for many reasons, including decommission, re-tasking, and re-imaging. After a day, these computers are shown in the "Not Reporting" section of the Client Security console. After 30 days, these computers are removed from the statistics in the Client Security console, but will still be visible in the Connectivity report as well as in the Operations Manager Administrators console.
The Forefront Client Security Offline Asset Removal Tool is a supported command line utility used to remove both MOM computer objects and the discovery rules for those computers. The utility must be run on the FCS Collection server (MOM 2005 Server) because it uses the MOM data access service (DAS) configuration to locate the OnePoint database. It has the following usage:
/RemoveOlderThanDate <date>: parses the date provided and removes all computers with a last contact date prior to that value
/RemoveOlderThanDays <#of days>: removes all computers with a last contact date prior that number of days previous to today
/RemoveOrphanDiscoveryRules [/RunDiscovery]: removes discovery rules without an associated computer object. The RunDiscovery switch is optional, if you would like to initiate computer discovery after removal
/InputFile <filepath>: locates the file passed and uses it for input. The file can be of the format exported from the MOM Admin console or a list of computers on each line
/LogFile <filepath>: full file path where logging information should be stored. If the switch is not present, logging information will be written to the local directory. If the specified file exists it will be appended to, if it does not exist it will be created.
/DoRemove : actually deletes the MOM computers or rules from the database, without this switch the computers to be removed are simply listed
The /DoRemove switch enables a report-only mode so that you can see what the application will delete without it actually doing so. If removal is performed, offline computers removed will continue to appear in historical reporting for the duration of the reporting retention interval.
The /InputFile switch consumes the export from the MOM Administrators console or a file containing computer names on each line, or a computer and then domain name separated by a tab or space.
The /RemoveOlderThanDays switch was designed to be easily used in a scheduled task created by an administrator to regularly remove offline systems. For this reason, most of the output of the utility is written to the output log file and not to the console.
When computers are removed from the FCS database but their associated discovery rules are not, Client Security administrators see the offline computers return with a 'Pending Install' action in the MOM Administrators console. Using the /RemoveOrphanDiscoveryRules deletes the discovery rules associated with these removed computers and eliminates the 'Pending Install' status during the next time computer discovery runs. There is an optional /RunDiscovery switch which is used to trigger computer discovery immediately after these rules are removed, and eliminates the 'Pending Install' status more quickly. The /RemoveOrphanDiscoveryRules switch also operates in a report-only mode unless the /DoRemove switch is also used.
The utility is designed for use with the Microsoft Operations Manager 2005 database used with Forefront Client Security. The utility will not operate when used in an environment without FCS, including an Operations Manager 2005 installation used for computer health monitoring. The utility must be executed as a user who has permission to invoke the MOM DAS libraries, typically a member of the MOM Admins or Administrators group.
Microsoft has the following additional recommendations:
Test the application thoroughly in a non-production environment prior to production use, and use the report-only mode described above where appropriate.
Backup your OnePoint database prior to running the application.
Use extreme caution when using the application with input files and dates which are less than 30 days to ensure that all computers in scope should be deleted.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.