Server & Workload Protection allows you to configure automated removal of offline computers. Offline computers are those with inactive agents or which have not communicated with Server & Workload Protection recently. Server & Workload Protection checks for offline computers every hour. Use the following steps to enable and manage offline computer removal.
Important
Virtual machines added to Server & Workload Protection when connecting a cloud account are automatically removed when you delete them from your cloud environment. For more information about connecting and managing cloud accounts in Trend Vision One, see Cloud Accounts.
Inactive agent cleanup removes a maximum of 1000 offline computers at each hourly check. If there are more than 1000 offline computers, 1000 are removed at each consecutive check until all offline computers are removed.
After enabling inactive agent cleanup, you can also
Note
Inactive agent cleanup does not remove offline computers that have been added by a cloud connector.

Enable inactive agent cleanup

Procedure

  1. Go to the Administration page.
  2. Under System Settings > Agents > Inactive Agent Cleanup, select Delete Agents that have been inactive for.
  3. From the list, select the period that a computer must be inactive before being removed.
  4. Ensure that active offline computers can reconnect to Server & Workload Protection (optional but recommended).
  5. Click Save.

Ensure computers that are offline for extended periods of time remain protected with Server & Workload Protection

If you have offline computers that are active but communicate irregularly with Server & Workload Protection, inactive agent cleanup will remove them if they don't communicate within the period of inactivity you defined. To ensure that these computers reconnect to Server & Workload Protection, we recommend enabling both Agent-Initiated Activation and Reactivate Unknown Agents. To do so, under System Settings > Agents > Agent Initiated Activation, first select Allow Agent-Initiated Activation and then select Reactivate Unknown Agents.
Note
When a removed computer reconnects, it will not have a policy, and will be added as a new computer. Any direct links to the computer will be removed from the Server & Workload Protection event data.
Tip
You can automatically assign a policy to a computer upon agent-initiated activation with an event-based task.

Set an override to prevent specific computers from being removed

You can set an override at the computer or policy level to explicitly prevent computers from being removed by inactive agent cleanup.
To set an override

Procedure

  1. Open the Computer or Policy editor for the computer or policy you want to set an override on.
  2. Go to Settings > General.
  3. Under Inactive Agent Cleanup Override, select Yes.
  4. Click Save.

Check the audit trail for computers removed by an inactive cleanup job

When an inactive agent cleanup job runs, system events will be generated that you can use to track removed computers.
You'll need to check the following system events:

Search system events

To view the system events generated by an inactive agent cleanup job, you need to create a search that filters for them:

Procedure

  1. Go to the Events and Reports page.
  2. In the top-right corner, click the Search field list and select Open Advanced Search.
  3. For the Period, select Custom Range from the list.
  4. For From, enter the date and time just before the inactive agent cleanup job was first run. For To, enter the date and time just after the cleanup job finished.
  5. For the Search, select Event ID and In, and then enter 2953, 251. You can optionally enter 716 and any of the event IDs (130, 790, 350, 250) associated with computer reactivation.

What to do next

This will display all the system events generated by an inactive agent cleanup job. You can sort the events by time, event ID or event name by clicking on the corresponding column. You can then double-click an event to get more information about it, as detailed below.

System event details

2953 - Inactive Agent Cleanup Completed Successfully

This event is generated when the inactive agent cleanup job runs and successfully removes computers. The description for this event will tell you how many computers were removed.
Note
If more than one check is needed to remove all computers, a separate system event will be generated for each check.

251 - Computer Deleted

In addition to the 'Inactive Agent Cleanup Completed Successfully' event, a separate 'Computer Deleted' event is generated for each computer that was removed.

716 - Reactivation Attempted by Unknown Agent

If Reactivate Unknown Agents is enabled, this event is generated when a previously activated computer that was removed attempts to reconnect to Server & Workload Protection. Each reactivated computer will also generate the following system events:
  • 130 - Credentials Generated
  • 790 - Agent-Initiated Activation Requested
  • 350 - Policy Created (if you've enabled an event-based task that assigns a policy)
  • 250 - Computer Created or 252 - Computer Updated
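
The event chain described above can be reconciled offline to find computers that were removed and came back without a policy. The following is an added example, not part of the original documentation or the product: the CSV column names (time, event_id, target) and the sample rows are constructed assumptions, and rows are assumed to be in chronological order with ISO 8601 timestamps.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The columns are assumptions made for this
# example, not the product's actual export schema.
SAMPLE = """time,event_id,target
2024-05-01T02:00:05,2953,
2024-05-01T02:00:05,251,web-01
2024-05-01T02:00:05,251,db-07
2024-05-01T02:00:06,251,build-03
2024-05-03T09:14:10,716,web-01
2024-05-03T09:14:11,130,web-01
2024-05-03T09:14:11,790,web-01
2024-05-03T09:14:12,350,web-01
2024-05-03T09:14:12,250,web-01
2024-05-04T11:30:00,716,db-07
2024-05-04T11:30:01,130,db-07
2024-05-04T11:30:01,790,db-07
2024-05-04T11:30:02,250,db-07
"""

def audit_cleanup(export_text):
    """Classify each deleted computer by what happened after event 251."""
    deleted_at = {}                   # host -> time of latest 251 event
    after_delete = defaultdict(set)   # host -> event IDs seen since then
    for row in csv.DictReader(io.StringIO(export_text)):
        eid, host, ts = int(row["event_id"]), row["target"], row["time"]
        if eid == 251:
            deleted_at[host] = ts
            after_delete[host].clear()  # a new deletion restarts the chain
        elif host in deleted_at and ts >= deleted_at[host]:
            after_delete[host].add(eid)
    report = {"still_removed": [], "reactivated_with_policy": [],
              "reactivated_no_policy": []}
    for host in sorted(deleted_at):
        seen = after_delete[host]
        if 716 not in seen:
            report["still_removed"].append(host)
        elif 350 in seen:             # event-based task assigned a policy
            report["reactivated_with_policy"].append(host)
        else:                         # reconnected as a new computer, no policy
            report["reactivated_no_policy"].append(host)
    return report

if __name__ == "__main__":
    print(audit_cleanup(SAMPLE))
```

Computers listed under reactivated_no_policy are the ones to review first, since a removed computer that reconnects is added as a new computer without a policy.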