Views:
If your Server & Workload Protection deployment has a large number of offline computers not communicating with Server & Workload Protection, first try using a connector (see Add a Microsoft Azure account to Server & Workload Protection, or Add a Google Cloud Platform account). When you use a connector, the complete life cycle of your computers is managed automatically, meaning that computers deleted from your cloud accounts are also automatically removed from Server & Workload Protection. If you can't use a connector in your environment, you can automate the removal of inactive computers using inactive agent cleanup. Inactive agent cleanup will check hourly for computers that have been offline and inactive for a specified period of time (from 2 weeks to 12 months) and remove them.
Note
Note
Inactive agent cleanup will remove a maximum of 1000 offline computers at each hourly check. If there are more offline computers than this, 1000 will be removed at each consecutive check until all of the offline computers have been removed.
After enabling inactive agent cleanup, you can also
Note
Note
Inactive agent cleanup does not remove offline computers that have been added by a cloud connector.

Enable inactive agent cleanup Parent topic

Procedure

  1. Go to the Administration page.
  2. Under System Settings Agents Inactive Agent Cleanup, select Delete Agents that have been inactive for.
  3. From the list, select the period that a computer must be inactive before being removed.
  4. Ensure that active offline computers can reconnect to Server & Workload Protection (optional but recommended).
  5. Click Save.

What to do next

Ensure computers that are offline for extended periods of time remain protected with Server & Workload Protection Parent topic

If you have offline computers that are active but communicate irregularly with Server & Workload Protection, inactive agent cleanup will remove them if they don't communicate within the period of inactivity you defined. To ensure that these computers reconnect to Server & Workload Protection, we recommend enabling both Agent-Initiated Activation and Reactivate unknown Agents. To do so, under System Settings Agents Agent Initiated Activation, first select Allow Agent-Initiated Activation and then select Reactivate Unknown Agents.
Note
Note
When a removed computer reconnects, it will not have a policy, and will be added as a new computer. Any direct links to the computer will be removed from the Server & Workload Protection event data.
Tip
Tip
You can automatically assign a policy assigned to a computer upon agent-initiated activation with an event-based task.

Set an override to prevent specific computers from being removed Parent topic

You can set an override at the computer or policy level to explicitly prevent computers from being removed by inactive agent cleanup.
To set an override

Procedure

  1. Open the Computer or Policy editor for the computer or policy you want to set an override on.
  2. Go to Settings General.
  3. Under Inactive Agent Cleanup Override, select Yes.
  4. Click Save.

What to do next

Check the audit trail for computers removed by an inactive cleanup job Parent topic

When an inactive agent cleanup job runs, system events will be generated that you can use to track removed computers.
You'll need to check the following system events:

Search system events Parent topic

To view the system events generated by an inactive agent cleanup job, you need to create a search that filters for them:

Procedure

  1. Go to the Events and Reports page.
  2. In the top-right corner, click the Search field list and select Open Advanced Search.
    advanced-search-filter=ac646ea4-ecbd-4b9f-8a3c-acbd51da1662.png
  3. For the Period, select Custom Range from the list.
  4. For From, enter the date and time just before the inactive agent cleanup job was first run. For To, enter the date and time just after the cleanup job finished.
  5. For the Search, select Event ID and In, and then enter 2953, 251. You can optionally enter 716 and any of the event IDs (130, 790, 350, 250) associated with computer reactivation.

What to do next

This will display all the system events generated by an inactive agent cleanup job. You can sort the events by time, event ID or event name by clicking on the corresponding column. You can then double-click an event to get more information about it, as detailed below.

System event details Parent topic

2953 - Inactive Agent Cleanup Completed Successfully Parent topic

This event is generated when the inactive agent cleanup job runs and successfully removes computers. The description for this event will tell you how many computers were removed.
Note
Note
If more than one check is needed to remove all computers, a separate system event will be generated for each check.

251 - Computer Deleted Parent topic

In addition to the 'Inactive Agent Cleanup Completed Successfully' event, a separate 'Computer Deleted' event is generated for each computer that was removed.

716 - Reactivation Attempted by Unknown Agent Parent topic

If Reactivate Unknown Agents is enabled, this event will be generated for an activated computer that was removed when it attempts to reconnect to Server & Workload Protection. Each reactivated computer will also generate the following system events:
  • 130 - Credentials Generated
  • 790 - Agent-Initiated Activation Requested
  • 350 - Policy Created (if you've enabled an event-based task that assigns a policy)
  • 250 - Computer Created or 252 - Computer Updated