I’ve noticed that many assets in our environment that have been decommissioned are showing compliance numbers as if they reported to SCA during the import. Some of the assets have a “Last Seen” value of 3 months. One asset even have “2 years” since it was last seen.
What is the best course in cleaning this up? While it may not be a big change in compliance percentages given the size of our environment, I don’t want to try to put in a fix for machines that just don’t exist.
After doing some digging around, it looks like the “deleted” flag in the database is not being applied properly. Here’s my theory:
Since we use the BESComputerRemoval tool to remove duplicates and computers from the console AND the database that haven’t reported in 30 days, I can only assume that after the tool runs, SCA cannot pull the deleted flag from the database to successfully remove it from SCA database because the entry no longer exists including the deleted flag. Hence we get computers that appear to be updating that don’t exist.
Is BESComputerRemoval the hard deletion tool?
In general, hard deletion of data from IEM doesn’t play nice with SCA (because from SCA’s perspective it just looks like reports stopped coming in, it is not aware of any deletions). Your assumption is more or less correct. I recommend staying away from hard deleting data in the future.
I am currently in this situation of orphaned records in SCA due to hard deletion of records in BigFix. Is there a way to set the ‘deleted’ flag manually? SQL Query???
The latest version (1.7.38) added a Remediation Import function that attempts to do some cleanup, it’s located on the Server Settings page. If you’re on that version you can see if it helps.
Alternatively, you might be able to correct it by dropping the raw tables and resetting the datasource sequences, but it really depends on what thing exactly is orphaned.
Either way, perform a DB backup prior to attempting anything, since it would be a large/destructive operation.