Video Screencast Help

Client Reporting Issue in SEP V12.1

Created: 01 Dec 2011 • Updated: 05 Dec 2011 | 6 comments
This issue has been solved. See solution.

Good Afternoon,

I am having a major dilema with SEP V12.1 clients properly reporting to the SEPM V12.1 server after they are upgraded to Windows 7, 64-Bit OS.  Our organization upgrades client PCs with pre-configured disk images.  I had a problem similar to this when we deployed the disk image for Vista with SEP 11x in that all of the deployed image had the same SEPHWID.  Several wonderful people who review and read this forum provided me with a solution on how to remove the SEPHWID from the image before it is deployed so that when it is deployed it will check in and get a unique HWID from SEPM.  This worked great and I thank you.

Well now we are deploying Windows 7, 64-Bit OS on a pre-configured disk image.  Similar issues were occurring, in that the clients all had the same HWID.  I thought that I could just followed the steps that I received for fixing the SEP V11 clients, however the SEPHWID.xml file is not stored in the same location that it was stored in under Vista 32-Bit OS.  With SEP V11 on Vista/32, SEPHWID.xml was stored under C:\Program Files\Common Files\Symantec Shared\HWID, but when I looked at this location on Windows 7/64 (actually it is in Program Files (x86), that folder was empty.  After much searching, I found the location of the sephwid.xml under C:\ProgramData\Symantec\Symantec Endpoint Protection\PersistedData.  So on my pre-configured image, I removed the sephwid.xml file and removed the Hardware ID data value from the Hardware ID data item in the registry located at  HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\Sylink.  Then I syspreped my image for deployment.  When the image is deployed, I did check a few of the clients and they all had different HWID's, but on some I had to remove the file and the value from the registry and then stop and restart the SMC service to fix it.  But this doesn't always work either.

Well I thought that everything was working and for many of the deployed clients it is working OK.  But I have approximately 22 recently deployed clients that initially report to the server and show the small computer icon with the green dot meaning that it is actively reporting and up to date, then a few minutes later it will how as offline and the Antvirus Status disabled.  I checked each one of these clients and they all have different HWID's.  So I contact the client to let me log onto their machine so I can check the configuration and when I log on with my Admin account, the status of the client goes back to being online and active and everything looks OK.  Then sometimes another strange thing is occurring in that the name of the logged on user is not the correct user for that specific machine.  For example, machine Sue_PC is assigned to user Sue Jones, but the client list show that George Smith is the logged on user but George Smith's machine is George_PC.

At this time the ONLY way I know to how to fix this is to log onto the client machine and go into Programs/Features and uninstall the SEP client.  However when I do this, halfway through the uninstall it pops up a box stating that it can't find the Sep64.msi.  When this appears I browse to my network drive to the location where I initially downloaded the program to do the initial deployment.  Then the uninstall continues and I restart the PC.  Once the PC is restarted, I go into SEPM Home and choose the option to Install protection client to computers.  I say I want to do a New Package Deployment, set my install features, select Remote Push, map to the machine and push the package to the client.  Once it installs, the client then reports to the SEPM correctly and doesn't loose its settings.

Sorry for the long explanation, but I wanted to outline what was happeing and what I have tried to resolve this issue.  Having said all of that, is there something I am doing wrong to remove the IDs on the pre-configured image so that the client reports properly when the image is deployed?  And when the client does not report properly, is there quicker way to fix the problem without having to remove and reinstall the client?

Thanks you very much in advance for any help anyone can provide.

Lawrin Walker

Comments 6 CommentsJump to latest comment

pete_4u2002's picture

you should be checking this article for imaged SEP client with SEP 12.1

How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1 clients

lwalker1958's picture

Thanks you very much for the post.  I will check it out and post back the results!

lwalker1958's picture

I just wanted to thank you so so much for the link to his article.  This was a tremendous help and now I have all of my clients reporting correctly

Chetan Savade's picture


SEP 12.1 makes life easy, you have tool to remove duplicate hardward id's

How to prepare a Symantec Endpoint Protection 12.1 client for cloning

How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1 clients

I hope it will help you !!!

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

lwalker1958's picture

Thank you so much for the links.  I will check them out, try the solutions and report back the results.

lwalker1958's picture

It certainly does.  Thank you so so much for the link to these articles.  This was a tremendous help and now I have all of my clients reporting correctly and I have fixed my image so hopefully any new clients that are deployed will report correctly.