Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Duplicate serial numbers reports? SEPM 11.0.6

Created: 11 Feb 2014 • Updated: 12 Feb 2014 | 35 comments
This issue has been solved. See solution.

Is there a report that I can run to find machines that have duplicate serial numbers?

The guys that do our computer images, have re-imaged machines and sent them out to the field without removing the old ones from SEPM. So, I have let's say 4 machines named MJMJM50 and it's created 4 unique SEPM ID's in the console.

I'd like to remove all the duplicates and just leave the ones that are currently checking in, in the console.

Thanks

Operating Systems:

Comments 35 CommentsJump to latest comment

.Brian's picture

Best report you can run is the Computer Status report, export it, drop into Excel and filter based on what you need.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Rafeeq's picture

Clients that do not connect to the SEPM will be removed (purged) from the database according to the settings configured in database properties.

Admin => Servers => Localhost => Edit Database Properties => General
Delete clients that have not connected for XX days.
set this value to 1 day, it would delete all the clients which are not connected to SEPM.
Only the valid machines which are connecting with SEPM will be displayed. 
James007's picture

See Ian_C. Comments

This query will find entries in the database that have duplicate computer names (based on finding duplicate HW IDs from above.)

DECLARE @TimeZoneDiff int   
SELECT @TimeZoneDiff = datediff(minute, getutcdate(), getdate())

SELECT UPPER([COMPUTER_NAME])
   , [COMPUTER_ID]
   , [HARDWARE_KEY]
   ,[CURRENT_LOGIN_USER]
   , dateadd(minute, @TimeZoneDiff, dateadd(second, [TIME_STAMP]/1000, '01/01/1970')) as [Time Stamp]
   ,[IP_ADDR1_TEXT]
FROM [V_SEM_COMPUTER]
WHERE [COMPUTER_NAME] in
   (
      SELECT [COMPUTER_NAME]
      FROM [V_SEM_COMPUTER]
      WHERE [DELETED] = 0
      GROUP BY [COMPUTER_NAME]
      HAVING COUNT([COMPUTER_NAME]) >1
   )
ORDER BY [COMPUTER_NAME]
   , [Time Stamp] DESC

This will list the machine with the most recent contact at the top.

https://www-secure.symantec.com/connect/forums/sql-querys-database#comment-6757241

BJHughey's picture

james007,

Thank you for the query. I cannot get that to execute properly though. Is there a parameter I need to change in order to make that resolve?

James007's picture

Does you have received any error ?What database are you using ?

If you are using Embedded database please find below query

http://www.symantec.com/connect/articles/how-find-duplicated-hardware-ids-database

SMLatCST's picture

Sooo, if I understand correctly.  Your machine serial numbers are used as their computer names, and when these imaged machines checked into the SEPM they each created a new record in your SEP Console, is this correct?

If that is the case, then do all these records show as online as well?  Because, if they are all showing as online, then deleting them from the SEP Console wont really help, as the next time they check in, they'll just reappear again.

Again, assuming the above scenario is accurate, you should be able to just rename each of the machines (locally in Windows) so that their names accurately reflect their serial numbers, and the client records within SEP will automatically update to match the change (after the next heartbeat).

Rafeeq's picture

Tried this query 

https://www-secure.symantec.com/connect/articles/how-find-duplicated-hardware-ids-database

P.S:If you want to check your database agains duplicated hwids, connect to your Sybase DB by running %ProgramFiles%\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbisqlc.exe and login to the database (you can use your existing ODBC settings). The logins will be: dba. Use your password you created during the installation of Symantec Endpoint Protection Manager.

BJHughey's picture

Let me know if I'm doing this wrong, or in the wrong place.

In the Altiris console, I create a new SQL report. I input your query into the parameterised query portion, and then I check to make sure the query resolves. It's typically how I create most of my one off reports.

When I click on "Resolved Query" I get the following error:

"Raw Sql Query cannot be resolved:

The ReawSqwlDatasource ran but one or more Database objects were not present."

By what database am I using....are you asking what version of SQL server we're running? SQL Server 2008

James007's picture

This SQL query related For SEPM database not Altiris SQL server.

That information you can't find for Altiris

BJHughey's picture

James,

How can I run a SQL reports within SEPM? I've never done this before. I appreciate your response, and help.

James007's picture

What Database are you using in SEPM server ?

If you are using Embedded database please find below query and SQL query i have already provided in my first comment.

http://www.symantec.com/connect/articles/how-find-duplicated-hardware-ids-database

Rafeeq's picture

This query is to query SEPM DB to get specific info

There are some predefined reports in SEPM, Login to symantec endpoint manager console

click on monitors - logs  to get reports, here are the list of reports available

http://www.symantec.com/business/support/index?page=content&id=TECH95538

However no report to find duplicate hardware ID, instead of querying for systems which have duplicate ID< you can configure SEPM to delete clients which are not connect to SEPM for specific day.

Make it 1 day, give it 24 hrs it would purge all the machines which are not connected. You will have only those which are checking with SEPM, same what I have posted in my first link.

BJHughey's picture

You all are truly a wealth of information.

I'm wary of deleting machines that aren't checked in after one day....how will I know what machines are checking in or not after that? I have the potential to delete machines that are on the network...but not connecting properly, correct?

Background:

I'm new to the entire Altiris/Symantec suite so, I"m learning here as I go. I get a report weekly of "Machines not checking in" and my original query was to remove all the machines that are duplicates so then I have a base of machines that may legitimately have an issue not checking in.

Again, my fear is that if I have them delete in 1 day...I'll have no way of knowing whats out there if they don't check in!

Our enviroment is 3500~ machines with 500~ of those being laptops.

James007's picture

You can find those duplicate machine and repair otherwise again sep client connected next heartbeat setting

https://www-secure.symantec.com/connect/forums/script-reset-hardwareid

Configuring Symantec Endpoint Protection 11.x client for deployment as part of a drive image

Article:TECH102815 | Created: 2007-01-05 | Updated: 2012-06-08 | Article URL http://www.symantec.com/docs/TECH96808
SMLatCST's picture

It's probaly worth noting then, that the SEPM will (by deafult) automatically delete clients that don't check in for over 30 days anyway.  If you're willing to wait that long, you'll eventually see a more accurate view.

Plus, Altiris has an optional plug-in called the SEP integration Component, which contains inbuilt tasks for inventorying AV.  Perhaps this would be of use to you if you wanted to keep an eye on which machines have what installed.

BJHughey's picture

My manager turned off the deletion portion of SEPM. The thought being...why aren't these machines checking in. It's not enough to just delete them from the system...if they're on our network, we need to know why they're not checking in properly.

I worked with support and they gave me the SYLINK replacer tool, and that was almost worthless. It may have fixed 20 machines out of the 200 I ran the replacer on.

We're looking to upgrade to 7.5 in the next couple months which is why I'm on this big push. I need all our machines checking in properly prior to upgrade so that our enviroment isn't starting off on the wrong foot.

James007's picture

In Image system you need to manually goes that particular system and delete Hardware ID of sep client.

How to fix RU5 (and later) clients that have been misconfigured and already rolled out to production:

The following steps must be performed on each client which has a duplicate hardware ID.

  1. Stop the Symantec Management Client (SMC) service. This can by accomplished by clicking Start > Run and entering the command: smc -stop
  2. Delete %ProgramFiles%\Common Files\Symantec Shared\HWID\sephwid.xml
  3. Open the registry and navigate to HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylink
  4. Edit the HardwareID value data to be blank
  5. Start the Symantec Management Client (SMC).  This can by accomplished by clicking Start > Run and entering the command: smc -start

 When the client next communicates with the SEPM, it will generate unique HardwareID's and sephwid.xml's

SMLatCST's picture

In that case I reckon it'd be of benefit to clarify what needs working on.  As it stands, the latest version of SEP is v12.1RU4 (aka 12.1.4013.4013), whereas teh version number you've provided is the latest for Altiris.

It's possible to ensure full coverage of all endpoints by using Altiris to make sure SEP is installed to all managed machines.

It sounds to me like you might wanna contact Symantec for some training, or get some professional services in (from a partner such as ourselves) to help you co-ordinate the two products so that you get maximum benefit from having both present.  Like I say, there're intergration options between them, so I reckon its worth looking at.

Rafeeq's picture

from sepm ,monitors - logs - computer status, click on advanced ( blue link at the bottom) select the Online Status to Offline.

Export the log, save it as .xls, sort it,

Now you have all the duplicate machines.

Click on clients tab, Search computer

Computer name - Like - Duplicatename.

Do a search and delete from here.

For the rest run the sylink replacer, for a better results run with Domain admin account.

BJHughey's picture

OK.

I can script that to run on those machines, once I find out which ones are duplicates.

I followed the path:

P.S:If you want to check your database agains duplicated hwids, connect to your Sybase DB by running %ProgramFiles%\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbisqlc.exe and login to the database (you can use your existing ODBC settings). The logins will be: dba. Use your password you created during the installation of Symantec Endpoint Protection Manager.

I cannot launch the dbisql.exe - the credentials are invalid is what I'm getting. My manager seems to believe there is another issue at play. Frustrating morning my friends!

Rafeeq's picture

That would work if you have Embedded DB , On SEPM server, open services.msc, Do you see Symantec embedded database service? 

Wanted to ask , Have you integrated active directory inside SEPM?

SMLatCST's picture

To be honest, if these machines are creating new client records in the SEPM each time, then it doesn't sound like the same HWID exists on them all.

If it was an issue with the same HWID existing on several machines, then what you'd see is a single client record in the SEPM that is constantly chanigng its reported computername as each client checks in and updates the record.

The fact that you gave an example saying you have several client records in the SEPM all with the computername "MJMJM50" suggests to me that it's not a duplicate HWID issue.

BJHughey's picture

@SMLatCST

The issue is that the reimaged machines are getting a UNIQUE ID when they're reimaged but it's creating a duplicate COMPUTER NAME.

Those caps are not intensified chatter but, to clarify! :)

So, MJMJM50 shows in SEPM 2 times because it has 2 UNIQUE ID's

Here's a screen shot, this should help everyone....

This machine was created and put into the field. It came back for one reason or another and was reimaged. Thus, the same computer name but two UNIQUE ID's.

SEPM_Duplicate.JPG

SMLatCST's picture

Woohoo!  That's what I surmised and what I asked you to confirm in my first post wink

Because the machines are checking in with a unique HWID in SEP, all you need to do is rename the computername of the machines in Windows, and they'll report the change to SEP when they next check in.

Obviously if they're already out in the field (I interpret this as out of your reach), then you'll need to wait for these to come back in to the office to do the remediation work (which, once again, the SEP Client should automatically detect and ping up to the SEPM).

BJHughey's picture

@SMLatCST

I do appreciate your patience with me. I didn't see your first post, I am on a bit of information overload at this point.

The machines aren't checking in under the old ID. I'll have one green dot for the new machine and three plain jane computer symbols. If I remove them and leave the current one, will they continue to show up?

Correct, these machines are already deployed. We have a 5 year roll-out process. So, if there are a 1000 machines that work perfectly and never come in (HA!) until their refresh date, that would take forever to clean up SEPM. I hope that makes sense*

BJHughey's picture

It's embedded. We don't have a separate SQL database connected to SEPM.

Rafeeq's picture

Good, we can definetly run that script to find the machines which have duplicate hardware ID, 

user name would be dba, password will be the password you used during the SEPM install. ( if you remember ) 

Or else

use this technique to find the dba password

https://www-secure.symantec.com/connect/articles/how-find-database-password-embedded-database

on 64 bit machine odbc will be here

C:\Windows\SysWOW64\odbcad32.exe

SOLUTION
BJHughey's picture

Rafeeq,

I followed those instructions to the letter, and there is nothing that shows the password.

I checked the temp logs as well, and I didn't see anything in there.

The reporting tool comes up but the error is about setting the time zone? I can screen capture if you'd like.

Rafeeq's picture

Please share the screen shot and also the home page after setting the php error to on

Rafeeq's picture

In the odbc  make the login type as  " Integrated", 

Login to SEPM,

Click on the home tab in SEPM, do you see the same error message?

================

BJHughey's picture

I receive the same message as screen capture 2. The console screen shot.

Rafeeq's picture

dont know what we are missing here, 

You can go to odbc and put the user name as dba , password first time sepm password supplied during the install. check the connection , if its success then the id and pass is correct, we can concentrate on the query part from dbsql.exe

==============

BJHughey's picture

My issue was multi-layered.

With Rafeeq's help, I was able to find the password, and finally get logged in.

Please note* That under the link to find that password...there are THREE options you have to turn on

     display_errors =

     display_startup_errors =

     track_errors =

And when you log into the console, you may have to hit refresh multiple times before the error finally shows.

Now that I have what I need, I can continue my quest to clean up my system.

Thank all of you for your help!