I have a small collection of machines that show they are connected to our management server in the client. In fact the group name changes when I change the name of the group in the console. However every method I haev tried to locate the client in the console, I get no results. I have tried Computer_name, last IP address, & logged on user. 

I have direct access to the DB for Symantec, and even looking for hosts "where deleted = '1'" does not work for me. 

Anyone got any ideas?

This is only a small group of users, and they are all reporting into the same group according to the client.

But they do show up correctly in the SEPM? green dot showing in SEPM and on client?

What version of SEP/SEPM is this happening on?

they are not showing up at all in the console.

SEPM 12.1.2

shows green dot on the shield on the client.

Are these machine Cloned? try these steps and please update us with the results

1. Delete %programfiles%\Common Files\Symantec Shared\HWID\sephwid.xml
2. Open the registry and navigate to HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylnk
3. Edit the "HardwareID" value data to be blank
4. Restart the Symantec Management Client (SMC) service in the services snap-in.

How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1 clients

http://www.symantec.com/business/support/index?page=content&id=TECH163349

I have seen this with SEP 11 in the case of a client installed to an unsupported OS, eg pre-RU5 on Windows 7. The client is effectively invisible in the console Clients view, but may be located under Monitors, Logs, Computer Status, Advanced Settings, Operating System Non-Windows.

@dgh -- Hadn't thought of trying to look there. Unfortunately they do not show up there either. All of these are windows 7 machines.

@RafeeqI will have to check with the local techs. I will try your steps and post the results back to the thread.

"Thumbs Up" to Rafeeq.

This is usually down to all those client machines being created from the same image that did not have the SEP HWID removed before the image was taken.  This results in the cloned machines sharing the same ID and linking to the same client record on the SEPM.

hmm. I have been assured by the local techs that they are not from a cloned image. THey are froma standard image that is deployed through our organization. I am only seeing this in a couple of locations, and not globally.

The best way to verify if these machines are sharing the same ID, is to follow the steps in Rafeeq's linked article on one problem machine.

Is this something you can test?  If it works, you should see a new client record pop up in the SEPM console for this machine.

I am waiting to hear from the local techs. They are in another part of the globe so as soon as I have a follow up, I will post to the thread.

What if the Tamper Protection has been enabled? Is there a way to edit these registry entires with that enabled? I am afraid they might not be able to adjust the registry entries with that enabled.

Also, would this still be an issue if the AV suite was uninstalled and reinstalled? WE haev tried that on a few hosts, and we are getting the same results still.

As I understand it, the repairclonetool is a symantec signed and trusted process that is allowed to run by tamper protection, so you shouldn't need to disable it.  You just need to ensure a password isn't required to stop the client service.

Generally speaking, the HWID doesn't change on the endpoint with an uninstall/reinstall as they can be left over in the files/registry.

The actual files and registry keys involved can be found in the below article:

http://www.symantec.com/docs/HOWTO54706

Try deleting those keys on any one host. We can then narrow down the issue.

WE have tried removing the registry keys on a few machines in one location with no success. I was going to have the techs try the "RepairClonedImage" tool next to see if that resolves the issue.

Hi

Whether they are imaged systems.

Regards

they are imaged systems.

I haev tried the "repairclonedImage" executable and the machiens are still not reproting into Symantec. We have tried the registry tweek, and the repair app and no luck with them. 

The weird thing, is one machine was reimaged and it is not reporting in, so It has to be something in the imaging process, but it is not affecting all of the machines in our company. It only seems to affect 10 to 20% of them.

So these are imaged machines ... :) 

1. Stop SMC on both of the affected client computers by clicking Start > Run, type smc -stop then click OK.

1. On each of the affected computers, go to registry location: 
   • HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylink
2. Clear the value for "Hardware ID." (make it blank)
3. Disable Tamper Protection if you are unable to edit the value.
4. On each of the affected computers, navigate to the following directory location:
   • SEP 11 Location:  
     • C:\Program Files\Common Files\Symantec Shared\HWID
   • SEP 12.1 Location: 
     • Windows XP/2003: C:\Documents and Settings\All Users\Application Data\Symantec\Persisted Data
     • Windows Vista/7/2008: C:\Program Data\Symantec\Symantec Endpoint Protection\Persisted Data
5. Find file "sephwid.xml". Rename it to "sephwid.xml.bak".
6. Start SMC on each computer by clicking Start > Run, type smc -start then click OK.
7. Check the SEPM console for the new SEP client 
   • When the clients check in they should have unique hardware IDs.

8. check these and let me know please.

We are using tamper protection. I have a "needs repair" group where it is disabled, but if the client is not reporting into the SEP console how can I disable Tamper Prrotection? Is t here a way to do that on the client?
 

you wrote earlier " . In fact the group name changes when I change the name of the group in the console"  try it on that particular group. I'm aftraid on the client side it will be grayed out and you wont be able to change it

Any domains you have created in SEPM?

click on admin-domains. How many domains do you see?

only one domain, we haev not added any.

yes, all of the machines are reproting into 1 geo locatino group that we have. I renamed that group,a dn the clients are changing their group names, so my assumption is that they are reporting in. THey are just not showing up in the console.

I haev tried to deploy an install package to the machines in questions form the console. From what I can tell the installation goes well, but after the clients reboot they still do not show up.

Sure you can do that from client settings? But either way if the client is reporting in its gui connection to the group it will download as well the policy from SEPM - even if in the SEPM it is not visible.

Did you try the suggestiongs of Rafeeq above about resetting the hardware IDs on the clients? - duplicate entries are probably the cause of the issue here.

Hi

Please follow the steps suggested by Rafeeq

Regards

we have tried Rafeeq's steps and the hosts are still not reporting in.

Any other suggestions? This is being noticed on more and more hosts.

What kind of endpoints are these?

It almost sounds as if the machines are restoring the HWID, or reimaging themselves on reboot (VDI perhaps?).  Are you able to compare a copy of the HWID from both before and after you run the repairclonetool to verify if this is changing?  You can also check the client numbers for the group to see if this rises after the tool is run.

On an entirely different path of investigation, have you tried using the search function under the CLIENTS view?  I just want to confirm the client records aren't getting hidden away on another page somewhere...

These are all Windows 7 machines.

I was not able to compare the HARdwareID before/after. (I do not have access to the machines, and have to rely on local tech support to actually be in front of the machines.)

Yes, I have tried the serarch. I am starting at the top of my tree hierarchy, adn making sure to select search subgroups, before looking for the machine. Generally I do the "like" operator when searching. I have tried uppoer and lowercase searches, as I am not sur if that matters.

I went ahead and opened a support case with Symantec and they have asked us to put the client into debug mode and then run the SymHelp.exe tool to analyze the machine. 

Sometimes the clients will end up in user mode as well.

Export a computer status report of your entire group. search for the client.

I'm eager to know the resolution for this issue.