Video Screencast Help

Managed workstation has several objects in SEPM

Created: 06 Feb 2013 | 5 comments

Hello,

My company is using SEP 12.1.  I noticed that a specific host exists 6 times under "Clients".  Why would a host appear multiple names under Clients?  Could it be the result of uninstalling and reinstalling the client?  Will the out of date objects eventually disappear?  I noticed the multiple instances of the same host when I was looking at the Virus Definition Distribution section of the SEP Daily Status Report.  I was surprised because some of the instances say the host has a definition from August, because our policy is to remove objects that don't check in after 30 days.

 

Bob 

Comments 5 CommentsJump to latest comment

Ashish-Sharma's picture

HI,

Check this artical

Duplicate Hardware IDs result in only one client showing up in the Symantec Endpoint Protection Manager for multiple systems

 

Article:TECH97626 | Created: 2009-01-20 | Updated: 2012-09-03 | Article URL http://www.symantec.com/docs/TECH97626

 In version 12.1 of the SEPM, the location for adjusting the setting to delete clients which have not connected for X number of days has moved:

  1. In the SEPM, go to the Admin page.
  2. Select Domains.
  3. Under Tasks, select Edit Domain Properties.
  4. In the Edit Domain Properties window, on the default General tab, note the option to "Delete clients that have not connected for specified time."

https://www-secure.symantec.com/connect/articles/duplicate-sep-clients-appear-symantec-endpoint-protection-manager-console

Thanks In Advance

Ashish Sharma

 

 

.Brian's picture

Were you using an image?

Try this

  1. Stop SMC on both of the affected client computers by clicking Start Run, type smc -stop then click OK.
  2. On the SEPM console, delete the client entry that the two computers have been sharing. This will prevent the client duplication that would otherwise occur due to the following steps.
  3. On each of the affected computers, go to registry location: 
    • HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylink
  4. Clear the value for "Hardware ID." (make it blank)
  5. Disable Tamper Protection if you are unable to edit the value.
  6. On each of the affected computers, navigate to the following directory location:
    • SEP 11 Location:  
      • C:\Program Files\Common Files\Symantec Shared\HWID
    • SEP 12.1 Location: 
      • Windows XP/2003: C:\Documents and Settings\All Users\Application Data\Symantec\Persisted Data
      • Windows Vista/7/2008: C:\Program Data\Symantec\Symantec Endpoint Protection\Persisted Data
  7. Find file "sephwid.xml". Rename it to "sephwid.xml.bak".
  8. Start SMC on each computer by clicking Start Run, type smc -start then click OK.
  9. Check the SEPM console for the new SEP client 
    • When the clients check in they should have unique hardware IDs.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SMLatCST's picture

Yeah, this can happen due to removing/reinstalling SEP sometimes.

SEP Clients identify themselves to the SEPM using what's called a Hardware ID, which is a SEP Specific ID code.  If the reinstall results in a new Hardware ID being generated, then a new client record will be created in the SEPM.

The redundant entries in the SEPM's records will eventually drop off after 30 days by default.

 

#EDIT#

Regarding the results of your report.  Is it possible that the client was reinstalled mulitple times within the last 30days in quick succession?

Typically, SEP install packages contain a set of defs.  It sounds to me like SEP was installed (with August defs), it reported in and created a record on the SEPM, and something caused a change in the Hardware ID (reinstalled perhaps?) generating yet another client record, but leaving the old record with a recent check-in time (but old defs).

SebastianZ's picture

Some recommendations for imaging with SEP installed:

Configuring Symantec Endpoint Protection 11.x client for deployment as part of a drive image

http://www.symantec.com/docs/TECH102815

 

How to prepare a Symantec Endpoint Protection 12.1 client for cloning

http://www.symantec.com/docs/HOWTO54706

Mithun Sanghavi's picture

Hello,

What version of SEP 12.1 are you running?

Is the SEP client installed in "User Mode"?

Check these Articles:

Upgrading a Symantec Endpoint Protection 11 client to 12.1 or repairing a SEP 12.1 client may result in duplicate client entries in the SEPM console

http://www.symantec.com/docs/TECH165111

Duplicate SEP clients appear in the Symantec Endpoint Protection Manager console

https://www-secure.symantec.com/connect/articles/duplicate-sep-clients-appear-symantec-endpoint-protection-manager-console

OR

Are these cloned / imaged clients machines?

Check this Articles:

How to prepare a Symantec Endpoint Protection 12.1 client for cloning

http://www.symantec.com/docs/HOWTO54706

How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1 clients

http://www.symantec.com/docs/TECH163349

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.