Endpoint Protection

We regularly need to clone several identical stations starting from an image of reference.
This image of reference contains client SEP.
The image of reference was prepared with these parameters :
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/d84071c5137d6d318825738a00663b8d?OpenDocument
We use Ghost in multicast.
From the upgrade of our server in RU5, each time, the stations concerned are duplicated in console SEPM.
How to specify to the server that the duplicated stations in console are the same station?

Thanx for your help...

delete those keys then take image, then deploy.

or delete the duplicate in the console.

For MU5 you need to follow this document

Preparing a Symantec Endpoint Protection Release Update 5 Client for Image redistribution

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/7c87b2b11e0d18c48025765000518741?OpenDocument

to remove the duplicate entries in the SEPM database:
http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=CleanClients


ref:https://www-secure.symantec.com/connect/forums/sep-and-ad#comment-2965551

Hi,

thanx for your response.

I ran these insctructions, but duplicated clients in console are still there.

Hi,

thanx for your response.

I ran these instructions, but duplicated clients in console are still there.

I ran the command below in the browser on the SEPM server :

http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=CleanClients

It displayed the following, but duplicates are still there.  I'm running V.11.0.5002.333 (French version)

<?xml version="1.0" encoding="UTF-8" ?>
<Response ResponseCode="0" />

the command is to get out duplicate clients if you have AD integrated, how many duplicate clients you have?
delete them manually if they are small in number.
click on clients tab
select display filter
select offline clients
your duplicate clients will be offline so delete it here 
for future deployments with MU5 use the above document.

We have about 250 stations.

Each time we clone x stations, x duplicated appear.

Whether you are created your master image is as per the guidelines which is present in the above doc suggested by refeeq?

the deployment in MU5 is different please check the deployment document what is pasted on first discussion are you following that doc?

We delete :
- the Registry Key HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID
- the file C:\Program Files\Fichiers Communs\Symantec Shared\HWID\sephwid.xml

And we create our master image.

When we deploy this image on our clients (who have already SEP installed, and thus a hardwareid), those are again added in the SEPM console.

All stations concerned are the same hardware model, just their name are differents (and some hardware like mac adress !)

By the time of re imaging any possibility of contacting the SEPM and master image?
Because there will be recreated at the moment when it is getting connected with SEPM..

It seems that only the hardwareid parameter is checked.

Same mac adress, ip, name are ignored.

After 3 different clones of the station "ema99" :

Do you Checked this possibility?

admin
servers
local site
in the logs, you have option delete clients which are offline for x number of days, make it to lower value
the offline clients should get deleted in next db sweep

Hum...Some stations can be offline without being a duplicated one...

Do you checked the possibility which  i told earlier?(https://www-secure.symantec.com/connect/forums/regular-clone-identical-stations#comment-3747381)

in that case they wil always come online during the next heartbeat 
only the deadones wont respond

We ghost in multicast and deploy the image at the same time on x stations...

I think you can do this activity on another network which thy cannot contact SEPm and after the process you can move to the original network..
Or

Create a script for deleting the reg key and file and for restarting smc service.Run it immediately after the imaging ....

Priyer to RU5 the uniqe identification ID was getting created on based on MAC address.In RU5 they chaged the design.So I think this is only the workaround now or you are not required any new feature of RU5 roll back to MR4MP2 ,it will be very difficult task..

So.. bad news for us...

Hi,
Looking at the picture above, I think there is a little confusion.
You are saying you have 'duplicates' because there are multiple machines with the same host name listed in the Symantec Console. Although this is, of course, a 'duplicate', normally what I think when someone says duplicates is they have two different computers that look the same.

In your case, you have a single computer that has been reimaged and it now has a 'duplicate', as in two or more entries in the console.
Is this correct?

In MR4 and earlier Hardware ID was based on the MAC address so this wouldn't happen. RU5 changed the process, but it still has a solution.
If you want the re-imaged computer to show up as the same entry (as in, the existing entry, without creating a  new 'duplicate entry), do the following.

1. If this is an MR4 or earlier client
2. Copy out the hardware ID registry key before you image the client (You can also get the HW ID out of the SEPM console if you've already wiped the drive).
3. Reimage the system, but don't let it connect to SEPM.
4. Install the RU5 (or later) SEP client if it has not been installed already. (i.e. it was not part of the ghost image)
5. Stop the SEP client ( Run: smc -stop )
   Delete the hardware ID registry key and the sephwid.xml file if they exists.
6. Restore the old registry key that you copied out in step 1.
7. Start the client.

The client should now use the old HW ID key as it's HW ID. This allows the client to connect to the same entry in the SEPM console. Thus, no duplicates.

An alternate to the above is, if the sephwid.xml file has been created, just delete the registry hardware ID key and then replace the HWID value found in the sephwid.xml with the old HWID value.

If you are reimaging clients that already have RU5 or later installed, you can use the same steps, but these may be a little simpler:
 

1. Copy the sephwid.xml file off the client before you wipe the drive.
2. Image the drive. Do not let the client connect to SEPM.
3. Install SEP RU5 or later if it is not already installed or part of the image.
4. Stop the SEP client.
5. Place the sephwid.xml file from step 1 back onto the client (overwrite the current sephwid.xml if one exists)
6. Start the client.

Note, when I say, "Do not let the client connect to SEPM", if you prevent the client from starting, this would fulfill the same purpose.

I hope that helps!

-Jesse