SEP Doesn't use the Windows SID, but its own proprietry hardware ID for client management. I'd suggest at least walking through my linked article on a test client to see if this is your issue.
This resolves the issues on machines that were built from an image that had SEP included in it, and is not related to duplicate client records.
Duplicates is what happens if SEP clients fail to remember their hardware ID and generate a new one regularly. So it's similar in that it is hardware ID related, but rather the opposute effect and cause of what you seem to be experiencing.
Like I say, test out the article I linked and see how you go.