Endpoint Protection


Modifying Sylink before installation

Ambesh Sharma

Mar 20, 2013 12:01 AM

  • 1.  Modifying Sylink before installation

    Posted Mar 19, 2013 03:05 AM

    I have written a tool to modify the domainID and preferredGroup in the Sylink file before running the msi file. Sylink is changed, and the SEP client is installed in the correct domainID, but the group always stays in the default group. I can't find why this is happening. Checking the registry keys for Sylink, the current group is the default group and the preferred group is the group I configured.

    Any idea how to get around this?!



  • 2.  RE: Modifying Sylink before installation

    Posted Mar 19, 2013 03:49 AM

    Hi,

    Which version of SEP are you using?

    Is any directory integrated with SEPM?

    On how many clients are you facing the same issue?

    Regards

    Ajin



  • 3.  RE: Modifying Sylink before installation

    Posted Mar 19, 2013 03:58 AM

    SEP12.1 RU2, no OU integrated. And it occurs on all installations.



  • 4.  RE: Modifying Sylink before installation

    Posted Mar 19, 2013 04:54 AM

    Have you tried exporting the Sylink file from the domain and group you want the client to drop into and comparing the differences between this and the one resulting from your modification tool?

    It just sounds to me like a typo in your tool or a missed field somewhere, or perhaps you forgot to set PreferredMode="1" in your changes...



  • 5.  RE: Modifying Sylink before installation

    Posted Mar 19, 2013 05:06 AM

    Hi,

    Export a new communication setting for where you need it to be reported, and replace the sylink on the clients.

    Or you can compare the two sylink files to get the RCA.

    Regards

    Ajin



  • 6.  RE: Modifying Sylink before installation

    Posted Mar 19, 2013 03:26 PM

    The two sylinks match each other. But still, the preferred group won't be the current group.



  • 7.  RE: Modifying Sylink before installation

    Posted Mar 19, 2013 11:09 PM

    Check this document

    http://www.symantec.com/business/support/index?page=content&id=TECH106108&locale=en_US

    and verify the group communication settings.

    During a normal SEP client install, there is a registry key created:

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

    A value named PreferredGroup is created in that key. That value designates which client group the client tells the SEPM it should go into when it heartbeats in for the first time.

    When the Location-specific Settings are NOT set to Use Group Communication Settings when the SEP client install package is created, the client install package does not create the PreferredGroup registry value in the registry key. When the client checks in with the SEPM for the first time, it cannot tell the SEPM which client group it is supposed to be in, so the SEPM places it in the Default Group.



  • 8.  RE: Modifying Sylink before installation

    Posted Mar 20, 2013 12:01 AM

    Hi,

    Restart the machine and check.



  • 9.  RE: Modifying Sylink before installation

    Posted Mar 20, 2013 04:31 AM

    Can you confirm if you are using this on new machines or machines that have otherwise had their HWIDs removed?

    The Preferred Group will get ignored if the client links to an existing client record within the SEP DB (whether this be by HWID or because of AD Syncing).



  • 10.  RE: Modifying Sylink before installation

    Posted Mar 20, 2013 09:06 AM

    Rafeeq, I know this KB and tried everything possible. Checking the registry key shows the correct preferred group, but the current group is the default group.

    SMLatCST, it is a new machine. It never had any SEP installed before.

    A restart is always applied.



  • 11.  RE: Modifying Sylink before installation

    Posted Mar 20, 2013 09:34 AM

    I don't know why you want to change the preferred group inside Sylink and why you can't export a package with the preferred group. It might be your project requirement.

    How do you install the package? Is it via SEPM or through GPO?

    Two things from my end to try:

    1) Right-click on the preferred group in SEPM and check if "Block new clients" is enabled.

     -> Highlight your preferred group. Policies on the right-hand side, General Settings, uncheck the "require certificate to communicate" option. Check if the client shows up.

    2) Export a package from SEPM, then install it on the client. Does it show up in the correct group?

    3) Enable the Sylink log; we need to check the client registration.



  • 12.  RE: Modifying Sylink before installation

    Posted Mar 20, 2013 04:31 PM

    Hi Raafiq, to answer your question: when having over 100.000 clients and 800 groups, the only way to get the clients in the right place is editing the Sylink.xml before installation. If this doesn't work anymore, you have to place the clients manually in the correct folder. I'm running SEP 11 RU7 MP2 and it works like a charm. I guess I need to do some testing on 12.1.2 before migration. Kind regards


  • 13.  RE: Modifying Sylink before installation

    Posted Mar 25, 2013 05:18 AM

    Bartman knows what I am talking about. I have multiple domains and a couple of groups. Why would I export multiple groups, where I can export only one?

    I tried blocking before; the client became unmanaged.

    I can't disable the certificate.

    I can't enable the Sylink log, as it doesn't exist before SEP installation.

    The installation is via cmd with the tool:

    xxx.exe "DomainID" "GroupName"

    It works perfectly with changing the "Domain ID".

    I have made a GUI version that connects to SQL and gets all domains and their groups, and it works with changing the domain and group. I can't figure out why it's not working with the cmd exe.



  • 14.  RE: Modifying Sylink before installation

    Posted Mar 25, 2013 05:34 AM

    As these clients are responding to group changes from the SEPM (just not adhering to the preferred group in the sylink file), have you considered looking at the MoveClient utility instead?

    Assuming the criteria options available within MoveClient meet your requirements, you could then just get it to run as a scheduled task on your SEPM.



  • 15.  RE: Modifying Sylink before installation

    Posted Mar 25, 2013 05:58 PM

    Hi Yahya,

    Sorry to say that, but as long as you're trying to fix that by working on the Sylink.xml file or on the SEP client machine side, you will definitely waste your time.

    SMLatCST is absolutely right. SEPM Database information primes over everything else.

    Once a SEP client is registered, the information is stored in the SEPM Database, and by design the SEPM Database has priority over the information on the SEP client side.

    Which means whatever you do on the client machine, as long as this machine is still known in your SEPM Database, it will register and come up based on the information contained in your SEPM Database.

    Clearly explained in this very nice and old KB below.

    Symantec Endpoint Protection Client Registration Flow

    => http://www.symantec.com/business/support/index?page=content&id=TECH9158

    So in the end, the recommendation from SMLatCST may work, but I'm not sure, as I personally never had the occasion to use the famous MoveClient tool on any 12.1 version; but at least you can try and see if it still works as on earlier versions.

    Another alternative solution would be to force your SEP client to be offline and to change the default value of the Domain options on your SEPM Console.

    Change the Sylink.xml, but please do not use your method. I can't believe it works well, as sylink.xml uses a very specific hash and signature. Editing it with a non-trusted third-party tool or software sounds very dodgy and has a high probability of turning it into a corrupt file indeed.

    Just turn your SEP client into an unmanaged client so it will not try to contact your SEPM server anymore.

    Then go to your SEPM Console, in the Administrators and Domain sub-menu; you can go to "Edit domain properties" and change the default value of the option "Delete client that didn't contact the SEPM for 30 days" to a lower value.

    Let's say 3 days, for example.

    Leave your SEP client unmanaged for 4 days to ensure the information in the SEPM Database related to this SEP client is purged, then deploy a new Sylink.xml file from the OU you wish this client to come up in, by using the new feature dedicated to it in SEPM 12.1 RU2.

    => http://www.symantec.com/docs/TECH199124

    And see if it works.

    This is probably the safest way.

    There is another way, but it's definitely the most risky one: running a command directly on the SEPM Database. That's not recommended unless you know what you're doing and you have a working database backup available.

    Kind Regards,

    A. Wesker



  • 16.  RE: Modifying Sylink before installation

    Posted Mar 26, 2013 05:52 AM

    The tool is used ONLY on NEWLY build servers. No records or HWID have been created before in SEPM's DB.



  • 17.  RE: Modifying Sylink before installation

    Posted Mar 26, 2013 06:06 AM

    Put all the clients in the default group.

    Use this tool to move clients between groups.

    http://www.symantec.com/business/support/index?page=content&id=TECH157429



  • 18.  RE: Modifying Sylink before installation

    Posted Mar 26, 2013 10:57 AM

    Perhaps you could check if the below entry is configured within the SetAid.ini file of the install package:

    KeepPreviousSetting=0

    This really shouldn't make a difference to a completely fresh install, but it might be worth a try and could affect machines built from an image. You could also check out the below reg key before the SEP install attempt, to see if there's anything there:

    HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink

    You could also verify if the PreferredGroup string value located in the above key is getting correctly updated after SEP is installed.

    Yet another avenue of investigation is to enable sylink logging after the SEP install but before the client has had a chance to talk to the SEPM (install it with the NIC disabled, enable logging, then enable the NIC).

    I'm sure you've probably seen this article on the Preferred Group field, but just in case (I'm assuming you've already checked/tested for typos, case sensitivity, the handling of spaces in the group name, etc.):
    http://www.symantec.com/docs/HOWTO27006
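The check suggested in replies 4, 5 and 18 (compare a Sylink.xml exported from the target group against the one your tool produces, and look for a missing PreferredMode="1" or case/whitespace differences in the group name) as an added example, not code from the thread or from Symantec. It assumes Sylink.xml is XML whose AgentCommunicationSetting element carries DomainId, PreferredGroup and PreferredMode attributes (assumed names; adjust to what your export actually contains), and the two sample files are constructed.

```python
import xml.etree.ElementTree as ET

# Attributes that decide where a fresh client registers (assumed names).
KEY_ATTRS = ("DomainId", "PreferredGroup", "PreferredMode")

# Constructed samples: an export from SEPM vs. what a modification tool wrote.
EXPORTED = """<ServerSettings><AgentCommunicationSetting DomainId="D0M41N1D"
 PreferredGroup="My Company\\Servers\\Web" PreferredMode="1"/></ServerSettings>"""
TOOL_OUTPUT = """<ServerSettings><AgentCommunicationSetting DomainId="D0M41N1D"
 PreferredGroup="My Company\\servers\\Web"/></ServerSettings>"""


def load_settings(xml_text):
    """Return {attr: value or None} from the AgentCommunicationSetting element."""
    root = ET.fromstring(xml_text)
    node = root if root.tag == "AgentCommunicationSetting" else root.find(".//AgentCommunicationSetting")
    if node is None:
        raise ValueError("no AgentCommunicationSetting element found")
    return {attr: node.get(attr) for attr in KEY_ATTRS}


def compare_sylink(exported_xml, tool_xml):
    """List findings; an empty list means the tool output matches the export."""
    exp, got = load_settings(exported_xml), load_settings(tool_xml)
    findings = []
    for attr in KEY_ATTRS:
        e, g = exp[attr], got[attr]
        if g is None and e is not None:
            findings.append(f"{attr} missing in tool output (exported: {e!r})")
        elif e is None and g is not None:
            findings.append(f"{attr} present in tool output but absent in export")
        elif e != g:
            hint = ""
            if e.casefold() == g.casefold():
                hint = " (case differs only)"          # group names are case-sensitive
            elif e.replace(" ", "") == g.replace(" ", ""):
                hint = " (whitespace differs only)"    # spaces in the group path
            findings.append(f"{attr}: exported {e!r} vs tool {g!r}{hint}")
    # Reply 4 expects PreferredMode="1" when a preferred group is set.
    if got["PreferredGroup"] is not None and got["PreferredMode"] not in (None, "1"):
        findings.append(f"PreferredMode is {got['PreferredMode']!r}, expected '1'")
    return findings


if __name__ == "__main__":
    for line in compare_sylink(EXPORTED, TOOL_OUTPUT):
        print(line)
```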