Endpoint Protection

  • 1.  Reset SEP 11 HardwareID

    Posted Feb 17, 2012 06:26 PM

    Hi Guys,

     

    Before any of the moderators growl at me for a double post I want to offer an explanation. This is not really a double post, but the same problem revisited. I have a script to reset the Symantec Endpoint Protection 11 HardwareID. I have had 2 or 3 scripts very similar to the one posted below. Can you tell me if what I have posted will not work and why it won't work? If it won't work, can you offer tweaks to the script?

     

    net stop "Symantec AntiVirus"
    start /wait smc -stop
    Reg Add "HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink" /V HardwareID /T REG_SZ /D "" /F
    Del "c:\program files\Common Files\Symantec Shared\HWID\sephwid.xml"
    net start "Symantec AntiVirus"
    start smc -start

     

    The first thing that comes to my mind is: are there any additional services that should be stopped, such as the Symantec Event Manager (ccEvtMgr), or should stopping the main service "Symantec AntiVirus" shut down everything? On a typical computer with SEP 11 installed everything is active. That includes Antivirus/Antispyware, Proactive Threat Protection, and Network Threat Protection.

    Thank you for taking time to read this and hopefully respond to my posting.

     



  • 2.  RE: Reset SEP 11 HardwareID

    Broadcom Employee
    Posted Feb 17, 2012 10:26 PM

    Sounds fine. You posted a similar thread earlier, didn't it help?

    https://www-secure.symantec.com/connect/forums/script-reset-hardwareid



  • 3.  RE: Reset SEP 11 HardwareID

    Posted Feb 19, 2012 03:28 PM

    Hi.

    Your script looks fine. It should get the job done. Remember that SMC.exe is located in "C:\Program Files\Symantec\Symantec Endpoint Protection" by default. That means your script is either run from that folder or you use:

     start "" /wait "C:\Program Files\Symantec\Symantec Endpoint Protection\smc.exe" -stop

    That being said, what are you trying to achieve? What problem have you got? Why are you revisiting this concept? Your most recent posts all relate to finding and cleaning up Hardware IDs. Remember that deleting the hw ID on the client does not touch the database in any way. You will manually find & delete the duplicate computer object from the console.

    The KB articles previously linked to do not mention other services that need to be stopped. Even the "Symantec Antivirus" service actually does not need to be stopped. Only SmcService, using smc -stop, needs to be stopped to replace the hw ID.

     

    PS Another reason, if your script does not work, is because a password is required to stop the SmcService. Have you tried running the script locally and analyzing the output?



  • 4.  RE: Reset SEP 11 HardwareID

    Posted Feb 22, 2012 12:30 PM

    The end goal is all endpoint clients have unique hardware IDs. That is what Symantec support told me I needed to do. We did not blank out the HardwareID prior to doing a Sysprep for our W7 image. I wasn't sure of the interaction between the client and the console. I have been chasing them down as they appear in the console and then deleting the duplicate. One thing that has been bugging me is what if they don't show up in the console? If Symantec support better explained this then perhaps I wouldn't be searching for an answer. That is on both them and me. Them for not better explaining themselves and me for not better understanding this. Trust me I don't wish to create a problem that can be managed or one that doesn't exist. Perhaps it is time to get this escalated with Symantec support. This is aggravating.



  • 5.  RE: Reset SEP 11 HardwareID

    Posted Feb 23, 2012 04:10 PM

    There are many ways to find duplicate computers. Waiting for them to appear in the console (or not) is not ideal.

    Have a look at this: https://www-secure.symantec.com/connect/forums/sql-querys-database#comment-6577391 That will very quickly show you which computers are affected. This admittedly assumes you have access to the backend database and know how to work with SQL Management Studio. If you have a DBA, he could help you with that. Alternatively, use Excel and create a new ODBC / data connection to the database and paste that code into the query window.

    Then target your script at those machines. It does look like your script will get the job done.

    PS Hope by now you've resolved the root cause of your images containing the hw id.
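Added example, not part of the original thread or of any Symantec tooling: one way to turn an export of client names and hardware IDs (from the database query or the Excel/ODBC route mentioned above) into the list of machines to target with the reset script. The CSV column names `computer_name`, `hardware_id` and `last_checkin`, and all sample rows, are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real data). Column names are assumptions;
# adjust them to match whatever your query or export actually produces.
SAMPLE_EXPORT = """computer_name,hardware_id,last_checkin
WS-0101,A1B2C3D4E5F60718293A4B5C6D7E8F90,2012-02-20 09:14
WS-0102,a1b2c3d4e5f60718293a4b5c6d7e8f90,2012-02-21 16:02
WS-0103,0F1E2D3C4B5A69788796A5B4C3D2E1F0,2012-02-21 08:40
WS-0101,A1B2C3D4E5F60718293A4B5C6D7E8F90,2012-02-22 07:55
WS-0104,,2012-02-22 10:31
WS-0105,A1B2C3D4E5F60718293A4B5C6D7E8F90,2012-02-19 11:20
"""


def load_rows(text):
    """Parse CSV text into a list of dict rows keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_shared_hardware_ids(rows):
    """Map each hardware ID reported by more than one host to those hosts."""
    hosts_by_id = defaultdict(set)
    for row in rows:
        # Normalise case and whitespace so the same ID always compares equal.
        hwid = (row.get("hardware_id") or "").strip().upper()
        host = (row.get("computer_name") or "").strip().upper()
        if not hwid or not host:
            continue  # blank ID or name: nothing to compare, skip the row
        # A set means one host checking in repeatedly is not a duplicate.
        hosts_by_id[hwid].add(host)
    return {h: sorted(s) for h, s in hosts_by_id.items() if len(s) > 1}


def hosts_to_reset(shared):
    """Flat, sorted list of every machine that shares an ID with another."""
    return sorted({host for hosts in shared.values() for host in hosts})


if __name__ == "__main__":
    shared = find_shared_hardware_ids(load_rows(SAMPLE_EXPORT))
    for hwid, hosts in shared.items():
        print(hwid, "->", ", ".join(hosts))
    print("Reset on:", hosts_to_reset(shared))
```

Listing every host that shares an ID, rather than all but one, is a choice made for this example.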



  • 6.  RE: Reset SEP 11 HardwareID

    Posted Feb 24, 2012 03:31 AM

    Does anyone have an article on how HardwareID works in SEP 12.1? It seemed to me there are some changes in SEP 12.1.