Endpoint Protection

  • 1.  SEP clients going offline / Cannot register to SEPM

    Posted Apr 19, 2017 12:34 AM

    Hi,

    We have 6000 licenses purchased for our SEPM; however, as part of the migration and acquisition of a few companies, the over-deployed licenses have increased the client count, which is currently 20,000.

    When we try to deploy SEP clients from an image / even a few existing SEP clients cannot come online and register themselves into SEPM.

    Hence I did a secars test and it was fine. However, I collected Sylink debug and found a few entries, below (which may or may not help):

    InternetCallback> HttpOpenRequest; Internet status: 60; CtrlBlk: 083114E0
    04/18 15:04:25.357 [3312] 15:4:25=>Send HTTP REQUEST
    04/18 15:04:25.513 [3236] <InternetCallback> HttpSendRequestEx; Internet status: 100; CtrlBlk: 083114E0
    04/18 15:04:25.513 [3312] AH: (InetWaiting) bFinished is TRUE on CtrlBlk: 083114E0
    04/18 15:04:25.700 [3236] <InternetCallback> HttpEndRequest; Internet status: 100; CtrlBlk: 083114E0
    04/18 15:04:25.731 [3312] 15:4:25=>HTTP REQUEST sent
    04/18 15:04:25.731 [3312] 15:4:25=>QUERY return code
    04/18 15:04:25.731 [3312] 15:4:25=>QUERY return code completed
    04/18 15:04:25.731 [3312] <SendRegistrationRequest:>SMS return=500
    04/18 15:04:25.731 [3312] <ParseHTTPStatusCode:>500=>500 INTERNAL SERVER ERROR
    04/18 15:04:25.731 [3312] <SendRegistrationRequest:>Content Lenght => 531
    04/18 15:04:25.731 [3312] <mfn_ReadDataFromServer>Content Lenght => 531
    04/18 15:04:25.731 [3312] <mfn_ReadDataFromServer>Got data from server, read bytes=531
    04/18 15:04:25.731 [3312] HTTP returns status code=500
    04/18 15:04:25.731 [3312] <SendRegistrationRequest:>RECEIVE STAGE COMPLETED
    04/18 15:04:25.731 [3312] <SendRegistrationRequest:>COMPLETED, returned 5
    04/18 15:04:25.747 [3312] HEARTBEAT: Check Point 5.1
    04/18 15:04:25.747 [3312] NextProxySetting: Cycled through all proxy settings.
    04/18 15:04:25.747 [3312] <RegHeartbeatProc>switch to another server
    04/18 15:04:25.747 [3312] HEARTBEAT: Check Point 9
    04/18 15:04:25.747 [3312] ResetProxySetting: Will now use proxy setting 1
    04/18 15:04:25.747 [3312] HEARTBEAT: Check Point 8
    04/18 15:04:25.747 [3312] <PostEvent> going to post event=EVENT_SERVER_DISCONNECTED
    04/18 15:04:25.747 [3312] <PostEvent> done post event=EVENT_SERVER_DISCONNECTED, return=0
    04/18 15:04:26.261 [3312] HEARTBEAT: Check Point 1
    04/18 15:04:26.261 [3312] HEARTBEAT: Check Point 2
    04/18 15:04:26.261 [3312] <PostEvent> going to post event=EVENT_SERVER_CONNECTING

     

    But on the same client, the few troubleshooting steps I tried didn't resolve it; they came online by themselves after office hours. Does it really have something to do with concurrent connections or licenses?

     

    Could anyone answer this, please?
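An added triage example (not part of the original post and not Symantec code): it walks a Sylink debug log in the line layout shown in the excerpt above, pulls out each registration response code, and collects the events the same thread posts afterwards. The function names `triage` and `failed_registrations` are hypothetical; the sample lines are copied from the excerpt.

```python
import re

# Lines copied from the Sylink debug excerpt in the post above.
# The first line has no timestamp (as posted) and is skipped by the parser.
SAMPLE = """\
InternetCallback> HttpOpenRequest; Internet status: 60; CtrlBlk: 083114E0
04/18 15:04:25.357 [3312] 15:4:25=>Send HTTP REQUEST
04/18 15:04:25.731 [3312] <SendRegistrationRequest:>SMS return=500
04/18 15:04:25.731 [3312] <ParseHTTPStatusCode:>500=>500 INTERNAL SERVER ERROR
04/18 15:04:25.731 [3312] <SendRegistrationRequest:>COMPLETED, returned 5
04/18 15:04:25.747 [3312] <RegHeartbeatProc>switch to another server
04/18 15:04:25.747 [3312] <PostEvent> going to post event=EVENT_SERVER_DISCONNECTED
04/18 15:04:26.261 [3312] <PostEvent> going to post event=EVENT_SERVER_CONNECTING
"""

# Assumed layout, taken from the excerpt: "MM/DD HH:MM:SS.mmm [thread] message"
LINE = re.compile(r"^\s*(\d\d/\d\d \d\d:\d\d:\d\d\.\d{3}) \[(\d+)\] (.*)$")
REG = re.compile(r"<SendRegistrationRequest:>SMS return=(\d{3})")
EVENT = re.compile(r"going to post event=(EVENT_\w+)")

def triage(text):
    """Return one dict per registration response, with the events that follow it."""
    attempts, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # truncated or continuation line
        ts, thread, msg = m.groups()
        reg = REG.search(msg)
        if reg:
            current = {"time": ts, "thread": thread,
                       "status": int(reg.group(1)), "events": []}
            attempts.append(current)
            continue
        ev = EVENT.search(msg)
        # Attribute an event only to the thread that made the request.
        if ev and current is not None and current["thread"] == thread:
            current["events"].append(ev.group(1))
    return attempts

def failed_registrations(attempts):
    """Registrations answered with an HTTP error and followed by a disconnect."""
    return [a for a in attempts
            if a["status"] >= 400 and "EVENT_SERVER_DISCONNECTED" in a["events"]]

if __name__ == "__main__":
    for a in failed_registrations(triage(SAMPLE)):
        print(a["time"], "thread", a["thread"], "HTTP", a["status"], a["events"])
```
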

     

     

     



  • 2.  RE: SEP clients going offline / Cannot register to SEPM

    Posted Apr 19, 2017 11:31 AM

    Even if you go over the license count, clients will still communicate in. What is the exact version you're using? Can you run the symdiag on an affected client to see what it shows?



  • 3.  RE: SEP clients going offline / Cannot register to SEPM

    Posted Apr 19, 2017 11:37 AM

    @HackGeek2411,

     

    You actually answered the solution too; the problem is with duplicate hardware IDs, which are in the images.

    These two links should help you.

     

    Duplicate Hardware IDs result in only one client showing up in the Symantec Endpoint Protection Manager for multiple machines

    https://support.symantec.com/en_US/article.TECH97626.html

    https://support.symantec.com/en_US/article.TECH163349.html



  • 4.  RE: SEP clients going offline / Cannot register to SEPM

    Posted Apr 21, 2017 06:17 AM

    Thank you, Rafeeq. Yes, the image was created without following the best practices.



  • 5.  RE: SEP clients going offline / Cannot register to SEPM

    Posted Apr 21, 2017 06:18 AM

    @Brian, as of now the clients are on MP6 - RU6.

    What do you want me to look for in Symdiag?



  • 6.  RE: SEP clients going offline / Cannot register to SEPM

    Posted Apr 21, 2017 06:37 AM

    Is the machine online in SEPM after deleting the hardware id?



  • 7.  RE: SEP clients going offline / Cannot register to SEPM

    Posted Apr 24, 2017 03:01 AM

    Hi, 

    I believe I was the one who made a mistake, as I checked the option to BLOCK new clients to the default group, which does not allow the new SEP clients to register.

    The packages imaged for SCCM deployment are all set for the default group initially.

    However, I also tried with Sylink files for different groups, but it could not register for other groups either.

    What could be the possible reason?

    If I block for the default group, will it block for all the groups?

     

     



  • 8.  RE: SEP clients going offline / Cannot register to SEPM

    Posted Apr 24, 2017 09:58 AM

    No, it won't do that. When the package is exported it will have a preferred group (for example, default); if you block it, they won't get registered.

    But they would try to get registered in a different group.

    If you have deployed using SCCM, they will get connected to the group mentioned in the sylink.xml.

     

    Did you delete duplicate hardware IDs and see if they communicate with SEPM?

    What's the exact problem you are facing after installing the client? They get installed but do not show up in SEPM?

    They don't show up but still have the green dot on them?

    Can you post sylink.log from one client that is not showing up in SEPM?

     



  • 9.  RE: SEP clients going offline / Cannot register to SEPM

    Posted Apr 26, 2017 12:48 AM

    Thank you for your response Rafeeq,

     

    The package that they exported to push from SCCM was pointed to the default group; however, the clients could not register.

    I tried using Sylink from other groups as well; still they could not register. But when I removed the Block new clients for the Default group, they were able to register and come online.

    The exact situation was: when these OS images are deployed, the clients show up offline, but when the local IT tried a repair on them or replaced the Sylink file, they show the server name for a while and go offline; however, they come online and go back to the offline state in a few seconds.

    Replacing the Sylink or reinstallation also wouldn't help.