Endpoint Protection

Hi everyone. How are you. I have SEP 14 installed but I am facing a weird issue. When we export a package from SEPM and check the group where we want to move the client after installation, it is exported fine. When we install it on the endpoint then instead of reporting to the group which was checked during the installation, client is reporting randomly to the other group but not to the group which was checked as the package was exported. I exported the package as an msi instead of a single exe. When I verified the sylink.xml file I find out that it contains the correct group entry which was checked as the package exported but after the installation client is reporting to some other random group.

Actually previously these machines were running Windows 7 x32 BIT, so they formatted it and installed Windows 7 x64 BIT. The cloned image they used contains SEP client being installed along with the business applications. As soon as the image is deployed they turn on the computer, before joining it to the network they uninstall existing SEP client and install the new SEP client as exported above, once done then they join the client to the network.

so when I search for the client with its name by using search client on SEPM. I see two entries for the same host-name. x32 BIT is appearing offline and x64 is online but reporting to a different group not to the actual one which was selected during the package export.

Do you think this could be caused because of the clone image as they are reporting to some other random group instead of the actual group?

 

Sylink.xml file is attached.

Did you verify that it is/is not a duplicate HWID issue?

As per the below tech note

https://support.symantec.com/en_US/article.TECH163349.html

Do I need to Run the SEPM Repair Tool using the instructions provided in ReadMe.txt (see Attachments for both). The output file from the SEPM Repair Tool is the list of clients affected by the duplicate ID issue. Save this file.?

Create a new package with the client setting remove all previous logs and reset client server communication, you can set to delete not connected clients to a lower value to remove older entries

You can review Symantec Endpoint Protection Manager install folder\data\inbox\log\ersecreg.log and search for the hostname to see if it appears more than once.

Rafeeq already did that but did not made any difference.

One more intresting thing, lets say I am using the same problematic package on another site where the desktops were not being re-imaged from x32 to x64

these desktops were already having SEP, I uninstall SEP agent and install it again using the above problematic package. Once installed the clients in this site report to the correct group which was checked as the package was exported.

 

When re-installing the HWID will change. And you didn't change the hostname, correct? If you delete the 'old' host from SEPM, does it continue to re-appear?

Yes when they re-image they use the same hostname.

 

Actually as soon as they uninstall the Old SEP Client which is part of the clone image and install the new SEP client freshly exported. After install SEP client reports to same othe random group not to the actual group which was checked as the new package was exported.

Any more suggestions guys?

It still seems like a duplicate HWID.

In the SEPM click on Admin, then on Install Packages. Then choose to Add client Install Settings. Give this a name such as remove all old symantec with install. Then choose Remove existing Symantec Endpoint Protection client software that cannot be uninstalled. Also under Upgrade settings, choose Remove all previous logs and policies, and reset the client-server communicaiton settings. On restart tab, choose your options. Then click OK.

 

Now go to the Clients tab and find your group. Click on Install a client. Choose new package deployment. choose the group, and choose the install settings. This is where you choose the remove all old symantec with install that you created. Then click next. Then do a remote push, then click next.

 

Choose Search network. Choose by ip range or name or ip. Then enter credentials and it will push out the package.