Endpoint Protection


SEPM 12.1.6 MP3 - Duplicate VM Images

ℬrίαη, Apr 08, 2016 04:27 PM

Sherry Jones, Apr 26, 2016 09:43 AM

  • 1.  SEPM 12.1.6 MP3 - Duplicate VM Images

    Posted Apr 08, 2016 03:35 PM

    I am having issues with duplicate VM images ...

    Using the following document I have cleaned up my duplicate HW IDs.  https://support.symantec.com/en_US/article.TECH163349.html

    I ran the batch file again this morning and the text file shows no new duplicates.  I copied the list of clients and pasted the information in a spreadsheet and am watching the management console and started noticing one of two things (2 to 3 will show up per hour) ...

    1. A second client would appear with an older definition set
    2. An existing name suddenly has an older definition set

    This is very odd behavior especially since just yesterday I ran the repairclonedimage on all of the clients that were listed in the text file created from the createduphwidips.bat file.  I ran that batch file today, and there are no duplicates.  "No duplicate Hardware Key or Known Client Id(HostGUID) found."

    I am running MS Server 2012 with a SQL backend.  Please let me know if you have ever heard of this behavior and/or if you have any suggestions.

    Thanks!

     



  • 2.  RE: SEPM 12.1.6 MP3 - Duplicate VM Images

    Posted Apr 08, 2016 03:54 PM

    These are all good machines ... in fact, I even deleted them and let them reestablish themselves at the heartbeat.



  • 3.  RE: SEPM 12.1.6 MP3 - Duplicate VM Images

    Trusted Advisor
    Posted Apr 08, 2016 03:56 PM

    Could it be because it hasn't been purged, therefore you're seeing the old clients listed?



  • 4.  RE: SEPM 12.1.6 MP3 - Duplicate VM Images

    Posted Apr 08, 2016 04:04 PM

    Meaning I didn't delete them from the console?  I deleted everything this morning "everything" and they reestablished themselves.  Am I misunderstanding what you mean by Purged?



  • 5.  RE: SEPM 12.1.6 MP3 - Duplicate VM Images

    Posted Apr 08, 2016 04:06 PM

    If you check the ersecreg log, do the duplicate hardware IDs show up in there?
     



  • 6.  RE: SEPM 12.1.6 MP3 - Duplicate VM Images

    Trusted Advisor
    Posted Apr 08, 2016 04:08 PM

    In that case, the hardware ID still exists somewhere... have you looked at the logs?



  • 7.  RE: SEPM 12.1.6 MP3 - Duplicate VM Images

    Posted Apr 08, 2016 04:21 PM

    The batch tool that helps find the affected clients looks for the affected client in the ersecreg.log file in the inbox folder of the SEPM installation folder. The tool will find the affected client depending upon the amount of information that is available in this file.

    This file grows up to a max of 20 MB and then resets. So you have to make sure that you run the batch file when the file is at least 18 MB so that it will have some information and hence will find more affected machines. However, you will have to run this periodically (for a few days or weeks) to identify all the affected clients.

     

    Gradually, as you fix the already identified clients, the number of affected clients can be brought to nil.



  • 8.  RE: SEPM 12.1.6 MP3 - Duplicate VM Images

    Posted Apr 08, 2016 04:25 PM

    I will attach one that just showed up and this is what I found in the ersecreg.log ... see attached

    Attachment: esecreg.txt (708 B, 1 version)


  • 9.  RE: SEPM 12.1.6 MP3 - Duplicate VM Images

    Posted Apr 08, 2016 04:27 PM

    And this client was fixed?



  • 10.  RE: SEPM 12.1.6 MP3 - Duplicate VM Images

    Posted Apr 08, 2016 04:40 PM

    This log contains the information about the communication between SEPM and 2 clients, and those 2 clients may or may not be affected by the duplicate hardware ID issue. If you run the batch file with only this information in the ersecreg log, the tool will definitely say that there are no affected clients found.

    So, keep an eye on the size of the log file. Wait for it to grow (preferably 18 MB) and then run the batch file.

     

    Note: please do not post such logs in the forum. This will expose the details of the machine in your network and the details of the IP addresses that you use in your network.
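
Following the note above about not posting raw logs, an added example (not from the thread or from Symantec) of pseudonymising a log excerpt before sharing it: each IPv4 address and each listed host or domain name becomes a keyed HMAC token, so the same machine still lines up across entries while the real values stay private. The sample lines are constructed and their layout is an assumption, not the real ersecreg.log format; `redact` and its parameters are hypothetical names.

```python
import hashlib
import hmac
import re

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample lines; the field layout is assumed for illustration only.
SAMPLE = [
    "2016-04-08 16:20:01 HardwareKey=AAAA1111 ComputerName=vdi-017 Domain=corp.example IP=192.0.2.41",
    "2016-04-08 16:21:37 HardwareKey=AAAA1111 ComputerName=vdi-022 Domain=corp.example IP=192.0.2.52",
    "2016-04-08 16:22:10 HardwareKey=BBBB2222 ComputerName=VDI-017 Domain=corp.example IP=192.0.2.41",
]


def _token(key: bytes, kind: str, value: str) -> str:
    # Keyed hash: without the key, the small IPv4 space cannot simply be
    # enumerated to reverse the tokens, unlike a plain unkeyed hash.
    mac = hmac.new(key, f"{kind}:{value.lower()}".encode(), hashlib.sha256)
    return f"<{kind}-{mac.hexdigest()[:8]}>"


def redact(lines, key: bytes, names=()):
    """Replace IPv4 addresses and the given host/domain names with stable tokens."""
    name_re = None
    if names:
        # Longest names first so a full name wins over a shorter prefix.
        alts = sorted((re.escape(n) for n in names), key=len, reverse=True)
        name_re = re.compile(r"(?<![\w-])(?:%s)(?![\w-])" % "|".join(alts), re.IGNORECASE)

    def ip_sub(match):
        text = match.group(0)
        if any(int(part) > 255 for part in text.split(".")):
            return text  # four dotted numbers that are not an address
        return _token(key, "ip", text)

    out = []
    for line in lines:
        line = IPV4_RE.sub(ip_sub, line)
        if name_re:
            line = name_re.sub(lambda m: _token(key, "host", m.group(0)), line)
        out.append(line)
    return out


if __name__ == "__main__":
    import os
    # Keep the key private; anyone holding it can recompute tokens for guessed values.
    for row in redact(SAMPLE, os.urandom(32), ["vdi-017", "vdi-022", "corp.example"]):
        print(row)
```

Hardware keys and timestamps are left untouched here so the duplicate-ID question can still be answered from the excerpt; add them to the redaction if they are considered sensitive in your environment.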



  • 11.  RE: SEPM 12.1.6 MP3 - Duplicate VM Images

    Posted Apr 08, 2016 04:41 PM

    Yes ... it was one of the ones that was fixed.  Sorry, I had to find my spreadsheet.



  • 12.  RE: SEPM 12.1.6 MP3 - Duplicate VM Images

    Posted Apr 08, 2016 05:10 PM

    The file is about 13 MB right now ... I will keep an eye on it.  I was careful to strip out everything to the left of the line that contained the domain and IP address.



  • 13.  RE: SEPM 12.1.6 MP3 - Duplicate VM Images

    Posted Apr 25, 2016 02:46 PM

    I have now upgraded all of my VM base images to SEP 12.1 RU6 MP4 as of Friday, April 22nd

    Ran the Client Side Prep Tool (last step before recomposing pools)

    All clients connected to the SEPM and all definitions updated

    Today I copied two of my larger pools to a spreadsheet because I was seeing some old def dates show up in the SEPM.

    I am seeing VM client definitions in the SEPM reverting back to the definitions that were originally on the base during the recompose (but no duplicate machines).  I am glad I made the spreadsheet so I could tell if one was just connecting for some reason or if the def date was in fact changing.  It is changing.  What am I missing?  

    I ran the batch file to see if I had duplicates and there are none.  My ersecreg is still very small (on the 8th I mistakenly said it was 13 MB ... the file I backed up before I deleted the old ersecreg was only 7 MB to begin with).  

    This is very frustrating ... any ideas about what is happening now?



  • 14.  RE: SEPM 12.1.6 MP3 - Duplicate VM Images

    Posted Apr 26, 2016 09:43 AM

    I guess I will open a support case ...



  • 15.  RE: SEPM 12.1.6 MP3 - Duplicate VM Images

    Posted Apr 29, 2016 11:56 AM

    Upon further discussion, I found that a decision was made to revert our VMs back to their current snapshot after each use (log off - log on) so each time they come online, there will be a different hwID and they come up with the definition set from that snapshot.  That threw a kink in everything.  This was decided for security reasons.