One or more of the following can be seen in Symantec Endpoint Protection Manager (SEPM):
ersecreg-*.log:
Duplicated Hardware Key was detected from request. Sent 470 duplicated response to client
Symantec Endpoint Protection 14.0 RU1, 14.0 RU1 MP1
When a client re-generates its ID, it may revert to a different group and policy based on cached data, and leave an offline copy of that client in the original group.
From Repair duplicate client IDs on cloned Endpoint Protection clients:
The duplicate hardware ID (HWID) detection mechanism in SEP 14.0 MP1 and newer is enabled by adding "scm.duplicatedhwkey.fix.enabled=true" to conf.properties at the SEPM. The defaults are count=3 and range=86400000 (24 hours in milliseconds) -- i.e. if a SEPM response code 468 is triggered 3 times within 24 hours for a specific client, then that client would be considered a duplicate and would be sent a 470 response code. Upon receiving a 470 response code, the client (if version 14 MP1 and newer) would automatically re-generate its ID before re-attempting registration with the SEPM.
Additionally, it has been observed that clients with a unique HWID may trigger multiple 468 responses during normal operation, if it does not increment the CSN after receiving a 468 response from the SEPM. In some cases this may unexpectedly trigger a hardware ID reset and potentially change the group and assigned policy.
The "scm.duplicatedhwkey.fix.enabled=true" setting is intended for temporary use while duplicate Hardware IDs (HWIDs) are being resolved and the originating base image issues corrected. Please use one of the following solutions to address the issue of duplicate client entries in the SEPM:
Note: See How to delete clients that have not connected to the Symantec Endpoint Protection Manager for a specified time for how to configure the number of days after which the SEPM will automatically delete offline clients.