
Excessive duplicate clients appear in Endpoint Protection Manager


Article ID: 172660


Products

Endpoint Protection

Issue/Introduction

One or more of the following can be seen in Symantec Endpoint Protection Manager (SEPM):

  • Clients are listed multiple times, showing offline, with a unique Hardware ID for each instance of the same client name.
  • The duplicate clients (offline or online) may show in groups other than the intended client group.
  • License usage counts continue to increase with no new clients installed.

ersecreg-*.log:
Duplicated Hardware Key was detected from request. Sent 470 duplicated response to client

Environment

Symantec Endpoint Protection 14.0 RU1, 14.0 RU1 MP1

Cause

When a client re-generates its ID, it may revert to a different group and policy based on cached data, and leave an offline copy of that client in the original group.

From TECH163349:
The duplicate hardware ID (HWID) detection mechanism in SEP 14.0 MP1 and newer is enabled by adding "scm.duplicatedhwkey.fix.enabled=true" to conf.properties at the SEPM. The defaults are count=3 and range=86400000 (24 hours in milliseconds) -- i.e. if a SEPM response code 468 is triggered 3 times within 24 hours for a specific client, then that client would be considered a duplicate and would be sent a 470 response code. Upon receiving a 470 response code, the client (if version 14 MP1 and newer) would automatically re-generate its ID before re-attempting registration with the SEPM.

Additionally, it has been observed that a client with a unique HWID may trigger multiple 468 responses during normal operation if it does not increment the CSN after receiving a 468 response from the SEPM. In some cases this may unexpectedly trigger a hardware ID reset and potentially change the group and assigned policy.

Resolution

The "scm.duplicatedhwkey.fix.enabled=true" setting is intended for temporary use while duplicate Hardware IDs (HWIDs) are being resolved and the originating base image issues corrected. Please use one of the following solutions to address the issue of duplicate client entries in the SEPM:

  1. Increase "scm.duplicatedhwkey.fix.client.csnreset.count=3" to a higher count to help avoid triggering the threshold during normal client operation.
  2. Decrease "scm.duplicatedhwkey.fix.client.csnreset.time.range=86400000" to a shorter range to require the count threshold be met in less time.
  3. Disable the fix by configuring "scm.duplicatedhwkey.fix.enabled=false" as soon as possible after issues with duplicate HWIDs and the base image are corrected.

Note: See TECH178865 for how to configure the number of days after which the SEPM will automatically delete offline clients.
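
The following Python model of the count/range threshold is an added example, not Symantec's implementation. It assumes a trailing sliding window per hardware ID and a counter that clears after each 470; the 468 timestamps are constructed. It shows how options 1 and 2 above change whether a client with a unique HWID trips an ID reset.

```python
from collections import deque

DEFAULT_COUNT = 3              # scm.duplicatedhwkey.fix.client.csnreset.count
DEFAULT_RANGE_MS = 86_400_000  # scm.duplicatedhwkey.fix.client.csnreset.time.range
HOUR_MS = 3_600_000


def simulate_470(events_ms, count=DEFAULT_COUNT, range_ms=DEFAULT_RANGE_MS):
    """Return the timestamps (ms) at which one client would be sent a 470.

    events_ms: sorted timestamps of 468 responses for ONE hardware ID.
    Assumptions (not confirmed by the article): the window is a trailing
    sliding window, and the counter is cleared once a 470 has been sent.
    """
    window = deque()
    resets = []
    for ts in events_ms:
        window.append(ts)
        # Forget 468 responses that fall outside the configured range.
        while window and ts - window[0] >= range_ms:
            window.popleft()
        if len(window) >= count:
            resets.append(ts)   # threshold met: SEPM answers 470
            window.clear()      # client regenerates its ID and re-registers
    return resets


# Constructed sample: a unique-HWID client that does not increment its CSN
# and draws a 468 at hours 1, 9, 20, 30 and 41.
SAMPLE_468_MS = [h * HOUR_MS for h in (1, 9, 20, 30, 41)]


def compare_settings(events_ms=SAMPLE_468_MS):
    """Evaluate the same 468 history under the default and tuned settings."""
    return {
        "default (count=3, range=24h)": simulate_470(events_ms),
        "option 1 (count=6, range=24h)": simulate_470(events_ms, count=6),
        "option 2 (count=3, range=12h)": simulate_470(
            events_ms, range_ms=12 * HOUR_MS),
    }


if __name__ == "__main__":
    for label, resets in compare_settings().items():
        hours = [ts // HOUR_MS for ts in resets]
        print(f"{label}: 470 sent at hour(s) {hours or 'never'}")
```

With the defaults, the constructed client is reset at hour 20; with either tuned setting it is not, while a burst of six 468 responses within six hours still meets the count=6 threshold.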