How can I remove duplicate client entries from the Symantec Endpoint Protection Manager (SEPM) 11.0 console?

Client-side hardware changes may in certain circumstances cause duplicate clients to be registered to the Default Group in SEPM.

In Symantec Endpoint Protection (SEP) 11.0 MR4MP2 and newer, deleting duplicate clients from all non-Active Directory (AD) sync'ed groups can be accomplished by issuing the following command in a browser on the computer running the Symantec Endpoint Protection Manager.

http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=CleanClients

Entering the URL runs a program that deletes all duplicate clients and sets the hardware keys of the clients in the OU group to NULL so they automatically re-register to their former Active Directory groups.