Azure AD Device ID causes Symantec Endpoint Security endpoints to reuse existing Integrated Cyber Defense Manager Device IDs

Article ID: 215874

Products

Endpoint Security

Issue/Introduction

If device IDs within Integrated Cyber Defense Manager (ICDM) have already been associated with an Azure AD device ID, but not with a Symantec Endpoint Security (SES) Machine ID (MID), and that Azure AD device ID has been replicated across many machines, then as endpoints carrying the duplicate Azure AD device ID first register with the cloud they will be assigned the existing ICDM device ID. Every endpoint that shares the replicated Azure AD device ID then sends operational state data that is attributed to a single ICDM device ID record. This gives the appearance of incorrect client details, inaccurate associated agent events, and missing endpoints.

Although similar in behavior, this is not the same as the issue detailed here - Non Persistent VDI cloned machines report a single device ID.

Environment

Release : 14.3.*

Component :

Cause

The SES agent MID and the Azure AD device ID are both used to identify an endpoint when it registers with the cloud. If the SES agent MID is not already associated with an ICDM device ID, the secondary source of identification is the Azure AD device ID. ICDM can integrate with Azure AD, so SES agents gather the Azure AD device ID as part of collecting and reporting operational state data; it is read from the registry at HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CloudDomainJoin\JoinInfo\

If the image is not properly set up during creation per Microsoft best practices, the Azure AD device ID stored at the above registry location is replicated to every machine deployed from it. Refer to Microsoft best practices here - Device identity and desktop virtualization

For reference, the SES agent MID and ICDM device ID are located under this registry key - HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Identifiers
Subkey MID - Machine ID
Subkey epmp-device-id - ICDM device ID

As long as the MID is unique and the Azure AD device ID is unique or absent, the device should register properly when it first registers to your ICDM tenant. If you are experiencing identical ICDM device IDs across many machines, but are not using Azure AD or have no Azure AD device ID information populated in the registry, and are using images for non-persistent VDI clients, please refer to the above linked document regarding NPVDI.
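A fleet-level check for the condition described in this section, added here as an example and not part of the KB article: it reads the MID, epmp-device-id and Azure AD device ID from the registry locations named above and flags any Azure AD device ID that is shared by more than one MID. The JoinInfo 'DeviceId' value name, the way the MID and epmp-device-id subkeys store their value, and the function names are assumptions; the sample records are constructed.

```powershell
# Added example, not from the KB article; see the lead-in for assumptions.
function Read-Identifier {
    # The article calls MID and epmp-device-id subkeys: read the subkey's
    # default value, falling back to a plain value of that name (assumption).
    param([string]$Key, [string]$Name)
    $sub = Join-Path $Key $Name
    if (Test-Path $sub) { return (Get-ItemProperty -Path $sub).'(default)' }
    return (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}
function Get-SesIdentityRecord {
    $idKey   = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Identifiers'
    $joinKey = 'HKLM:\SYSTEM\ControlSet001\Control\CloudDomainJoin\JoinInfo'
    # One subkey per Azure AD join record; the 'DeviceId' value name is an assumption.
    $aad = Get-ChildItem -Path $joinKey -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).DeviceId } |
        Where-Object { $_ } | Select-Object -First 1
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        MID          = Read-Identifier $idKey 'MID'
        IcdmDeviceId = Read-Identifier $idKey 'epmp-device-id'
        AadDeviceId  = $aad
    }
}

function Find-SharedAadDeviceId {
    # Records gathered from many endpoints (e.g. Get-SesIdentityRecord over
    # Invoke-Command). Several distinct MIDs under one Azure AD device ID is
    # the replicated-image condition the article describes.
    param([object[]]$Records)
    $Records | Where-Object { $_.AadDeviceId } |
        Group-Object -Property AadDeviceId |
        ForEach-Object {
            $mids = @($_.Group.MID | Sort-Object -Unique)
            if ($mids.Count -gt 1) {
                [pscustomobject]@{
                    AadDeviceId  = $_.Name
                    DistinctMIDs = $mids.Count
                    Machines     = ($_.Group.ComputerName -join ', ')
                }
            }
        }
}

# Constructed sample records: two clones share one Azure AD device ID.
$sample = @(
    [pscustomobject]@{ ComputerName='VDI-01'; MID='mid-aaaa'; IcdmDeviceId='icdm-1'; AadDeviceId='aad-1111' }
    [pscustomobject]@{ ComputerName='VDI-02'; MID='mid-bbbb'; IcdmDeviceId='icdm-1'; AadDeviceId='aad-1111' }
    [pscustomobject]@{ ComputerName='PC-03';  MID='mid-cccc'; IcdmDeviceId='icdm-2'; AadDeviceId='aad-2222' }
)
Find-SharedAadDeviceId -Records $sample | Format-Table -AutoSize
```

Run Get-SesIdentityRecord on each suspect endpoint and feed the collected objects to Find-SharedAadDeviceId; any row returned identifies an image whose Azure AD device ID was not reset before cloning.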

Resolution

This is by design.