Virtual Computer Resources Merging Unexpectedly Due to Duplicate TPM Identifiers (tpmid) in ITMS 8.7.1 and Later

search cancel

Virtual Computer Resources Merging Unexpectedly Due to Duplicate TPM Identifiers (tpmid) in ITMS 8.7.1 and Later

book

Article ID: 275252

calendar_today

Updated On:

Products

Client Management Suite

Issue/Introduction

After upgrading to ITMS 8.7.1 or later, administrators may notice that multiple distinct virtual computers (or physical machines as well) are being represented by a single resource record in the Symantec Management Platform (SMP) Console. This "merging" behavior causes inventory data to flip-flop between different machines and can result in tasks being sent to the wrong physical endpoints.

Environment

ITMS 8.7.1 and later

Cause

Starting with ITMS 8.7.1, the resource identity logic was enhanced to include additional hardware identifiers to improve accuracy in modern environments. We are now also using TPM encryption key for resource key's on computers.
We use machine TPM 2.0 encryption keys to generate one of our unique IDs. This ID is named "tpmid".
However, if an environment contains duplicated TPM IDs (tpmid)—often caused by cloning virtual machines or deploying images from non-generalized templates—the SMP Server will treat these different machines as the same resource.

                <key name="cloudid" value="xxxxxxxxxxxxxxxx-0f64b6755421.xxxxxxxxxxxxx-9a96723e0680"/>
                <key name="fqdn" value="computer.example.com"/>
                <key name="name.domain" value="computer.example"/>
                <key name="name.domain" value="computer.example.com"/>
                <key name="tpmid" value="xxxxxxxxxxxxxxxxxxxxxxxxx+6qbwaY="/>
                <key name="uniqueid" value="123456789JdBovg=="/>
                <key name="uniqueid" value="987654321KLBxoydnabw=="/>
                <key name="wmdm_device_id" value="xxxxxxxxxxxxxxC26C37B9AB"/>

TPM EK (used to populate "tpmid" entry showed above) is one of TMP's RSA encryption keys.
TPM encryption key is supposed to be unique, but what we have seen when VM's are being cloned the same key is being utilized for the cloned VM as the source. Thus in Merge table of ITMS database you will see merge key will be "tpmid" value

The primary root cause is the presence of duplicate TPM identifiers across multiple endpoints.

In version 8.7.1, the tpmid was added as a high-priority resource key. If two machines report the same tpmid, the SMP database merges them into a single Resource GUID to prevent perceived duplication.

Assumption: This typically occurs in virtualized environments where "Trusted Platform Module" settings are copied during a VM clone without being reset.
Top Probable Causes:
1. VM Templates not being properly generalized (Sysprep) before deployment.
2. Manual cloning of Virtual Machines with "vTPM" enabled.

Note on Cloud ID: While this article focuses on tpmid, duplicate Cloud IDs (cloudid) can cause identical symptoms. For specific guidance on cloud-based identifier merging, refer to Client Machines are sending same UniqueID during Basic Inventory.

Resolution

Diagnostics: Identifying the Duplicate Key
Actionable Steps

Diagnostics: Identifying the Duplicate Key

To confirm if tpmid is the cause of the merge, check the SMP Logs and the database.

Log Analysis:

Search the NS logs (C:\ProgramData\Symantec\SMP\Logs\aXX.log) for entries related to resource merging.

With the Trace verbosity turned on (refer to KB Configuring logging on the Notification Server and an Altiris Agent computer), you should see an entry like:

Expected Log Entries:

Duplicate resource found (Duplicate): 'Computer10050' (1d94f159-ac0a-40b6-8fbd-a23b4b0b202c),
71523b58-18ce-48f0-99b1-49f5a42d3da2 (493435f7-3b17-4c4c-b07f-c23e7ab7781f, Base);
[cloudid]=[8F27D539-xxxx-xxxx-xxxx-xxxxxxxxxxxx.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx5D]
[fqdn]=[Computer10050.AD.EXAMPLE.COM]
[name.domain]=[Computer10050.AD]
[name.domain]=[Computer10050.AD.EXAMPLE.COM]
[tpmid]=[MHUTxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxPPP/6K=]
[uniqueid]=[MHBxxxxxxxxxxxxUG==]
[uniqueid]=[PFLOxxxxxxxxxxx0A==]
[wmdm_device_id]=[58xxxxxxxxxxxxxxxxxxxx315]
-----------------------------------------------------------------------------------------------------
Date: 3/21/2026 1:56:59 PM, Tick Count: 49840093 (13:50:40.0930000), Size: 792 B
Process: w3wp (5352), Thread ID: 602, Module: Altiris.NS.dll
Priority: 16, Source: Resource.DetectDuplicateItems

Followed by:

Entry 1:
Found duplicates for: 'Computer10050' (1d94f159-ac0a-40b6-8fbd-a23b4b0b202c), type=2c3cb3bb-fee9-48df-804f-90856198b600,
duplicates: 71523b58-18ce-48f0-99b1-49f5a42d3da2
-----------------------------------------------------------------------------------------------------
Date: 3/21/2026 1:56:59 PM, Tick Count: 49840093 (13:50:40.0930000), Size: 402 B
Process: w3wp (5352), Thread ID: 602, Module: Altiris.NS.dll
Priority: 8, Source: Resource.HandleDuplicateItems
Entry 2:
Preprocessing resource merge: 'Computer10050' (1d94f159-ac0a-40b6-8fbd-a23b4b0b202c), from=71523b58-18ce-48f0-99b1-49f5a42d3da2
-----------------------------------------------------------------------------------------------------
Date: 3/21/2026 1:56:59 PM, Tick Count: 49840109 (13:50:40.1090000), Size: 393 B
Process: w3wp (5352), Thread ID: 602, Module: Altiris.TaskManagement.dll
Priority: 16, Source: ProcessResourceMergeMessages.OnBeforeResourceMerge
Entry 3
Attempting to merge duplicate resources:
resource (to): 1d94f159-ac0a-40b6-8fbd-a23b4b0b202c, duplicate (from): 71523b58-18ce-48f0-99b1-49f5a42d3da2, type: 2c3cb3bb-fee9-48df-804f-90856198b600, allowRename: False, existingTarget: True
-----------------------------------------------------------------------------------------------------
Date: 3/21/2026 1:56:59 PM, Tick Count: 49840109 (13:50:40.1090000), Size: 460 B
Process: w3wp (5352), Thread ID: 602, Module: Altiris.NS.dll
Priority: 4, Source: Resource.PerformMerge
Entry 4:
Duplicate resources merge succeeded, resource(to): 'Computer10050' (1d94f159-ac0a-40b6-8fbd-a23b4b0b202c), duplicate(from): 71523b58-18ce-48f0-99b1-49f5a42d3da2, type: 2c3cb3bb-fee9-48df-804f-90856198b600, total time=00:00:00.3765276
-----------------------------------------------------------------------------------------------------
Date: 3/21/2026 1:57:00 PM, Tick Count: 49840500 (13:50:40.5000000), Size: 457 B
Process: w3wp (5352), Thread ID: 602, Module: Altiris.NS.dll
Priority: 4, Source: Resource.PerformMerge

Database Query:

Run the following SQL to identify if multiple names share a tpmid:

SELECT 
    i.Name AS [ComputerName], 
    rk.ResourceGuid, 
    rk.KeyName, 
    rk.KeyValue
FROM vItem i
JOIN ResourceKey rk ON i.Guid = rk.ResourceGuid
WHERE rk.KeyValue IN (
    SELECT KeyValue 
    FROM ResourceKey 
    WHERE KeyName = 'tpmid' 
    GROUP BY KeyValue 
    HAVING COUNT(*) > 1
)
ORDER BY rk.KeyValue, i.Name

Evidence Interpretation Table

Use the results from this query to build your "Cleanup" list:

Column	Description	Troubleshooting Action
ComputerName	The name of the machine as seen in the Console.	If two different names appear for one `KeyValue`, these resources are merging.
ResourceGuid	The unique internal ID for that record.	Use this to verify if the GUIDs flip-flop during inventory updates.
KeyValue	The specific TPM ID causing the conflict.	This value should be investigated on the physical/virtual hardware.

Actionable Steps

To prevent unintended resource merges caused by duplicate TPM identifiers (tpmid), follow the recommendations below.

Recommendation 1 – Identify and Correct VM Template Configuration

Review your virtual machine deployment process and confirm that templates do not contain pre-generated or static TPM identifiers.

Cloning a virtual machine duplicates the entire system, including the vTPM and its associated secrets, which are used to establish system identity.

If your virtualization platform supports TPM regeneration (for example, VMware vSphere), ensure that new TPM secrets are generated during cloning or at first boot.

For VMware environments, refer to:

Clone an Encrypted Virtual Machine (vmware.com)

VMware info on vTPM devices

When cloning, configure the VM to "Replace TPM (TPM Provision Policy)" to ensure a unique TPM identity is created.

Recommendation 2 – Generalize the Operating System

Always use Sysprep (or an equivalent generalization method) before capturing or deploying images.

This ensures that cloned systems generate unique hardware and system identifiers upon first boot.

Recommendation 3 – Prevent Resource Merging Based on TPMID (Temporary Mitigation)

What can be done before been able to remove duplicate tmpid entries:
If duplicate tpmid values already exist in the environment, configure IT Management Suite to prevent merging based on this key.

Option A – Use Resource Type Keys (Recommended)

For ITMS versions that include the Resource Type Keys configuration page:

Navigate to:

Console > Settings > Resource and Data Class Settings > Resource Type Keys

1. Locate Resource Type: Computer
2. Find the key tpmid
3. Edit the key
4. Set Merge Resources = No
5. Click OK

This prevents resources from being merged based on the tpmid value.

Note:
The Resource Type Keys page controls which keys are allowed to trigger resource merging.
Disabling merging for a key does not prevent the key from being used during resource lookup.

Option B – Use Core Settings (Legacy or Advanced Control)

If additional control is required, or the UI option is not available, configure the following Core Settings (Updating Core Settings in ITMS 8.5 and later):

- ComputerResourceMergeSettings = 2
  Prevents certain resource merge methods from being used
- ComputerResourceKeyFilter = tpmid
  Prevents the tpmid key from being used during resource lookup operations

Note:
The ComputerResourceKeyFilter Core Setting affects how resources are identified during data processing (for example, NSE ingestion or API operations).
When a key is filtered, it is excluded from resource lookup and matching logic.

Disabling merging based on the tpmid key should be considered a temporary workaround, not a long-term solution. The root cause (duplicate TPM identifiers from cloning) must be corrected at the virtualization or imaging level.
If duplicate tpmid values exist in a virtual environment—especially when using encryption or security solutions that rely on TPM keys—this may introduce a potential security risk. In such cases, data encrypted on one virtual machine could potentially be accessible or decrypted on another, which should be carefully evaluated and remediated.

Understand Resource Lookup and Merge Behavior

When processing incoming data (such as NSEs or API calls), behavior depends on whether a resource is found and whether a GUID is provided:

If no GUID is provided and no matching keys are found → A new resource is created
If no GUID is provided but another key matches → The existing resource is updated
If a GUID is provided and matches an existing resource → The resource is updated
If a GUID is provided but a different resource is found by another key → Resources are merged (if merging is allowed)

Filtering tpmid ensures that this key is not used during the lookup phase, reducing the likelihood of incorrect matches.

Apply the Same Approach to Other Keys (If Required)

The same configuration can be applied to any resource key:

Use the Resource Type Keys UI to control merge behavior per key
Use ComputerResourceKeyFilter to exclude keys from lookup operations

More information under KB Understanding ComputerResourceMergeSettings and ComputerResourceKeyFilter in ITMS

Additional Information

Client Machines are sending same UniqueID during Basic Inventory

Feedback

thumb_up Yes

thumb_down No