Repair duplicate client IDs on cloned Endpoint Protection clients

Article ID: 154527

Products

Endpoint Protection

Issue/Introduction

There are duplicate Hardware IDs in the Symantec Endpoint Protection Manager (SEPM) database. This occurs after deploying multiple Windows computers, virtual or physical, by cloning a base hard drive image that includes a Symantec Endpoint Protection (SEP) client.

SEPM reports may also show threats from multiple computers under a single client name. This may lead to the perception that there are more detections than shown in local client logs.

Cause

Duplicate Hardware IDs occur if the base image was not prepared for cloning. For more information, see How to prepare an Endpoint Protection client for cloning.

Environment

Microsoft Windows

Resolution

SEPM and Windows clients version 14.0 MP1 and later can automatically correct duplicate hardware IDs when using optional conf.properties parameters.

Note: These steps do not work for SEP 14.2 and 14.2 MP1 clients and SEPM. A change in the client registration logic prevents the repair described below.

The issue with SEP 14.2 and 14.2 MP1 has been resolved in 14.2 RU1.

Add an appropriate line in conf.properties file

  1. Stop the SEPM service.
  2. Go to this location:
    • C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc
  3. Edit the file "conf.properties".
  4. Add these lines to the file:
    • scm.duplicatedhwkey.fix.enabled=true
    • scm.duplicatedhwkey.fix.client.csnreset.count=3
    • scm.duplicatedhwkey.fix.client.csnreset.time.range=86400000
  5. Save and close the conf.properties file.
  6. Start the SEPM service.

Additional information

The duplicate hardware ID (HWID) detection mechanism in SEP 14.0 MP1 and newer is enabled by adding "scm.duplicatedhwkey.fix.enabled=true" to conf.properties on the SEPM. The defaults are count=3 and range=86400000 (24 hours in milliseconds). In other words, if SEPM response code 468 is triggered 3 times within 24 hours for a specific client, that client is considered a duplicate and is sent response code 470. Upon receiving a 470 response code, the client (if version 14 MP1 or newer) automatically regenerates its ID before re-attempting registration with the SEPM.

Note: This setting is intended for temporary use while duplicates are being resolved and the base image issues corrected. See Excessive duplicate clients appear in Endpoint Protection Manager for potential side-effects. This feature does not presently work for macOS or Linux clients.

SEP 12.1.x and 14.0 RTM

In older versions of SEP there are three high-level steps to repair duplicate client IDs (the steps below are unnecessary in SEP 14.0 MP1 and newer, as described above):

  1. Identify the clients
  2. Repair the clients
  3. Clean up the client view in Symantec Endpoint Protection Manager

Step 1: Identify the clients

If you already know the IP addresses or names of the systems affected by this issue you can skip to Step 2. If you have multiple SEPMs, disable any replication relationships between them and perform the steps below on each SEPM. You should do this process on all servers before re-enabling replication.

  1. Stop the Symantec Endpoint Protection Manager service and the Symantec Endpoint Protection Manager Webserver service. When these services are stopped, back up and then delete the client connection log file: Symantec Endpoint Protection Manager install folder\data\inbox\log\ersecreg.log
    • Note: In 14.2 and newer, ersecreg.log has been renamed to ersecreg-a.log. Subsequent rolled-over logs have -1 appended, for example ersecreg-a-1.log.
    • The SEPMRepairTool_v3 includes instructions to update the batch script to accommodate this change.
  2. Restart the services after the log file has been deleted.
  3. Wait one heartbeat period so clients can reconnect to the SEPM. If your communication settings use a 30-minute heartbeat, wait at least 30 minutes. In the Symantec Endpoint Protection Manager, the heartbeat settings are under Clients > Policies > Communication settings.
  4. Run the SEPM Repair Tool using the instructions provided in ReadMe.txt (see Attachments for both). The output file from the SEPM Repair Tool is the list of clients affected by the duplicate ID issue. Save this file.

Step 2: Repair the clients

In the first steps below, you disable SMC password protection for the affected clients. If you do not have SMC password protection enabled, skip to step 4 of this section.

  1. Using the output list from the SEPM Repair Tool, find the affected clients in Symantec Endpoint Protection Manager and move them to a new temporary group.
  2. Disable the clients' SMC password protection.
    1. In Clients > Policies > General Settings > Security Settings, uncheck Require a password to stop the client service (SEP 12.1 RU4 MP1 and earlier SEPM)
    2. In Clients > Policies > Password Settings, uncheck Require a password to stop the client service (SEP 12.1 RU5 and later SEPM)
  3. Wait for one heartbeat interval to make sure the policy is updated for each client.
  4. Copy RepairClonedImage.exe to the computer that runs the SEPM.
  5. Rename RepairClonedImage.exe to Setup.exe.
  6. In the Client Deployment Wizard, deploy the renamed tool to the affected computers, using the output file from the SEPM Repair Tool as the list of clients.

    If you do not want to use the Client Deployment Wizard, you may use any software deployment method of your choice, or you can run the tool manually on the target computers. If you do not use the Client Deployment Wizard, administrator rights will be required when running the tool.

    By default, the RepairClonedImage tool will run silently, with no response to the user for success or failure. You may specify the -v command line option to show notification on success or failure.
  7. After the tool has been deployed, the clients should show up as online in the SEPM console.

    If you moved the clients to a temporary group, you may now move all of the online clients from the temporary group back to their original group.

Step 3: Clean up the client view in Symantec Endpoint Protection Manager

Resetting the client IDs will result in invalid offline clients being left in the client view in the SEPM. This could affect licensing and reporting. There are two options for removing the clients:

  1. Let the clients time out according to the SEPM site's aging criteria. This is 30 days by default.
  2. Manually delete the offline clients from the Client view page.

Attachments

SEPMRepairTool_v3.zip
RepairClonedImage.zip
ReadMe.txt
DuplicateHwIDFix.bat.txt