Endpoint Protection


How come I got duplicated SEP client in my SEPM database ?

  • 1.  How come I got duplicated SEP client in my SEPM database ?

    Posted Aug 22, 2012 05:26 AM

    Hi People,

    I'm curious and confused as to why my client got listed multiple times in the SEPM database?

    The way I know it is by querying using the following SQL script:

     

    SELECT computer_name,
           -- time_stamp is in milliseconds since 1970-01-01; convert to a datetime
           Dateadd(s, CONVERT(BIGINT, [time_stamp]) / 1000, '01-01-1970 00:00:00')
               AS [Time Stamp],
           -- ip_addr1 is stored as an integer; split it into four dotted octets
           Cast((CASE WHEN ip_addr1 < 0 THEN 0xFFFFFFFF + ip_addr1 ELSE ip_addr1 END
                 / 256 / 256 / 256) & 0xFF AS VARCHAR)
           + '.' + Cast((CASE WHEN ip_addr1 < 0 THEN 0xFFFFFFFF + ip_addr1 ELSE ip_addr1 END
                 / 256 / 256) & 0xFF AS VARCHAR)
           + '.' + Cast((CASE WHEN ip_addr1 < 0 THEN 0xFFFFFFFF + ip_addr1 ELSE ip_addr1 END
                 / 256) & 0xFF AS VARCHAR)
           + '.' + Cast(CASE WHEN ip_addr1 < 0 THEN 0xFFFFFFFF + ip_addr1 ELSE ip_addr1 END
                 & 0xFF AS VARCHAR)
               AS LOCAL_IP_ADDRESS
    FROM   sem_computer
    -- keep only computer names that appear more than once
    WHERE  computer_name IN (SELECT computer_name
                             FROM   sem_computer
                             GROUP  BY computer_name
                             HAVING ( Count(computer_name) > 1 ))
    ORDER  BY computer_name ASC

    What should I do to rectify this issue?



  • 2.  RE: How come I got duplicated SEP client in my SEPM database ?

    Posted Aug 22, 2012 05:27 AM

    The computer name is the same but the time stamp is different.

    On other occasions the timestamp and the IP address are different because the workstation has been reformatted for another purpose.



  • 3.  RE: How come I got duplicated SEP client in my SEPM database ?

    Posted Aug 22, 2012 05:45 AM

    Hello,

    This would not clear history of the present clients which are reporting to SEPM.

     Remove duplicated SEP client on SEPM console

    Configure SEPM to remove clients which have not connected within a specific number of days.

    1. Open SEPM and select the Admin panel.
    2. Click on Servers
    3. Right click on the Site where your management servers are located and choose Edit Properties
    4. Check "Delete Clients that have not connected for __ Days"
    5. Enter a value for Days.
    6. Click OK.

    SEP 11

    http://www.symantec.com/docs/TECH93732

    SEP 12.1

    http://www.symantec.com/docs/TECH176400

     



  • 4.  RE: How come I got duplicated SEP client in my SEPM database ?

    Trusted Advisor
    Posted Aug 22, 2012 05:47 AM

    Hello,

    Check this article:

    Duplicate SEP clients appear in the Symantec Endpoint Protection Manager console

    https://www-secure.symantec.com/connect/articles/duplicate-sep-clients-appear-symantec-endpoint-protection-manager-console

    Hope that helps!!



  • 5.  RE: How come I got duplicated SEP client in my SEPM database ?

    Posted Aug 22, 2012 06:16 AM

    Well, from the SQL query result, it seems that the duplicated client has two entries: one entry that is recent as of today and another entry that is more than one month old.

    Also, I believe that by default the SEPM policy is 30 days.
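
An added example, not part of the thread: following the observation in post 5 that a duplicated name has one recent entry and one older one, this read-only T-SQL ranks the rows for each computer_name by time_stamp and labels the older ones. The table variable and its rows are constructed sample data (an assumption for illustration); against a real SEPM database, select from sem_computer instead.

```sql
-- Constructed sample rows standing in for sem_computer (illustrative values only).
DECLARE @sem_computer TABLE (
    computer_name NVARCHAR(64),
    time_stamp    BIGINT          -- milliseconds since 1970-01-01, as in the thread's query
);

INSERT INTO @sem_computer (computer_name, time_stamp) VALUES
    (N'WS-001', 1345612800000),   -- 2012-08-22
    (N'WS-001', 1342137600000),   -- 2012-07-13
    (N'WS-002', 1345609200000);   -- 2012-08-22, single entry

WITH ranked AS (
    SELECT computer_name,
           DATEADD(s, time_stamp / 1000, '1970-01-01') AS last_seen,
           -- rn = 1 is the most recently updated row for that name
           ROW_NUMBER() OVER (PARTITION BY computer_name
                              ORDER BY time_stamp DESC) AS rn,
           COUNT(*)     OVER (PARTITION BY computer_name) AS entries
    FROM   @sem_computer
)
SELECT computer_name,
       last_seen,
       -- how many days this row lags behind the newest row with the same name
       DATEDIFF(day, last_seen,
                MAX(last_seen) OVER (PARTITION BY computer_name)) AS days_behind_newest,
       CASE WHEN rn = 1 THEN 'current' ELSE 'stale' END AS entry_state
FROM   ranked
WHERE  entries > 1                -- only names that are duplicated
ORDER  BY computer_name, rn;
```

With the sample rows, WS-001 is returned twice (one 'current' row and one 'stale' row 40 days behind), and WS-002 is not returned because it has a single entry.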

     



  • 6.  RE: How come I got duplicated SEP client in my SEPM database ?

    Posted Aug 22, 2012 06:23 AM

    No, the default policy means you can delete SEP clients that have been offline for 30 days.

    Currently I think you are not applying this policy.

    You can set the default days as per your requirement.

    The purpose of this policy is to automatically delete duplicate clients that have not connected to your SEPM in the last 30 days.

     



  • 7.  RE: How come I got duplicated SEP client in my SEPM database ?

    Posted Aug 22, 2012 07:35 AM

    You can reduce the number from 30 as it suits you.

    Are these any specific machines, and are they numerous? It is known to happen when you image SEP clients without removing the HWID.



  • 8.  RE: How come I got duplicated SEP client in my SEPM database ?

    Broadcom Employee
    Posted Aug 22, 2012 08:22 AM

    Hi,

    The root cause is the cloned image; check the following description for more details.

    When you deploy multiple Windows computers, virtual or physical, by cloning a base hard drive image that includes Symantec Endpoint Protection 12.1, you end up with duplicate client IDs in the Symantec Endpoint Protection Manager's database.

    The cloned computers report as the same client to the Endpoint Protection Manager, which results in duplicate hardware IDs.

     



  • 9.  RE: How come I got duplicated SEP client in my SEPM database ?

    Posted Aug 22, 2012 10:00 PM

    Yes, that does make sense, Chetan. So in this case there is no other way to delete it to reduce the licensing count in the SEPM v 12.1 console?

    This duplicated entry is counted towards the license usage :-|



  • 10.  RE: How come I got duplicated SEP client in my SEPM database ?
    Best Answer

    Posted Aug 22, 2012 10:23 PM

    Yes,

    You can enable the Automatic Delete SEP client feature. With this feature you can save your licenses.

    When we deploy any image, the HWD IDs are the same and the computer name is different, but in your case the computer name is the same.

    How to prepare a Symantec Endpoint Protection 12.1 client for cloning (image)

    http://www.symantec.com/business/support/index?page=content&id=HOWTO54706

    Check my "Download Image Installation System Problem" for SEP 11

    https://www-secure.symantec.com/connect/downloads/image-installation-system-problem



  • 11.  RE: How come I got duplicated SEP client in my SEPM database ?

    Broadcom Employee
    Posted Aug 22, 2012 10:26 PM

    Reduce the number of days the client hasn't reported to SEPM for a day, then a day after DB sweeping you can reset it back to 30 days.

    This will make the license count come down because duplicate computers will be deleted.



  • 12.  RE: How come I got duplicated SEP client in my SEPM database ?

    Posted Aug 22, 2012 10:36 PM

    Pete,

     

    What happens if someone is not in the office for 4 weeks and SEPM deletes their record (non contactable for 30 days). Will SEP re-scan and install AV updates once the machine connects to the network (when the person returns to work) ?



  • 13.  RE: How come I got duplicated SEP client in my SEPM database ?

    Posted Aug 22, 2012 10:49 PM
    • When communication mode is set to Pull, the SEP client will check in again at the next heartbeat interval.
    • When communication mode is set to Push, the SEP client does not fully disconnect, which allows any policy changes made in SEPM to occur immediately on the SEP client.

    http://www.symantec.com/connect/articles/symantec-endpoint-protection-heartbeat-process

    At the next heartbeat interval your SEP client will show in the SEPM console.

     

     



  • 14.  RE: How come I got duplicated SEP client in my SEPM database ?

    Posted Aug 22, 2012 11:02 PM

    Many thanks people !



  • 15.  RE: How come I got duplicated SEP client in my SEPM database ?

    Posted Aug 22, 2012 11:03 PM

    Most welcome ;-)



  • 16.  RE: How come I got duplicated SEP client in my SEPM database ?

    Posted Aug 22, 2012 11:25 PM

    OK, rather than doing this regedit manually on every duplicated system, can I just push upgrade the SEP client v 12.1 RU1?

    This duplicate was caused by the SEP client being installed in the base image and then cloned or deployed multiple times.



  • 17.  RE: How come I got duplicated SEP client in my SEPM database ?

    Posted Aug 22, 2012 11:31 PM

    Yes, this is caused by installing based on a clone image.