Endpoint Protection


How is a "UNIQUE ID" generated?


  • 1.  How is a "UNIQUE ID" generated?

    Posted Sep 01, 2010 10:57 AM
    How is a UNIQUE ID for a client generated?

    I have 3 machines...
    And each one keeps registering within SEPM with the same Unique ID.
    So, basically, machine1 is there, and then changes to machine2 and then machine3.

    They are NOT imaged machines.
    I did the following in this order.
    I removed them from the Domain AND changed their names.
    I ran clean wipe on all 3 machines, completely removed SEP client. I ran NEWSID, and changed their Unique IDs from Windows. They are not the same, I checked.
    Renamed them as to what their names should be.
    Re-added them to the Domain. Re-installed SEP client.
    Now only 2 machines are having this behavior.
    DNS information is correct as well as WINS information.
    MAC addresses on each machine are unique. I checked to make sure.

    So, how are the UNIQUE IDs generated by SEP to SEPM and how can I force a change??

    Thanks.


  • 2.  RE: How is a "UNIQUE ID" generated?
    Best Answer

    Posted Sep 01, 2010 11:02 AM
    Are all the 3 machines installed with the Same Image?

    Configuring Symantec Endpoint Protection client for deployment as part of a drive image



    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/d84071c5137d6d318825738a00663b8d?OpenDocument


  • 3.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 01, 2010 12:04 PM

    Hi folks,

    If you're not familiar with this particular contest, please take a look here:
    https://www-secure.symantec.com/connect/blogs/secu...

    If you can solve this thread, among the others included for this week, you can be crowned "King for a week" and win a prize.

    So, do your research, post your best comment as a possible solution, and you could win!

    Eric



  • 4.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 01, 2010 12:20 PM
    Try this once
    How to fix RU5 (and later) clients that have been misconfigured and already rolled out to production (For each client:)
    1. Delete %programfiles%\Common Files\Symantec Shared\HWID\sephwid.xml
    2. Open the registry and navigate to HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylnk
    3. Edit the "HardwareID" value data to be blank
    4. Restart the Symantec Management Client (SMC) service in the services snap-in.


  • 5.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 01, 2010 01:39 PM
    NOTE:
    Clients are XP x64
    SEP is 11.06 MP1

    * * * *
    1. File does not Exist.
    2. Found Key
    3. Keys on both Machines are exactly the same.

    Removed both keys from both machines and in the process of rebooting.

    Will let you know in a few minutes.
    ************
    UPDATE
    ************

    After a Reboot of the System, the exact same Hardware ID came back in both machines in the Registry.




  • 6.  RE: How is a "UNIQUE ID" generated?

    Broadcom Employee
    Posted Sep 01, 2010 05:42 PM
    The exact path for step 1 which Vikram posted for a 64bit machine should be:

    C:\Program Files (x86)\Common Files\Symantec Share\HWID\sephwid.xml

    Without clearing out that file (sephwid.xml) it would not generate a new Hardware ID.


  • 7.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 02, 2010 03:54 AM
    In SEPM go to Clients --> corresponding group, delete both PCs from there.
    In the client
    Delete %programfiles%\Common Files\Symantec Shared\HWID\sephwid.xml
    Open the registry and navigate to HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylnk
    Edit the "HardwareID" value data to be blank
    Restart the Symantec Management Client (SMC) service in the services snap-in.


    Note: this procedure is applicable to RU5 or above. If this is not the case pls post...


  • 8.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 02, 2010 04:39 AM

    This Unique ID is the CLIENT_ID from the SEM_Client data table in the database.  This value is the GUID of that client record. It is the Primary Key of that table and so it must be unique.

    So you need to do 2 things to resolve the issue
     
     
    1: This was already mentioned in my first post
     
    How to fix RU5 (and later) clients that have been misconfigured and already rolled out to production (For each client:)

    1. Delete %programfiles%\Common Files\Symantec Shared\HWID\sephwid.xml
    2. Open the registry and navigate to HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylnk
    3. Edit the "HardwareID" value data to be blank
    4. Restart the Symantec Management Client (SMC) service in the services snap-in.

    Clients should now generate unique HardwareID's and sephwid.xml's.
     
     
    2: Configure SEPM to remove clients which have not connected within a specific number of days.
    Open SEPM and select the Admin panel.
    Click on Servers
    Right click on the Site where your management servers are located and choose Edit Properties
    Check "Delete Clients that have not connected for __ Days"
    Enter a value for Days.
    Click OK.




  • 9.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 02, 2010 10:57 AM
    The machines are NOT imaged.

    Have done exactly as stated above.  Removed the file:
    - %programfiles%\Common Files\Symantec Shared\HWID\sephwid.xml
    - Cleared the registry entry: Open the registry and navigate to HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylnk\HardwareID

    * * * * * *
    The second part is more complicated.

    The clients, machine2 and machine3. 
    They alternate every, say, 45 minutes.  SEPM will see one machine and then an hour or so later will see the other machine.

    It is impossible for me to delete both from the server at the same time.  As deleting one, it detects the other and so forth.

    Doing as stated above, the system simply regenerates the SAME Unique ID.  Over and over again. 

    Which once again, leads me to the first question. 

    How is the Unique ID generated?

    If it's by MAC address or System Configuration, I will simply change the build in the system.  Add or change the Network Card from an Intel to a 3Com.  Or something similar to that effect.


  • 10.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 02, 2010 11:15 AM
    If so I can give you some steps, via SQL commands, that will nuke the clients from the DB.

    It's not clear to me from your post above, are you running SEP RU6 MP1 on the SEPM and ALL the clients in question?

    Some of the suggestions above are only for RU5 or greater, for MR4 clients, other steps have to be taken.

    -Mike


  • 11.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 02, 2010 11:22 AM
    Hi,

    Can you post the recerg logs from sepm\tomcat\logs folder?

    Also, please post the sylinkmonitor logs from the machine2 as well as machine3.

    Aniket


  • 12.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 02, 2010 11:26 AM
    Yes, SEPM and all clients are running RU6 MP1.


  • 13.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 02, 2010 11:54 AM
    Are you running an MS SQL DB?

    If so, are you willing and able to directly edit the DB (not supported by Symantec) to remove the offending clients?

    -Mike


  • 14.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 02, 2010 12:09 PM
    Unfortunately.

    I thought about trying to manipulate the Data directly... 

    Still considering it.


  • 15.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 02, 2010 12:13 PM
    There is nothing I can find named: "recerg"?
    I let Sylinkmonitor run for a little while and nothing comes up.  Stays completely blank all the time...
    However, clients are receiving updates, I can see them coming in and watched the definitions date change while waiting for something to appear in Sylinkmonitor.

    *************************

    Can I manually change the Unique ID in both places mentioned?  Registry and XML file?
    Can I increment by 1.

    So xxxxxxxxxxxxxxxxxxxxxxxxxa to xxxxxxxxxxxxxxxxxxxxxxxxxb ??


  • 16.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 02, 2010 12:31 PM
    ...but I use http://www.dbsolo.com/ to edit my embedded Symantec SEPM DB's. Cumbersome to accomplish the same processes, but doable nonetheless.

    -Mike


  • 17.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 02, 2010 12:55 PM

    I think it was a typo from Aniket, he was referring to Ersecreg.log located at \Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox
     



  • 18.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 02, 2010 01:18 PM
    Hey Prachand,

    Thanks for the prompt correction.

    Appreciate it.

    Aniket


  • 19.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 02, 2010 01:23 PM
    See moved post below...

    -Mike




  • 20.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 02, 2010 01:23 PM
    Jason, I have asked this before and unless one of the developers (the right one) peruse the forums, you will probably never get an answer to this.

    I have dealt with the Duplicate Client_ID and/or Computer_ID for a while and for the most part, the above methods should work. At times when they don't, because we Sync our SEPM to AD, I have to go in and manually edit the DB to un-munge the client.

    I wrote a program to do the steps above automatically. Because of the way I code, I added an extra step or two:

    1) Stop SMC Service (either via cmd line (smc -stop) or in services.msc) - if tamper protect is on, disable it first.
    2) Find the sephwid.xml file and delete it from these locations (you must do this step):
    • %HomeDrive%\Program Files (x86)\Common Files\Symantec Shared\HWID\sephwid.xml
    • %HomeDrive%\Program Files\Common Files\Symantec Shared\HWID\sephwid.xml

    3) Open the registry and BLANK (remove the data value), not delete, the HardwareID key from these locations: (take note of the HardwareID and the ComputerID first...)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink
    • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink
    I don't have an XP 64bit OS to test with, so the second reg key above may not be a valid path.

    4) quit out of regedit
    5) Restart the SMC Service (either via cmd line (smc -start) or in services.msc)

    Now go back into the registry and see if the ComputerID and or the HardwareID have changed.

    For grins...and just as something else easy to try...go into Add/Remove Programs and try a Repair.

    If none of the above seems to work, then editing the DB directly is the only way I know to resolve similar issues.

    -Mike
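
The per-client steps listed in the post above, written out as a PowerShell script. This is an added example, not the program the poster mentions and not Symantec code; the `-SmcPath` and `-WaitSeconds` parameters are assumptions, and Tamper Protection is assumed to be disabled already.

```powershell
# Added example: reset the SEP HardwareID on one client, following the thread's steps.
# Run from an elevated prompt on the affected client.
param(
    [Parameter(Mandatory = $true)][string]$SmcPath,  # assumption: full path to smc.exe on this client
    [int]$WaitSeconds = 60                           # assumption: time allowed for the ID to regenerate
)
$ErrorActionPreference = 'Stop'

# File and registry locations exactly as listed in the post above.
$hwidFiles = @(
    "$env:HOMEDRIVE\Program Files (x86)\Common Files\Symantec Shared\HWID\sephwid.xml",
    "$env:HOMEDRIVE\Program Files\Common Files\Symantec Shared\HWID\sephwid.xml"
)
$regKeys = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink',
    'HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink'
) | Where-Object { Test-Path $_ }   # the WOW6432Node key may not exist on every OS

function Get-SepIds {
    # Read HardwareID and ComputerID from each key that exists on this machine.
    foreach ($key in $regKeys) {
        $p = Get-ItemProperty -Path $key
        [pscustomobject]@{ Key = $key; HardwareID = $p.HardwareID; ComputerID = $p.ComputerID }
    }
}

$before = @(Get-SepIds)                       # take note of the IDs first
& $SmcPath -stop                              # step 1: stop the SMC service
Start-Sleep -Seconds 10

foreach ($file in $hwidFiles) {               # step 2: delete sephwid.xml wherever it exists
    if (Test-Path $file) { Remove-Item -Path $file -Force; Write-Host "Deleted $file" }
}
foreach ($key in $regKeys) {                  # step 3: blank the value, do not delete it
    Set-ItemProperty -Path $key -Name HardwareID -Value ''
}

& $SmcPath -start                             # step 5: restart the SMC service
Start-Sleep -Seconds $WaitSeconds

$after = @(Get-SepIds)                        # compare old and new IDs per key
for ($i = 0; $i -lt $after.Count; $i++) {
    $changed = $after[$i].HardwareID -and ($after[$i].HardwareID -ne $before[$i].HardwareID)
    Write-Host ("{0}`n  old={1}`n  new={2}`n  changed={3}" -f $after[$i].Key,
        $before[$i].HardwareID, $after[$i].HardwareID, [bool]$changed)
}
```

A `changed=False` result matches the behaviour the original poster reports, where the same ID is regenerated; the script does not touch the SEPM console or database.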




  • 21.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 03, 2010 07:46 PM

    Hello,

    I believe it uses the MAC address to generate the Hardware ID, and the Hardware ID in turn is used to generate the unique ID.

    Can you please make sure that all three clients have a different MAC address? Or can you try to change the Ethernet card for them?


     



  • 22.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 08, 2010 03:44 AM
    So. Basically, delete both machines from SEPM console, and the hardware ID's, as well as the sephwid.xml files on the clients.

    Outstanding, had this issue for a while now!



  • 23.  RE: How is a "UNIQUE ID" generated?

    Posted Sep 08, 2010 08:46 AM
    Thanks guys and sorry for the late update!

    Finally got this one cleared up.

    **EDIT**

    And thank you to Prachand for the initial document.  Which I *clearing throat* did not read.  Because it was titled about "Ghosting" the machines.  Where these machines are not imaged.  I use NLITE and create an Unattended installation CD/DVD which lets me drop a disk in and walk away.
     
     
    Try this once
    How to fix RU5 (and later) clients that have been misconfigured and already rolled out to production (For each client:)

    1. Delete %programfiles%\Common Files\Symantec Shared\HWID\sephwid.xml
    2. Open the registry and navigate to HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylnk
    3. Edit the "HardwareID" value data to be blank
    4. Restart the Symantec Management Client (SMC) service in the services snap-in.

    As a Final EDIT, NEEDS to have the Machines in the SEPM console.

    I am going to give you the Solution Vikram.

    However, I needed to do the following as well or nothing would work.

    As stated Above.
    - Enter SEPM console.
    - Delete the entry for machine2.
    - Shutdown machine.
    * * * * *
    - When machine3 appeared in the SEPM, deleted that machine from the SEPM.

    - Turn on Machine2, reboot machine3 and they both generated new HardwareID (UniqueID).

    If I did not add the above mentioned about deleting BOTH entries from SEPM, they would simply come back with their behavior.

    Thank you guys!