Endpoint Protection

Good Afternoon,

I am having a problem with my managed clients showing up in my SEPM.  I work for the government and we have pre-configured images that we must deploy to clients.  The image has been updated to include the SEP Client package that was exported from the SEPM and installed on the image.  So that when the image is deployed and the system is joined to the domain, it will automatically report to the new SEPM.

Over the past two weeks, I have deployed 9 new clients with the image that has the pre-installed SEP Client.  They seem to be getting their content updated from the SEPM, but when I go into the SEPM and view the client listing for my Vista 32-bit machines, I do not see them listed. 

I have tried a couple other things to get the client to show up in the client listing on my SEPM.  I have tried:

1.  Remotely logging onto the system and runing the setup.exe file for the package that was created

2.  In the SEPM, going to Clients, Fine Unmanaged Computers, finding the computers, setting the parameters for the installation and doing the install.

3.  Run the Deployment wizard, select the system to deploy the packager to

All of these methods run with no errors, and still my client does not show up in the client list.

I was reading in the book I got with the SEP class I took, in the section on Making Unmanaged Clients Managed.  I followed the steps to export the communication settings from the group I wanted and saved the file.  Then went to the client machine, opened the SEP Client, went to Help & Support, Troubleshooting and it shows that the client is being managed by my SEPM and shows the server name.

So since it is clear that the clients are being managed by my SEPM, why can't I see them in the list of clients on the SEPM.  I have attached a snapshot of the management screen for one of the cllients that is not showing up in the SEPM list of clients.  It shows the server, the group assignment and some other settings.

If anyone has any idea why my clients are not showing up when they are being managed, I would appreciate any and all input.

Thanks
Lawrin

See this KB for a possible solution - http://www.symantec.com/business/support/index?page=content&id=TECH102815&actp=search&viewlocale=en_US&searchid=1286484981028

Thanks for the information.  I took a look at the solution and was able to do everything except stop and restart the Symantec Management Client.  When I went into the Services Snap-in and right-clicked on the service to stop it, the Start Stop, Pause, Resume and Restart options were all grayed out.  So I restarted the PC to see if it would assign it a new ID number and report to the server correctly.

Will let you know if that worked.

Thanks again for the prompt response. I am crossing my fingers

 the clients might be in user mode or in different domain within SEPM

1) to enable client mode

open sepm

click on clients

click on filter select user mode and also computer mode

2) to see if u have mutltiple domain

admin

domains

click on domains; do u see 2 domains; if yes then ; right click on the second one and select administer now go to the clients groups and check if u can see the client

To stop the SMC service: Start > Run > smc -stop

To restart: Start > Run > smc -start

sandra

Hi all,

This thread is included in the Security Solutions Contest.  Simply solve this thread, or any thread included in the contest, and you could be crowned "King of the week" and win a weekly prize.  Learn more here: https://www-secure.symantec.com/connect/blogs/security-solutions-contest-be-king-week

Good luck everyone!

Eric

If your SEPM is a Windows Server 2008 and you are not using NTP, make sure there's a port exception for 8014.  Windows firewall is enabled by default on Server 2008 and may prevent inbound communication from the clients.

sandra

The reason you might be having problems is the clients are using the same SID.

See this KB for info:

http://www.symantec.com/business/support/index?page=content&id=TECH97626&locale=en_US

Hope that helps!

Heelo,

When you install a SEP client it generates an ID and registers the client to the SEP manager with that ID. If you duplicate the same computer without cleaning the ID then you'll have a confusion in place.

So before you take the image of the computer and duplicate it follow these steps on the model computer:

1. Stop SMC on both of the affected client computers by clicking Start > Run, type smc -stop then click OK.
2. On the SEPM console, delete the client entry that the two computers have been sharing. This will prevent the client duplication that would otherwise occur due to the following steps.
3. On each of the affected computers, go to registry location:
   HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylink
4. Clear the value for "HardwareID." (make it blank)
5. On each of the affected computers, navigate to the following directory location:
   C:\Program Files\Common Files\Symantec Shared\HWID
6. Find file "sephwid.xml". Rename it to "sephwid.xml.bak".

Leave the smc service off. Then take the image.

When you duplicate the image and start the SEP service, it will regenerate those IDs.

Cycletech's link already explains duplicate SIDs.  I believe Lawrin has already tried this.  It also doesn't sound like any clients are showing as reporting in.

sandra

lwalker1958 Lets starts with some basics here :-

Please confirm the OS version where you have SEPM installed. The version of SEPM and the version of SEP 11 installed on clients. (Weather the SEPM was upgraded from any previous build and clients are still being deployed with the older version).

You have mentioned that the "  So that when the image is deployed and the system is joined to the domain, it will automatically report to the new SEPM."

Can you also check if you have any other SEPM ? Does any SEP 11 clients reports to Vista PCs (32-bit) group. If yes, then confirm the os versions (Windows XP, Win 2k/Win2k3 - Trying to isolate if its only something specific with Vista clients now showing up)

Lets try out the following steps on any one of the Vista client

Disable the "File Sharing Wizard."
Enable Network Discovery by using the "Network and Sharing center."
Set the "Remote Registry Service" to Automatic Startup.
Enable the built-in Administrator account and assign it a password.
Verify that the account has "elevated" privileges.

Refer to http://www.symantec.com/business/support/index?page=content&id=TECH102442&locale=en_US

After this lets capture the sylink monitor / watcher logs depending upon the client version

http://www.symantec.com/business/support/index?page=content&id=TECH103369&locale=en_US

Get the logs and we will proceed further..

After you gather the sylink logs, you might wanna take a look at this link

http://www.symantec.com/business/support/index?page=content&id=TECH104926&locale=en_US

We've seen this exact same problem and this resolved it for us:

How to fix RU5 (and later) clients that have been misconfigured and already rolled out to production (For each client:)

1. Delete %programfiles%\Common Files\Symantec Shared\HWID\sephwid.xml
2. Open the registry and navigate to HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylnk
3. Edit the "HardwareID" value data to be blank
4. Restart the Symantec Management Client (SMC) service in the services snap-in.

i had such issue not so long time ago,

the green light on symantec icon was appearing and it seemed that everything was fine... but when you wanted for example to see where was this client, it showed exact group for client in SEPM console. but when i was entering on that group this client was absent....

i was solving this problem with Sylinkdrop or Sylink Replacer tool...

after running this tool client was appearing in console.

Anytime this happens in my environment, the solution is what Cycletech and everyone else is suggesting... recreating the Unique ID by deleting the sephwid.xml and clearing the HardwareID value in the registry, then restarting the SMC service.

If you have active in your SEP client the option (Network Threat Protection) For verfica that Windows Firewall is turned off in your Windows Vista.
See Microsoft link
http://windows.microsoft.com/en-US/windows-vista/Turn-Windows-Firewall-on-or-off

If the machines cloned then yes it will create same hid try the above mentioned suggestion for removing hid & then check also check if port 8014 is set as exception on sep manager machine under windows firewall

I tried this and it did not seem to do anything.  I tried this on my machine where I have admin rights.  I opened Computer Management and opened the Services Applet so I could see it on my one screen.  Then I clicked Start, Run, and typed smc - stop.  I saw the spinning circle on my vista machine for a few seconds, and then did a refresh on Services, and the Symantec Management Client service was not stopped.  On my machine, that is running SEP Client, I have the following Symantec Services running:

Symantec Endpoint Protection - I have the ability to start and stop this service
Symantec Event Manager - I have the ability to start and stop this service
Symantec Management Client - I don't have the ability to start and stop this service.  Options are grayed out
Symantec Settings Manager - I have the ability to start and stop this service
 

Why is the option to stop and start the SMC service grayed out?

Lawrin

Only one domain, and filter is set to "Show all Users and Computers"

My SEPM is running on Windows Server 2008.  What is NTP?  Not sure how to set except8ions on Ports.  I checked Windows Firewall on the server and the service is NOT currently running.

NTP means network Threat protection.It is a component of SEP.If you install NTP it will disable windows firewall .It is normal...

SMC services is geting grayed out is normal.For stopping it you have to provide the command as smc<space>-stop.....

All,

First of all thank you to everyone who has responded to my plee for help.  All of the posts that refer to the duplicate ID is my problem.  When I created the image, I was logged into the domain and pushed the client to the image.  This created the ID.  Then I syspreped the image and it was cloned with that ID.  I did a check of all of the cllients I deployed that image to, and they all have the same ID.   So I followed the steps to remove the ID from one of the clients, only problem was that I was not able to stop and restart the SMC service because the option was grayed out.  So I restarted the client machine, and after it was restarted, it showed up on my SEPM under the correct group.

So this is my problem, I just don't know how I am going to effectively stop and restart the SMC service.  I can't right-click on the service to stop it because the option is grayed out.  I tried Start, Run, smc - stop and smc -start, and that did not seem to work either.  So my only option is to have the user restart their machine once I have cleared the ID.

Thanks,
Lawrin

Thanks.  I swear, not five minutes ago, I issued the command on the Run line "smc -stop" and then opened Comptuer Management and checked the services and the SMC service was still showing as started.  Just now I tried it again and it did indeed stop the service.  Thanks.  Let me work on clearing the unique IDs from the clients that I have deployed so far and then respond back to everyone if I have success.

You need to admin rights to stop and start services. Regular users won't be able to do that.

All,

Thank you all so much for your responses.  Thank you to CYCLETECH and all of the other users who sent me the link or instructions for how to "How to fix RU5 (and later) clients that have been misconfigured and already rolled out to production (For each client:)."  This was the solution that ultimately resolved my issue.  Thanks also to all of the users who responded to how to successfully stop and start the SMC service.

I have posted several questions to this forum and my questions are always answered quickly and with responses that ultimately help to resolve my issues.  So THANK YOU all once again.

Lawrin