Endpoint Protection

  • 1.  SEP11 Clients moving location groups unexpectedly.

    Posted May 15, 2009 12:47 AM
    Hi All.

    We are currently running MR2 MP1 on both workstations and management servers, and discovered this problem while testing MR4 MP1a. We are seeing an unusual problem where some clients, Windows XP SP2 and 3 (laptops and desktops), are moving from a workstation location to a server location. This appears to be happening at random, with no common user, physical or logical link evident; we have all but ruled out human intervention. We are seeing this on both MR2 MP1 clients and we have noticed that it also occurs once MR4 MP1a is installed.

    When I look at the sylink.xml the RegisterClient PreferredGroup="Global\Clients\Workstations\Desktops" for desktops and <RegisterClient PreferredGroup="Global\Clients\Workstations\Laptops" PreferredMode="1" /> which is the correct location group for these workstations.

    Also, the registry keys have this information:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink] "PreferredGroup"="Global\\Clients\\Workstations\\Desktops"

    Can anyone advise what would be overriding the client settings and forcing these workstations into the incorrect location groups?


  • 2.  RE: SEP11 Clients moving location groups unexpectedly.

    Broadcom Employee
    Posted May 15, 2009 12:55 AM
    Hi,

    Right-click on the client group in the SEPM and click "Export Communication" to export a sylink.xml, then put that into the intended installation package. Then use that installation package to install, to check whether that client falls into the right intended group.

    Run the sylink monitor till the client moves from one group to another (wrong group) and paste it here; maybe experts will pinpoint the issue.

    Pete!


  • 3.  RE: SEP11 Clients moving location groups unexpectedly.

    Posted May 15, 2009 04:31 AM
    Your Sylink.xml files appear to be correct, but try Pete's suggestion on replacing these files just to be sure. Also, for the computers in question, have you built these fresh or from images like Ghost, RIS, WDS, WDC, etc.? If you built them from images, especially where SEP was installed prior to taking the image, see this document: http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/d84071c5137d6d318825738a00663b8d?OpenDocument


  • 4.  RE: SEP11 Clients moving location groups unexpectedly.

    Posted May 15, 2009 10:53 AM
    Hi,

    When a client is moved manually (or with the SylinkDrop or SylinkReplacer tools), it must first be deleted from Symantec Endpoint Protection Manager. After the client has been deleted, use the SylinkDrop or SylinkReplacer tool to apply the new Sylink.xml.

    The database still has a reference for the client belonging to the original group, so when it checks in, the database places it into the group where it last knew the client to exist.

    Another way of interpreting this is that clients cannot dictate what group they belong to; instead, the manager determines group membership, as it is based off a record in the database. That record must be expunged before a new group assignment can be applied.

    To resolve this, try the following:

    Delete the client from the Symantec Endpoint Protection Manager and then drop the new sylink.xml file.
    -------------------------------------------------------------------------------------------------------------------------------------------
    For detailed instructions see How to move Symantec Endpoint Protection clients to a different group...

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008020615383348


  • 5.  RE: SEP11 Clients moving location groups unexpectedly.
    Best Answer

    Posted May 17, 2009 09:33 PM
    Thanks for the ideas and tips, I will look into them. RickJDS, to answer your questions, we build from a RIS image with SEP11 being installed after the XP image. Initially we saw this problem on new builds but have since discovered that it is affecting workstations that were built as early as 2005, with the earlier workstations having SEP11 installed via MS SMS prior to December 2008.

    This has affected around 160 of a 7000 workstation fleet so far. Also, we have noticed the workstations are showing in user mode, not computer mode.

    sandip_sali, that is some useful information and I will look into the tools mentioned.

    Thanks
    jamit