Duplicate clients are appearing in the Symantec Endpoint Protection Manager (SEPM) console.
Symantec Endpoint Protection 11.x and 12.1
SQL Server 2005 and 2008
Windows Server OS
There are two causes for this issue:
Current Theory: The first possible cause is that an endpoint has been re-imaged (whether it is a virtual machine or a physical system).
Things we know: Each installation of Symantec Endpoint Protection (SEP) randomly creates a "Unique Identifier" for the client. If this identifier changes and the re-imaged system checks in, SEPM recognizes it as a new client.
Example: The IP and computer name are the same, yet the database still shows a different Unique ID.
The second cause for this is related to an issue with moving clients to a different OU in Active Directory.
There are 2 solutions for this issue as it relates to systems or sessions that have been re-imaged/reloaded.
Solution 1: Remove the client from SEPM if it is going to be rebuilt or re-imaged.
- If you know in advance that a group of systems is going to be re-imaged, you can remove those clients from the console ahead of time.
- If you have clients that are strictly running on virtual machines which are reloaded or re-imaged on a regular basis, create a separate client group for those clients. When it comes time to re-image them, they will be easier to locate when placed in their own group.
More Info in the Articles below:
1) How to prepare a Symantec Endpoint Protection 12.1 client for cloning (image)
2) How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1
Solution 2: Configure SEPM to remove clients which have not connected within a specific number of days.
- Open SEPM and select the Admin panel.
- Click on Servers.
- Right-click on the Site where your management servers are located and choose Edit Properties.
- Check "Delete Clients that have not connected for __ Days"
- Enter a value for Days.
- Click OK.
NOTE: In version 12.1 of the SEPM, the location for adjusting the setting to delete clients which have not connected for X number of days has moved:
- In the SEPM, go to the Admin page.
- Select Domains.
- Under Tasks, select Edit Domain Properties.
- In the Edit Domain Properties window, on the default General tab, note the option to "Delete clients that have not connected for specified time."
Configuring a low value for this setting would clear up the duplicates more quickly.
It is important to consider clients that are offline over the weekend. Setting this value to 1 or 2 will likely cause all your clients to be removed after a weekend.
A recommended value for large enterprise environments would be 7 to 14 days.
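The following is an added example, not Symantec code: it finds records that share a computer name and IP but carry different Unique IDs, then shows which records a given "delete clients that have not connected" value would remove on a Monday morning. The CSV layout and column names are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; the column names are assumptions, not a SEPM format.
SAMPLE_CSV = """computer_name,ip_address,unique_id,last_checkin
WS-001,10.0.0.11,AAAA1111,2024-03-01T09:00:00
WS-001,10.0.0.11,BBBB2222,2024-03-15T16:30:00
WS-002,10.0.0.12,CCCC3333,2024-03-15T17:00:00
VDI-07,10.0.1.7,DDDD4444,2024-03-10T08:00:00
VDI-07,10.0.1.7,EEEE5555,2024-03-14T08:00:00
VDI-07,10.0.1.7,FFFF6666,2024-03-18T07:45:00
"""

def load_clients(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["last_checkin"] = datetime.fromisoformat(r["last_checkin"])
    return rows

def find_duplicates(rows):
    """Return {(name, ip): (current_row, [stale_rows])} for keys with more than one Unique ID."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["computer_name"].lower(), r["ip_address"])].append(r)
    result = {}
    for key, members in groups.items():
        if len({m["unique_id"] for m in members}) > 1:
            members.sort(key=lambda m: m["last_checkin"], reverse=True)
            result[key] = (members[0], members[1:])  # newest check-in is the live client
    return result

def purged_by_retention(rows, days, now):
    """Unique IDs that have not connected within `days` and would therefore be deleted."""
    cutoff = now - timedelta(days=days)
    return sorted(r["unique_id"] for r in rows if r["last_checkin"] < cutoff)

if __name__ == "__main__":
    clients = load_clients(SAMPLE_CSV)
    now = datetime(2024, 3, 18, 8, 0)  # a Monday morning, after a weekend offline
    for (name, ip), (current, stale) in find_duplicates(clients).items():
        print(name, ip, "keep", current["unique_id"], "stale", [s["unique_id"] for s in stale])
    for days in (2, 7, 14):
        print(days, "days ->", purged_by_retention(clients, days, now))
```

With a value of 2, the live records for WS-001 and WS-002 (last seen Friday afternoon) are removed along with the stale ones; with 7 or 14, only records left behind by re-imaging age out.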