Problem:
Duplicate clients are appearing in Symantec Endpoint Protection Manager (SEPM) console.
Environment:
Symantec Endpoint Protection 11.x and 12.1
SQL Server 2005 and 2008
Windows Server OS
Cause:
There are two causes for this issue:
Current Theory: The first possible cause for this is when an Endpoint has been re-imaged (whether in a virtual machine or on a physical system).
Things we know: Each installation of Symantec Endpoint Protection (SEP) randomly creates a "Unique Identifier" for the client. If this identifier changes and the re-imaged system checks in, it is recognized as a new client.
Example: The IP and computer name are the same, yet the database still shows a different Unique ID.
The second cause for this is related to an issue with moving clients to a different OU in Active Directory.
Solution:
There are 2 solutions for this issue as it relates to systems or sessions that have been re-imaged/reloaded.
Solution 1: Remove the client from SEPM if it is going to be rebuilt or re-imaged.
- If you know in advance that a group of systems is going to be re-imaged, you can remove those clients from the console ahead of time.
- If you have clients that are strictly running on virtual machines which are reloaded or re-imaged on a regular basis, create a separate client group for those clients. When it comes time to re-image them, they will be easier to locate when placed in their own group.
More information is available in the articles below:
1) How to prepare a Symantec Endpoint Protection 12.1 client for cloning (image)
http://www.symantec.com/docs/HOWTO54706
2) How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1
http://www.symantec.com/docs/TECH163349
Solution 2: Configure SEPM to remove clients which have not connected within a specific number of days.
- Open SEPM and select the Admin panel.
- Click on Servers.
- Right click on the Site where your management servers are located and choose Edit Properties.
- Check "Delete Clients that have not connected for __ Days"
- Enter a value for Days.
- Click OK.
NOTE: In version 12.1 of the SEPM, the location for adjusting the setting to delete clients which have not connected for X number of days has moved:
- In the SEPM, go to the Admin page.
- Select Domains.
- Under Tasks, select Edit Domain Properties.
- In the Edit Domain Properties window, on the default General tab, note the option to "Delete clients that have not connected for specified time."
Configuring a low value for this setting would clear up the duplicates more quickly.
It is important to consider clients that are offline over the weekend. Setting this value to 1 or 2 days will likely cause all your clients to be removed after a weekend.
A recommended value for large enterprise environments would be 7 to 14 days.
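The following is an added example, not part of the original article or any Symantec tooling. It finds duplicate entries (same computer name and IP, different Unique ID) in a client list and shows which entries a given "delete after N days" value would remove on a Monday morning. The CSV column names, the sample rows and the reference time are constructed assumptions, not a SEPM export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; column names are assumptions, not a SEPM export format.
SAMPLE_EXPORT = """computer_name,ip_address,unique_id,last_checkin
WS-001,10.0.0.11,AAAA1111,2024-03-01 09:15
WS-001,10.0.0.11,BBBB2222,2024-03-11 08:02
WS-002,10.0.0.12,CCCC3333,2024-03-08 17:40
VDI-07,10.0.1.7,DDDD4444,2024-02-20 12:00
VDI-07,10.0.1.7,EEEE5555,2024-03-05 12:00
VDI-07,10.0.1.7,FFFF6666,2024-03-11 07:55
"""
NOW = datetime(2024, 3, 11, 9, 0)  # constructed reference time: a Monday morning

def load_clients(text):
    """Parse the CSV text and convert last_checkin to datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["last_checkin"] = datetime.strptime(row["last_checkin"], "%Y-%m-%d %H:%M")
    return rows

def find_duplicates(rows):
    """Group by (name, IP); keep the newest check-in, return the stale rows per group."""
    groups = defaultdict(list)
    for row in rows:
        groups[(row["computer_name"].lower(), row["ip_address"])].append(row)
    stale = {}
    for key, members in groups.items():
        if len({m["unique_id"] for m in members}) > 1:
            members.sort(key=lambda m: m["last_checkin"], reverse=True)
            stale[key] = members[1:]  # everything except the most recent ID
    return stale

def purged_by_retention(rows, days, now=NOW):
    """Model of the setting: IDs whose last check-in is older than `days` days."""
    cutoff = now - timedelta(days=days)
    return sorted(r["unique_id"] for r in rows if r["last_checkin"] < cutoff)

if __name__ == "__main__":
    clients = load_clients(SAMPLE_EXPORT)
    for (name, ip), old in find_duplicates(clients).items():
        print(name, ip, "stale IDs:", [o["unique_id"] for o in old])
    for days in (2, 7, 14):
        print(days, "days ->", purged_by_retention(clients, days))
```

In the sample, a value of 2 removes WS-002, a healthy client that last checked in on Friday evening, while a value of 7 removes only entries that are stale duplicates.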