This document addresses the following two situations:
The Symantec Endpoint Protection 11.x (SEP) client needs to be installed on a system image meant for deploying client computers.
A misconfigured drive image containing SEP build RU5 (11.0.5002.333) was deployed to the environment and needs to be fixed.
One symptom of a misconfigured drive image for a SEP client running 11 RU5 or later is that, although the image has been deployed to multiple machines, only one record is displayed in the Symantec Endpoint Protection Manager (SEPM), when the expectation is that one record will be created for each machine deployed to. The hostname or username associated with this one record will change periodically.
If this is the symptom you are witnessing, please see "How to fix RU5 (and later) clients that have been misconfigured and already rolled out to production" in the Solution section of this document.
Proper configuration of SEP 11 client as part of a disk or drive image:
Releases prior to RU5 required that the HardwareID be deleted by following the instructions below.
NOTE: Failure to follow these directions may have adverse effects on client communication and registration.
Please ensure that the Symantec Endpoint Protection (SEP) client does not communicate with the Symantec Endpoint Protection Manager (SEPM) prior to and while creating the image.
If the SEP client has checked in and registered with the SEPM, the following registry values must be deleted prior to creating the image.
NOTE: The registry value HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\SySoftk must also be deleted if present.
Once the image is applied to a new system, the client will generate a unique id value, check in with its SEPM, and register. During the registration process, the SEPM will register all necessary client information into the database.
This value will regenerate the next time the client loads.
Releases RU5 and later work differently.
With this new design, the Hardware Key is now stored in %ProgramFiles%\Common Files\Symantec Shared\HWID\sephwid.xml. This allows for easier remediation in the following situations:
1) A client is generating new Hardware Keys on startup which could potentially conflict with another SEP client or for preparing a machine
   a. Move, rename, or remove the Hardware Key config XML file found in the Symantec common area.
   b. Remove the “HardwareID” registry value located in HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylink\
   c. Restart the client. New Hardware Key information will be generated in this case.
2) When the SEP client is installed on a clean VM or Ghost image using the same hardware, the Hardware Key is different.
   a. Since the new algorithm generates random IDs, any install on a clean machine will result in a new ID being generated. However, if the client is uninstalled and reinstalled, the ID should not change, since it is persisted in an XML file located in the Symantec common area, i.e. "%ProgramFiles%\Common Files\Symantec Shared".
In order to maintain the same ID when an image is restored, the customer should install SEP first before creating the image.
Alternatively, use a saved sephwid.xml file and force that Hardware Key to be used by setting HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\Sylink\Sylink\ForceHardwareKey in the registry to 1 (true).
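The Hardware Key reset in item 1 above (steps a to c), written as a PowerShell script for one RU5-or-later client. This is an added example, not a Symantec-supplied script. It assumes an elevated prompt, that smc resolves the same way it does from Start > Run, that "smc -start" is used for the restart, and that a 32-bit client on 64-bit Windows keeps its data under Wow6432Node and "Program Files (x86)".

```powershell
# Added example: reset the SEP 11 RU5+ Hardware Key so the client regenerates it.
# Run from an elevated PowerShell prompt on the affected client.
$ErrorActionPreference = 'Stop'

# Registry key named in the article, plus the Wow6432Node view
# (assumption: a 32-bit client on 64-bit Windows is redirected there).
$regKeys = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink',
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink'
)

# sephwid.xml location named in the article, checked under both Program Files roots.
$hwidFiles = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique |
    ForEach-Object { Join-Path $_ 'Common Files\Symantec Shared\HWID\sephwid.xml' }

# Stop the client first (the article's "smc -stop").
Start-Process -FilePath 'smc' -ArgumentList '-stop' -Wait

# Step a: rename rather than delete, so the old key can be restored if needed.
foreach ($file in $hwidFiles) {
    if (Test-Path -LiteralPath $file) {
        $backup = '{0}.{1:yyyyMMddHHmmss}.bak' -f $file, (Get-Date)
        Move-Item -LiteralPath $file -Destination $backup
        Write-Output "Renamed $file -> $backup"
    }
}

# Step b: remove the HardwareID value, logging the old ID for the change record.
foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        if ($null -ne $props.PSObject.Properties['HardwareID']) {
            Write-Output "Removing HardwareID $($props.HardwareID) from $key"
            Remove-ItemProperty -LiteralPath $key -Name 'HardwareID'
        }
    }
}

# Step c: restart the client so it generates new Hardware Key information.
Start-Process -FilePath 'smc' -ArgumentList '-start' -Wait
```

Comparing the logged old HardwareID across clients confirms which machines were sharing a key from the same image.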
How to fix RU5 (and later) clients that have been misconfigured and already rolled out to production:
The following steps must be performed on each client which has a duplicate hardware ID.
Stop the Symantec Management Client (SMC) service. This can be accomplished by clicking Start > Run and entering the command: smc -stop