There are duplicate client IDs in the Symantec Endpoint Protection Manager (SEPM) database. This occurs after deploying multiple Windows computers, virtual or physical, by cloning a base hard drive image that includes a Symantec Endpoint Protection (SEP) client.
SEPM reports may also show threats from multiple computers under a single client name. This may lead to the perception that there are more detections than shown in local client logs.
Duplicate client IDs occur if the base image was not prepared for cloning. For more information, see How to prepare an Endpoint Protection client for cloning.
This issue is fixed in Symantec Endpoint Protection 14.2 RU1. For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec Endpoint Protection.
SEPM and Windows clients version 14.0 MP1 and later can automatically correct duplicate client IDs using optional conf.properties parameters:
Note: These steps do not work for SEP 14.2 clients and SEPM. A change in the client registration logic prevents the repair described below.
C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc
The duplicate hardware ID (HWID) detection mechanism in SEP 14.0 MP1 and newer is enabled by adding "scm.duplicatedhwkey.fix.enabled=true" to conf.properties at the SEPM. The defaults are count=3 and range=86400000 (24 hours in milliseconds) -- i.e. if a SEPM response code 468 is triggered 3 times within 24 hours for a specific client, then that client would be considered a duplicate and would be sent a 470 response code. Upon receiving a 470 response code, the client (if version 14 MP1 and newer) would automatically regenerate its ID before re-attempting registration with the SEPM.
Note: This setting is intended for temporary use while duplicates are being resolved and the base image issues corrected. See Excessive duplicate clients appear in Endpoint Protection Manager for potential side-effects. This feature does not presently work for macOS or Linux clients.
In older versions of SEP there are three high-level steps to repair duplicate client IDs (the steps below are unnecessary in SEP 14.0 MP1 and newer, as described above):
If you already know the IP addresses or names of the systems affected by this issue you can skip to Step 2. If you have multiple SEPMs, disable any replication relationships between them and perform the steps below on each SEPM. You should do this process on all servers before re-enabling replication.
In the first steps below, you disable SMC password protection for the affected clients. If you do not have SMC password protection enabled, skip to step 4 of this section.
Resetting the client IDs will result in invalid offline clients being left in the client view in the SEPM. This could affect licensing and reporting. There are two options for removing the clients:
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe
Thanks for your feedback. Let us know if you have additional comments below. (requires login)
This will clear the history and restart the chat.