Symantec Endpoint Protection (SEP) clients are constantly generating duplicated entries into Symantec Endpoint Protection Manager (SEPM) console. Duplicates can be deleted but they keep coming back after a while.
Delete Hardware Key value from the registry did not help. SEP log analysis shows the client is triggering new Hardware Key on very regular basis.
In SMC debug log:
<HWID CSyLink::GetHardwareKey> Get Hardware ID => Start Hardware Key generation/retrieval process
<HWID HardDriveInfoCollector::getSystemInfo> Loaded ID from system: [...]
<HWID NetworkCardInfoCollector::getIPv4NICInfo> Loaded ID from system: [...]
<HWID SoftwareInfoCollector::getFQDN> Loaded ID from system: [...]
<HWID SoftwareInfoCollector::getOSVersion> Loaded ID from system: [...]
<HWID SoftwareInfoCollector::getCurrentHDVolumeSerial> Loaded ID from system: [...]
<HWID WMIInfoCollector::getMACInfo> Loaded ID from system: [...]
<HWID WMIInfoCollector::getBIOSInfo> Loaded ID from system: [...]
<HWID WMIInfoCollector::getMotherboardInfo> Loaded ID from system: [...]
<HWID HardwareKeyConfig::importFromSystem> Finished importing system IDs => Loading current system IDs
<HWID HardwareKeyConfig::importFromDm> Loaded hardware ID from file: [...]
<HWID HardwareKeyConfig::loadHardwareKeyFile> Successfully imported system IDs from the file => Loading IDs from C:\Program Files\Common Files\Symantec Shared\HWID\sephwid.xml
<HWID HardwareKeyConfig::mergeIDs> Merging IDs...
<HWID HardwareKeyConfig::mergeIDs> Finished merging IDs => Merging together XML file IDs and system IDs
<HWID HardwareKeyProvider::getHardwareKey> Getting the hardware key...
<HWID HardwareKeyProvider::getHardwareKey> Hardware config contained 7 IDs
<HWID DefaultChangeDetector::detectChanges> File Count: 4 System Count: 4 Number to Match: 2 Match Count: 1
<HWID HardwareKeyConfig::generateHardwareKey> A new hardware key has been generated: EBE40D95D2E07F19AC88DDCFC8F56B00 => Merging result: 2 matching values are required but only one is found, hence new Hardware Key is generated
<HWID HardwareKeyProvider::getHardwareKey> Saving hardware ID to the registry
<HWID HardwareKeyConfig::saveRegistryHardwareKey> Successfully saved hardware key to the registry => Saving new Hardware Key into registry
<HWID HardwareKeyProvider::getHardwareKey> Exporting hardware config to the file
Failed to open the file to export File name C:\Program Files\Common Files\Symantec Shared\HWID\sephwid.xml
<HWID HardwareKeyConfig::exportToFile> An error occurred while exporting hardware key data to a file => Saving new Hardware Key / IDs to XML file: fail because the file cannot be modified
Hardware Key is the criteria used to identify a SEP client during registration with SEPM. It is calculated based on different "IDs" (such as computer name, OS version, MAC addresses, etc.). SEP client is comparing current system IDs with the ones stored into %COMMON_FILES%\Symantec Shared\HWID\sephwid.xml. If there are too much differences, the product will consider a new Hardware Key is required (it will then update sephwid.xml accordingly). Hardware Key is the way to identify a client in SEPM: if a client is changing its Hardware Key 3 times, there will be 3 entries for this SEP client in the management console.
This issue occurred due to SEP client deployment not done as per Symantec documentation (sephwid.xml has not been removed, and still contains data about the machine used as cloning/image master). Moreover, sephwid.xml has been flagged as Hidden (not default setting). As a consequence of this, current system IDs / Hardware Key cannot be saved into this XML file, therefore sephwid.xml content and current system IDs will never match and a new Hardware Key will always be required by SEP client.
To fix the issue, you will either need:
- To force creation of a new sephwid.xml AND Hardware Key value as per our documentation. You would then have new Hardware Key generated, with matching IDs between sephwid.xml content and current system state
- To change sephwid.xml properties and remove Hidden flag. If you do so, the file should be modified next time to fit machine's current IDs values. Therefore, sephwid.xml content and current system IDs would match next time and no new Hardware Key will be required