After fighting with duplicate hardware IDs in Symantec Endpoint Protection not that long ago, it was surprising to find the problem back again. Were these left over from the original problem, or was this a return engagement? And if it was a problem cropping up again, was it caused by someone forgetting to do the ghost load correctly, or something else?
Symantec Endpoint Encryption uses a hardware ID as a GUID to differentiate clients. If a GUID is cloned to multiple computers, your reporting and policies are affected. We tend not to find these problems until we move a client to a new group and find other computers showing up in the new group instead.
It turns out the old SEP 11 instructions for preparing to clone an image don’t quite work with 12.1. With SEP 12.1 on Windows 7 64-bit, we found an additional copy of sephwid.xml in C:\ProgramData\Symantec\Symantec Endpoint Protection\PersistedData\sephwid.xml. It wasn’t mentioned in the SEP 11 instructions, and every machine from the image ended up with the same hardware ID. If you are manually fixing duplicate GUIDs, keep that in mind.
It turns out there are instructions specifically for SEP 12.1.
How to prepare a Symantec Endpoint Protection 12.1 client for cloning – http://www.symantec.com/docs/HOWTO54706
How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1 clients – http://www.symantec.com/docs/TECH163349
They don’t give manual instructions (at the time of this writing) on removing the hardware ID in 12.1, but they do provide an executable for the job. I haven’t tested this exe out, but one thing bothers me. The instructions say if you use tamper protection you must disable it. If you require a password to stop the smc service, you must disable that. We don’t use tamper protection, but we do require a password to stop the smc service using the smc -stop command. I wish they would allow me to provide the password at the command line, as the sylink dropper tool can do. The good news is that by setting up a separate policy for these clients to disable the password requirement for stopping the SMC, you can then identify the remnant accounts, based on the duplicate hardware ID, that can be deleted.
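One way to spot the remnant accounts mentioned above is to run a client export through a small script that groups records by hardware ID and keeps only the most recently checked-in record per duplicate set. This is an added example, not a tool from the post or from Symantec; it assumes a CSV export with the columns computer, hardware_id, group and last_checkin (column names are assumed), and the rows below are constructed sample data.

```python
"""Group SEP client records by hardware ID and flag stale duplicates.

Added example. Assumes a CSV export of clients with the columns
computer, hardware_id, group, last_checkin (assumed names). The sample
rows below are constructed, not real clients.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export: three machines cloned from one image share a
# hardware ID (one stored in lower case), plus one healthy server.
SAMPLE_EXPORT = """\
computer,hardware_id,group,last_checkin
WS-0101,0A1B2C3D4E5F60718293A4B5C6D7E8F9,Workstations,2013-05-01 09:12:00
WS-0102,0A1B2C3D4E5F60718293A4B5C6D7E8F9,Workstations,2013-05-03 14:40:00
WS-0103,0a1b2c3d4e5f60718293a4b5c6d7e8f9,Lab,2013-04-20 08:05:00
SRV-01,FFEEDDCCBBAA99887766554433221100,Servers,2013-05-03 10:00:00
"""


def find_duplicate_hwids(export_text):
    """Return {hardware_id: [rows]} for every ID that appears more than once.

    IDs are upper-cased before comparison so case differences in the
    export do not hide a duplicate.
    """
    by_hwid = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        row["last_checkin"] = datetime.strptime(row["last_checkin"], "%Y-%m-%d %H:%M:%S")
        by_hwid[row["hardware_id"].strip().upper()].append(row)
    return {hwid: rows for hwid, rows in by_hwid.items() if len(rows) > 1}


def classify_remnants(dupes):
    """For each duplicate set, treat the newest check-in as the live client.

    Everything else in the set is reported as a remnant for deletion review.
    """
    result = {}
    for hwid, rows in dupes.items():
        ordered = sorted(rows, key=lambda r: r["last_checkin"], reverse=True)
        result[hwid] = {
            "live": ordered[0]["computer"],
            "remnants": [r["computer"] for r in ordered[1:]],
        }
    return result


if __name__ == "__main__":
    for hwid, info in classify_remnants(find_duplicate_hwids(SAMPLE_EXPORT)).items():
        print(f"{hwid}: keep {info['live']}, review {', '.join(info['remnants'])}")
```

Review the remnant list against the console before deleting anything, since a cloned machine that has not yet checked in after being repaired will still look stale.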