cancel
Showing results for 
Search instead for 
Did you mean: 
kjhurni
Level 9
Report Inappropriate Content
Message 1 of 10

Duplicate GUIDs still - EPO 4.6.2

Brand new EPO 4.6.2 server (build #234)

Now, I'm 99% sure that the helpdesk made the image and deleted the AGENTGUID registry key before "creating" the image.

However, still getting duplicate GUIDs in EPO server.

Is there any chance (ie, bug or something) that if the AgentGUID key is deleted, that you can still get a duplicate GUID?

I have this happen all the time in my old EPO server, so I figured it was just a bug.

9 Replies
PhilR
Level 12
Report Inappropriate Content
Message 2 of 10

Re: Duplicate GUIDs still - EPO 4.6.2

Very slim chance, I'd have thought.

You need to stop the framework service, delete the GUID from the registry, and then turn the machine off and turn it into an image / vm template.

Did they forget to stop the framework service?

Cheers,

Phil

Highlighted
kjhurni
Level 9
Report Inappropriate Content
Message 3 of 10

Re: Duplicate GUIDs still - EPO 4.6.2

PhilR wrote:

Very slim chance, I'd have thought.

You need to stop the framework service, delete the GUID from the registry, and then turn the machine off and turn it into an image / vm template.

Did they forget to stop the framework service?

Cheers,

Phil

The McAfee Agent documentation and KB don't say you have to stop the framework service:

From the docs:

"

The agent can be installed on an image that is subsequently deployed to multiple systems. You must

take precautions to make sure the agent functions properly in this scenario.

When you include the McAfee Agent on an image, you must remove its GUID from the registry. This

allows subsequently installed agent images to generate their own GUID at their first agent-server

communication.

Tasks

• Removing an agent GUID from the Windows registry on page 36

When installing an agent on an image, you must remove its GUID from the registry to

avoid duplicating GUIDs in the future."

From the KB:

https://kc.mcafee.com/corporate/index?page=content&id=KB56086

(all the KB says is to fix it you restart the framework service AFTER deleting the registry key to force it to regenerate).

--Kevin

McAfee Employee JoeBidgood
McAfee Employee
Report Inappropriate Content
Message 4 of 10

Re: Duplicate GUIDs still - EPO 4.6.2

Strictly speaking you don't need to stop the framework service before removing the AgentGUID value, but it can't hurt, and I can think of a couple of edge cases where it might help - but they are pretty unlikely.

If you suspect you've got a duplicate GUID problem, the first thing to do before anything else is confirm it: check the agentGUID registry value on a couple of affected machines and see if they contain the same data. Alternatively build two new machines from the image and compare the AgentGUID data.  Are they the same?  If so the image contains a GUID and needs to be fixed as soon as possible.

HTH -

Joe

apoling
Level 14
Report Inappropriate Content
Message 5 of 10

Re: Duplicate GUIDs still - EPO 4.6.2

Hi,

could you please enable Duplicate GUID server task (the one that puts the agent GUID on a blacklist and deletes the node) and make sure the agent version deployed (=imaged) supports the automatic GUID regeneration? (the two are meaningful to be used jointly).

This way you'd fix this problem, which could be due to a number of reasons (including agent first cheking in via a VPN connection), for which you can find numerous resolutions in the McAfee KB.

Thanks. Please keep us posted on your progress and results.

Attila

Message was edited by: apoling on 17/04/13 08:35:27 CEST
kjhurni
Level 9
Report Inappropriate Content
Message 6 of 10

Re: Duplicate GUIDs still - EPO 4.6.2

Attila Polinger wrote:

Hi,

could you please enable Duplicate GUID server task (the one that puts the agent GUID on a blacklist and deletes the node) and make sure the agent version deployed (=imaged) supports the automatic GUID regeneration? (the two are meaningful to be used jointly).

This way you'd fix this problem, which could be due to a number of reasons (including agent first cheking in via a VPN connection), for which you can find numerous resolutions in the McAfee KB.

Thanks. Please keep us posted on your progress and results.

Attila

Message was edited by: apoling on 17/04/13 08:35:27 CEST

Hi Attila,

We're using MA Agent 4.6.1, so I'm pretty sure that 4.5.x and higher (maybe even earlier) all hat the agent regeneration code in it.

I double-checked and the new EPO server did not have the:

Duplicate Agent GUID - REmove systems with potentially duplicated GUIDs

task enabled

I have enabled it.

However, that doesn't really explain why the agent got a duplicate GUID anyway.  The reason why I say I'm 99% certain that the image did NOT have the AgentGUID in it:

We had about 30 machines with that image and I did not have 30 duplicate GUIDs.

Now, what's interesting is THIS article here (not written by McAfee):

http://thegr8thurston.wordpress.com/2010/04/16/duplicate-mcafee-agent-guids/

Which seems to imply that you ALSO need to delete the MAC address reg key as well.

McAfee Employee JoeBidgood
McAfee Employee
Report Inappropriate Content
Message 7 of 10

Re: Duplicate GUIDs still - EPO 4.6.2

You don't need to remove the MAC address - it is not involved in determining whether the agent creates a new GUID or not. The only thing that does that is the absence of an AgentGUID value when the framework starts (or of course a command from ePO to regenerate the GUID, assuming you're running later versions of MA and ePO.)

HTH -

Joe

PhilR
Level 12
Report Inappropriate Content
Message 8 of 10

Re: Duplicate GUIDs still - EPO 4.6.2

Other thing to be aware of is this:

"Unknown User (displayed during preboot authentication after running the ePO 'Duplicate Agent GUID' task)"

https://kc.mcafee.com/corporate/index?page=content&id=KB75669&pmv=print&viewlocale=en_US

Be careful if you're using Endpoint Encryption 6.x or later.

Cheers,

Phil

McAfee Employee JoeBidgood
McAfee Employee
Report Inappropriate Content
Message 9 of 10

Re: Duplicate GUIDs still - EPO 4.6.2

Very good point, thanks

As the article says, please contact Support if this scenario applies to you.

Joe

Re: Duplicate GUIDs still - EPO 4.6.2

Also, I have found deleteing the MAC helps as well.  Sometimes that will create duplicate entries.

More McAfee Tools to Help You
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • Visit: Business Service Portal
  • More: Search Knowledge Articles
  • ePolicy Orchestrator Support

    • Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center