9 Replies Latest reply on Apr 17, 2013 9:58 AM by JoeBidgood

    Duplicate GUIDs still - EPO 4.6.2

    kjhurni

      Brand new EPO 4.6.2 server (build #234)

       

      Now, I'm 99% sure that the helpdesk made the image and deleted the AGENTGUID registry key before "creating" the image.

       

      However, still getting duplicate GUIDs in EPO server.

       

      Is there any chance (ie, bug or something) that if the AgentGUID key is deleted, that you can still get a duplicate GUID?

       

      I have this happen all the time in my old EPO server, so I figured it was just a bug.

        • 1. Re: Duplicate GUIDs still - EPO 4.6.2
          PhilR

          Very slim chance, I'd have thought.

           

          You need to stop the framework service, delete the GUID from the registry, and then turn the machine off and turn it into an image / vm template.

           

          Did they forget to stop the framework service?

           

          Cheers,

           

          Phil

          • 2. Re: Duplicate GUIDs still - EPO 4.6.2
            Attila Polinger

            Hi,

             

            could you please enable Duplicate GUID server task (the one that puts the agent GUID on a blacklist and deletes the node) and make sure the agent version deployed (=imaged) supports the automatic GUID regeneration? (the two are meaningful to be used jointly).

             

            This way you'd fix this problem, which could be due to a number of reasons (including agent first cheking in via a VPN connection), for which you can find numerous resolutions in the McAfee KB.

             

            Thanks. Please keep us posted on your progress and results.

             

            Attila

             

            Message was edited by: apoling on 17/04/13 08:35:27 CEST
            1 of 1 people found this helpful
            • 3. Re: Duplicate GUIDs still - EPO 4.6.2
              kjhurni

              PhilR wrote:

               

              Very slim chance, I'd have thought.

               

              You need to stop the framework service, delete the GUID from the registry, and then turn the machine off and turn it into an image / vm template.

               

              Did they forget to stop the framework service?

               

              Cheers,

               

              Phil

               

              The McAfee Agent documentation and KB don't say you have to stop the framework service:

               

              From the docs:

              "

              The agent can be installed on an image that is subsequently deployed to multiple systems. You must

              take precautions to make sure the agent functions properly in this scenario.

              When you include the McAfee Agent on an image, you must remove its GUID from the registry. This

              allows subsequently installed agent images to generate their own GUID at their first agent-server

              communication.

              Tasks

              • Removing an agent GUID from the Windows registry on page 36

              When installing an agent on an image, you must remove its GUID from the registry to

              avoid duplicating GUIDs in the future."

               

              From the KB:

              https://kc.mcafee.com/corporate/index?page=content&id=KB56086

               

              (all the KB says is to fix it you restart the framework service AFTER deleting the registry key to force it to regenerate).

               

              --Kevin

              • 4. Re: Duplicate GUIDs still - EPO 4.6.2
                kjhurni

                Attila Polinger wrote:

                 

                Hi,

                 

                could you please enable Duplicate GUID server task (the one that puts the agent GUID on a blacklist and deletes the node) and make sure the agent version deployed (=imaged) supports the automatic GUID regeneration? (the two are meaningful to be used jointly).

                 

                This way you'd fix this problem, which could be due to a number of reasons (including agent first cheking in via a VPN connection), for which you can find numerous resolutions in the McAfee KB.

                 

                Thanks. Please keep us posted on your progress and results.

                 

                Attila

                 

                Message was edited by: apoling on 17/04/13 08:35:27 CEST

                Hi Attila,

                 

                We're using MA Agent 4.6.1, so I'm pretty sure that 4.5.x and higher (maybe even earlier) all hat the agent regeneration code in it.

                 

                I double-checked and the new EPO server did not have the:

                Duplicate Agent GUID - REmove systems with potentially duplicated GUIDs

                task enabled

                 

                I have enabled it.

                 

                However, that doesn't really explain why the agent got a duplicate GUID anyway.  The reason why I say I'm 99% certain that the image did NOT have the AgentGUID in it:

                 

                We had about 30 machines with that image and I did not have 30 duplicate GUIDs.

                 

                Now, what's interesting is THIS article here (not written by McAfee):

                 

                http://thegr8thurston.wordpress.com/2010/04/16/duplicate-mcafee-agent-guids/

                 

                Which seems to imply that you ALSO need to delete the MAC address reg key as well.

                • 5. Re: Duplicate GUIDs still - EPO 4.6.2
                  awsomaha

                  Also, I have found deleteing the MAC helps as well.  Sometimes that will create duplicate entries.

                  • 6. Re: Duplicate GUIDs still - EPO 4.6.2
                    JoeBidgood

                    Strictly speaking you don't need to stop the framework service before removing the AgentGUID value, but it can't hurt, and I can think of a couple of edge cases where it might help - but they are pretty unlikely.

                     

                    If you suspect you've got a duplicate GUID problem, the first thing to do before anything else is confirm it: check the agentGUID registry value on a couple of affected machines and see if they contain the same data. Alternatively build two new machines from the image and compare the AgentGUID data.  Are they the same?  If so the image contains a GUID and needs to be fixed as soon as possible.

                     

                    HTH -

                     

                    Joe

                    • 7. Re: Duplicate GUIDs still - EPO 4.6.2
                      JoeBidgood

                      You don't need to remove the MAC address - it is not involved in determining whether the agent creates a new GUID or not. The only thing that does that is the absence of an AgentGUID value when the framework starts (or of course a command from ePO to regenerate the GUID, assuming you're running later versions of MA and ePO.)

                       

                      HTH -

                       

                      Joe

                      • 8. Re: Duplicate GUIDs still - EPO 4.6.2
                        PhilR

                        Other thing to be aware of is this:

                         

                        "Unknown User (displayed during preboot authentication after running the ePO 'Duplicate Agent GUID' task)"

                         

                        https://kc.mcafee.com/corporate/index?page=content&id=KB75669&pmv=print&viewloca le=en_US

                         

                        Be careful if you're using Endpoint Encryption 6.x or later.

                         

                        Cheers,

                         

                        Phil

                        • 9. Re: Duplicate GUIDs still - EPO 4.6.2
                          JoeBidgood

                          Very good point, thanks

                          As the article says, please contact Support if this scenario applies to you.

                           

                          Joe