8 Replies Latest reply on Sep 6, 2016 7:06 PM by lukedefazio

    Enforce/Allocate AgentGUID for Device

    lukedefazio

      I have come to a dead end in my efforts to enforce an AgentGUID for a particular set of devices.

       

      When I set the AgentGuid registry key and start the masvc service, a new GUID is randomly generated and written over my entry.

      If I restart the service or modify the entry created by McAfee it always resets back to the GUID created at service start, which is expected.

       

      No matter what I try, when I edit the registry, the Agent refuses to use the registry entry I specified and will create its own.

       

      Is it even possible to specify your own GUID?

      The documentation indicates that a new GUID will be created only if there is no registry entry, every entry I have created a new GUID has replaced it.

       

      There is no matching object in the ePO console, it is not giving me the same GUID each time, it is a truly random GUID that is being generated.

      I am running McAfee Agent 5.0.2

       

      thanks.

        • 1. Re: Enforce/Allocate AgentGUID for Device
          taziegma

          Why are you trying to pick your own GUID? Each managed system is required to have its own GUID and the McAfee Agent will generate its own GUID.

          • 2. Re: Enforce/Allocate AgentGUID for Device
            lukedefazio

            Short Answer:

            - I am attempting to compensate for the inadequisess/incompetance of the team that mange the McAfee ePO environment.

             

            Long Answer:

            - The devices are streamed from a single Master image and receive a new GUID on startup

            - The devices are rebooted every week

            - The devices are generating duplicate entries in the McAfee ePO console with the newest entry ending up in lost & found

            - The devices are not getting the correct VSE exclusions and this is causing application errors and profile corruptions.

            - Using the Master imaging product I can specify a Unique GUID for every device and I can ensure that every device maintains their own unique GUID, this will stop the creation of duplicate entries and keep the devices in the correct folder in the ePO console.

             

            I'm only interested in the option to force the McAfee AGent to use a GUID I specify.

            Is this possible with the product?

             

            thanks.

            • 3. Re: Enforce/Allocate AgentGUID for Device
              taziegma

              You can't manually pick your GUID, no. It's not supported. For more about the AgentGUID key, see McAfee KnowledgeBase - How to reset the McAfee Agent GUID if computers are not displayed in the ePolicy Orchestrator dir… When you say streamed, are these VDI systems? There is a VDI switch that can be used when installing the agent that can help with non-persistent systems.

               

              For ensuring proper policy assignment, you can use policy assignment rules to apply policy based on tags and create tags that are automatically assigned when the agent checks in. You can also specify custom properties with the Agent that can also be used as criteria for policy assignment rules.

              • 4. Re: Enforce/Allocate AgentGUID for Device
                lukedefazio

                You say it is "not supported" however you could interpret the following document:

                McAfee KnowledgeBase - How to reset the McAfee Agent GUID if computers are not displayed in the ePolicy Orchestrator dir…

                The ePO agent GUID is created when the McAfee Agent services start with the AgentGUID value missing. Usually this happens during installation. Running SysPrep or changing the name of the client computer does not dynamically change this value. The information for including the ePO agent in an image is located in the "Include the agent on an image" section of the McAfee Agent 4.8 Product Guide (PD24333).

                 

                Before creating the final image, delete the AgentGUID value from the registry.

                 

                If I insert a registry key containg the AgentGUID information why does the Agent not make use of the value?

                • 5. Re: Enforce/Allocate AgentGUID for Device
                  taziegma

                  You don't want to put in your own GUID. As you've seen, it won't work. You want to let ePO and the Agent sort this out for themselves. The ePO server will reject agents it does not understand. By deleting the GUID key, ePO and the agent will communicate and agree on the GUID to be used for identification. There are other ways to ensure that your systems remain managed with the appropriate policies. Delete the AgentGUID from the master image. Use the hostname, IP address, or other criteria to identify and sort the systems into the appropriate system tree group, and apply policies against that tree subgroup, or use policy assignment rules and tags, and then it doesn't matter where in the tree the system is. Policy assignment rules take precedence over system tree assignments.

                  • 6. Re: Enforce/Allocate AgentGUID for Device
                    lukedefazio

                    Is it possible to have a Master image with no GUID and when a devices starts through the use of ePO policies the same GUID can be generated each time as long as the device maintains a consitent/stable piece of idientification.

                    i.e. Hostanme, IP, MAC Address, etc.

                     

                    Overall I don;t care if the device has a unique GUID after every reboot, my pirmary concern is that there is only one entry for each device in the ePO System Tree and that the entry is in the correct location as it relates to exclusions and other policies.

                     

                    thanks.

                    • 7. Re: Enforce/Allocate AgentGUID for Device
                      taziegma

                      No. Each device needs a unique GUID. I'd suggest trying installing the agent with the VDI mode switch, however, that won't solve the policy assignment. Your ePO admins need to use policy assignment rules and tags to protect against the wrong policies being assigned.

                      • 8. Re: Enforce/Allocate AgentGUID for Device
                        lukedefazio

                        I've given up trying to get McAfee working as desired.

                        The ePO administrators can mange the duplicate objects and scripting to move device to the correct locations in the system tree.

                         

                        Looks like the product has been designed with a static "non Master image" world in mind.

                        Perhaps future versions will embrace a 10 year old concept more fully.

                        A GUID may need to be unique, but that absolutley does not exclude it from being able to be user specified.

                         

                        thanks.