Solved: Duplicate GUID

kodyrubida · ‎09-05-2023

We are having an issue where AMP has given multiple computers the same GUID ID. We have tried deleting the local.xml and local.xml.old files and restarting the service with no luck. I just saw that the v3 of the API has the ability to uninstall the connector service in which we cannot stop, this would cause a lot of issues as a GUID is needed to uninstall the connector service. Is there anything else we can try to fix this?

Matthew Franks · ‎09-06-2023

If you have Connector Protection in place, you need to stop the service via the command line with the -k flag. Check the command line switch document I linked before. If all of that doesn't work for you, please open a TAC case so they can assist but the easiest option will likely be to fix the golden image and redeploy.

-Matt

View solution in original post

Matthew Franks · ‎09-05-2023

It sounds like you have an issue with deploying from a golden image. This is typically due to the local.xml being populated in the golden image before being deployed as a new endpoint. If that is the case, each endpoint would be given the same guid. Here is the guide for golden image deployment.

Thanks,

-Matt

kodyrubida · ‎09-05-2023

So what would be the best case scenario in terms of getting some of these fixed without reimaging the computers?

Matthew Franks · ‎09-06-2023

Typically you could use the reregister command line switch, but with Identity Persistence enabled it doesn't work the same. You can attempt removing the local.xml (with the service stopped) and deleting the registry entries before running reregister but it will likely pick up the same UUID based on the Mac or Hostname (depending on what you have set in Identity Persistence).

-Matt

kodyrubida · ‎09-06-2023

I am unable to stop the connector service, I tried stopping the Secure endpoint then deleting local files then restarting the service/reinstalling a newer version of amp, with no luck getting a new guid. I believe the connector service is the piece I am missing on how to stop as it won't let me stop it even with admin rights.

Matthew Franks · ‎09-06-2023

If you have Connector Protection in place, you need to stop the service via the command line with the -k flag. Check the command line switch document I linked before. If all of that doesn't work for you, please open a TAC case so they can assist but the easiest option will likely be to fix the golden image and redeploy.

-Matt

Roman Valenta · ‎09-06-2023

Hi, I would also like to pitch in with this guide that can give you lots of information about Identity Persistence and how it works, including some hints and most common issues that we seen with this type of deployment.

https://www.cisco.com/c/en/us/support/docs/security/secure-endpoint/217557-cisco-secure-endpoint-guide-to-identity.html

kodyrubida · ‎09-07-2023

Thank you both!

chickenriceandbeans · ‎04-01-2025

@Matthew Franks

Hi

So, in an Intune environment, if a computer comes back as a duplicate after being wiped, what should be done?

Matthew Franks · ‎04-01-2025

@chickenriceandbeans it depends on how you have Identity Persistence configured. If something isn't working as expected, I'd suggest opening a TAC case for assistance and possible explanation since they'll be able to see details of the deployment.