Extending LANDesk Inventory for Bitlocker (Part 1)

The LANDesk Inventory engine is easy to extend with custom scripts.

The basic process:

  1. Create a script to gather powershell data in a landesk-compatible format.
  2. Create a batch file to run the powershell script if the system has powershell installed.
  3. Modify the LANDesk Inventory Scanner’s ini file ( LDSCNHLP.INI ).
  4. Force a full system scan.
  5. Modify the database settings to allow unknown items.

Step 1 – PowerShell Bitlocker Script

BitLocker provides WMI classes to query for BDE information. In my previous post, a script is available.
  1. Download the script from my previous post ( See: BitLocker Info with PowerShell ) by clicking ‘view source’, then copy\pasting into your favorite text editor.
  2. Then, save the file as bitlocker-info.ps1 in your LDClient folder (by default %programfiles(x86)%\LANDesk\LDClient).

Step 2 – Batch File PS Launcher

It’s possible to launch PowerShell without a batch file, but I wanted to add some logic in case the script was inadvertently pushed to an XP system without PowerShell installed.
  1. Download the following batch file.
  2. Name it as ‘bitlocker-info.cmd’.
  3. Put it in your LDClient folder.
@ECHO OFF
REM Check Windows Version
REM reference: http://www.grimadmin.com/article.php/batchfile-easy-way-to-detect-os-version
ver | findstr /i "5\.0\." > nul
IF %ERRORLEVEL% EQU 0 goto warn_OSOld
ver | findstr /i "5\.1\." > nul
IF %ERRORLEVEL% EQU 0 goto warn_OSOld
ver | findstr /i "5\.2\." > nul
IF %ERRORLEVEL% EQU 0 goto warn_OSOld

cd %SystemRoot%\system32\WindowsPowerShell\v1.0
powershell Set-ExecutionPolicy Unrestricted
powershell C:\PROGRA~2\LANDesk\LDClient\Bitlocker-Info.ps1
goto end

:warn_OSOld
IF EXIST "%programfiles(x86)%\LANDesk\LDClient\bitlocker.dat" DEL /F /Q "%programfiles(x86)%\LANDesk\LDClient\bitlocker.dat"
echo Bitlocker Info - Bitlocker Rollup = N\A for this OS > "%programfiles(x86)%\LANDesk\LDClient\bitlocker.dat"

:end
cd %programfiles(x86)%\Landesk\ldclient

Step 3 – LANDesk LDSCNHLP.INI File

The heart of the LANDesk scanning extension happens in the ‘ldscnhlp.ini’ file. Edit your file so that it matches mine. For now, ignore the fact that this will fail to run the script on a x32 Vista\Win7 system. That will be addressed in the next post.

[EXECUTE WIN16]

[EXECUTE WIN32]
LAUNCH1=C:\progra~2\landesk\ldclient\bitlocker-info.cmd
TIMEOUT1=600

[DATA FILES]
DATA1=%programfiles%\landesk\ldclient\bitlocker.dat
DATA2=%programfiles(x86)%\landesk\ldclient\bitlocker.dat

Step 4 – Force a Full Scan

By default, LANDesk will run a ‘full scan’ once per day. The BitLocker script will not run unless you force a full scan. Here is the easiest way:

  1. On the client, edit your inventory scanner program files shortcut and append “/F /SYNC” to the end of the ‘target’ field.
  2. Run a scan with the program files shortcut.
  3. Check your LDClient directory for a newly created bitlocker.dat file, written by the ps1 script.

Step 5 – Configure LANDesk Database

  1. On your LANDesk core, run ‘Configure Services’ from the Start Menu.
  2. Click the ‘Inventory’ tab.
  3. Click ‘Unknown Items’
  4. You should see the custom bitlocker data; click each item and choose ‘allow’.

References

Troubleshooting

  • I had to reboot my landesk core several times to get the scan working. I’m not sure why. Also, I had to run the scan twice to get the custom data to appear in the ‘unknown items’ tab, and again to get the inventory populated after the items were approved.

Limitations and Taking it Farther

In its current form, this process will not work uniformly on x86 and x64 machines. I haven’t found a way to use environment variables in the LDSCNHLP.ini file, which is the only restriction. However, it’s possible to edit your agent configuration package to make this happen. That will be the focus of part 2.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s