This article details the troubleshooting steps for LANDESK Device Control.
LANDESK Device Control uses settings defined in .XML files called "behavior files", in the same way that Agent Behavior or Scan and Repair settings do.
LANDESK Device Control Installation
In order for LANDESK Device Control to be installed on a device, the following must occur.
1. Endpoint Security must be checked as a component in the Agent Configuration - Start - Agent Components to install section.
2. The proper Endpoint Security setting must be selected in the Agent Configuration - Security and Compliance - Endpoint Security - Machine Configuration section.
3. Within the selected Endpoint Security Setting, Device Control must be selected as one of the Security Policies to install.
Note: If the Agent was installed without Endpoint Security, Endpoint Security can be installed later by pushing an "Install/Update Security Configurations" task from the Security Configurations Tool "Create a Task" drop-down.
Important Files in LANDESK Device Control
Files within LDCLIENT\HIPS directory:
DCM.LOG : Device Control Manager Device Log file
DCMVOLUMES.LOG : Device Control Manager Volumes Log file
DCM.XML : Device Control Manager behavior file.
Files within \Documents And Settings\All Users\Application Data\LDSEC directory (Prior to Windows Vista) or \ProgramData\LDSEC directory (Vista and later)
BVD.RPT - File used to display data in the client EPS GUI.
LDSECSVC-DCM-DEBUG.LOG - Debug log for Device Control Manager
HIPSCLIENTCONFIG-HIPS-debug.log - Log file for HIPSCLIENTCONFIG.EXE, the program used when installing Endpoint Security
Files within \Documents And Settings\All Users\Application Data\Vulscan directory (Prior to Windows Vista) or \ProgramData\Vulscan directory (Vista and later)
HipsBehavior_(CoreServerName)_ID#.XML - Mainly contains Trusted Location information for HIPS and LANDESK Firewall
HipsBehavior_(CoreServerName)_ID#.ZIP - .ZIP file containing all Endpoint Security behavior .XML files.
ActionHistory.(ClientIPAddress).sent.#.xml - Action history sent from client to the core.
vulscan.log or vulscan.#.log - useful for troubleshooting installation and change-settings runs
softmon.log - logs ActionHistory activity for actions sent to core by the Softmon process
Important Registry Keys
Settings - Current EPS settings.
Known Volumes - Volumes that were present at the time of the DCM policy installation. These are excluded from the volume policy, so they remain allowed.
Reset Known Volumes
This resets the list of volumes that EPS treats as allowed. You would reset known volumes in the case where you deployed an EPS configuration while an undesired volume (such as an external USB hard drive) was plugged in at install time. That drive is automatically added to the "known volumes" list, so it is allowed even if the EPS configuration contains a volume restriction policy.
- Push out an agent configuration that Allows all volumes. This will reset the known volumes list.
- You can then push out the final Agent Configuration with the desired volume restrictions and exceptions.
- From the command prompt type "sc.exe control ldsecsvc 130"
When switching a policy from "Deny" to "Full Access", the known volume list is reset for 1 minute, and any device plugged in during that minute is re-learned as a known volume. Administrators should keep this in mind when following these steps.
You may also use the following to forcefully reset known volumes:
- Deploy a device control policy with the 'storage volumes' policy set to 'Full access'
- Deploy it again with the required policy (read only/encryption only/no access as appropriate)
General Troubleshooting steps
- Are the Device Control Settings on the core server configured correctly for the expected outcome?
  - Check the Device Control Settings in the Security Configurations Tool on the Core Server
  - Make sure you are looking in the correct group - My, Public or All
  - Make a note of the ID #, Name, and Revision # for the Device Control Setting
- Do the Device Control Settings on the client match what is listed on the Core Server?
  - Check which Endpoint Security setting is active on the client
  - Look in the registry at: HKLM\Software\LANDESK\ManagementSuite\WinClient\Vulscan
  - Does the Behavior ID, Name and Revision match the core setting? (If different, run Vulscan /changesettings /showui)
  - Within the DCM.XML file in the LDCLIENT\HIPS directory, do the settings match what is expected?
- Examine the log files (DCM.LOG and DCMVOLUMES.LOG in LDCLIENT\HIPS). The best way to gather them is to turn on debug logging.
- Do any of the ActionHistory.(ClientIPAddress).ID#.sent.xml files contain the expected action?
  - If not, reproduce the failure and check the ActionHistory XML files again.
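The client-side checks above can be run from one PowerShell session. The script below is an added example, not part of the LANDESK article or a LANDESK tool: it dumps every value under the Vulscan registry key (so the ID, Name and Revision can be compared with the core without assuming value names), shows the top-level structure of DCM.XML, lists the DCM logs and the ActionHistory files, and searches the ActionHistory files for a string you expect to see in the recorded action. The LDClient install path and the search string are assumptions to adjust for your environment.

```powershell
# Added example (not LANDESK code): inspect the Device Control state on a client.
# Assumption: default LDClient install path; change if your agent is elsewhere.
$vulscanKey = 'HKLM:\SOFTWARE\LANDESK\ManagementSuite\WinClient\Vulscan'
$ldClient   = 'C:\Program Files (x86)\LANDesk\LDClient'   # assumption
$dataDir    = if (Test-Path 'C:\ProgramData') { 'C:\ProgramData' } else { "$env:ALLUSERSPROFILE\Application Data" }

Write-Host "== Active Endpoint Security setting (compare ID, Name, Revision with the core) =="
if (Test-Path $vulscanKey) {
    # Dump all values; the PS* properties are PowerShell provider metadata, not registry data
    Get-ItemProperty -Path $vulscanKey |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List
} else {
    Write-Warning "Key not found: $vulscanKey (is Endpoint Security installed on this client?)"
}

Write-Host "== Device Control behavior file (DCM.XML) =="
$dcmXml = Join-Path $ldClient 'HIPS\DCM.xml'
if (Test-Path $dcmXml) {
    # Show the top-level elements so the policy sections can be compared with the core setting
    [xml]$dcm = Get-Content -Path $dcmXml
    $dcm.DocumentElement.ChildNodes |
        Select-Object Name, @{ n = 'ChildElements'; e = { $_.ChildNodes.Count } } |
        Format-Table -AutoSize
} else {
    Write-Warning "Missing: $dcmXml"
}

Write-Host "== Device Control logs =="
Get-ChildItem -Path (Join-Path $ldClient 'HIPS') -Filter 'DCM*.log' -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime

Write-Host "== ActionHistory files (newest first; unsent .xml, then .sent rotations) =="
$historyDir = Join-Path $dataDir 'Vulscan'
Get-ChildItem -Path $historyDir -Filter 'ActionHistory*.xml' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, LastWriteTime

# Search the ActionHistory files for something you expect in the recorded action,
# for example the blocked device's name or drive letter. Placeholder value below.
$needle = 'PLACEHOLDER_DEVICE_NAME'   # assumption: replace with the expected device/drive
Get-ChildItem -Path $historyDir -Filter 'ActionHistory*.xml' -ErrorAction SilentlyContinue |
    Select-String -Pattern $needle -SimpleMatch |
    Select-Object Filename, LineNumber, Line
```

Run it in an elevated PowerShell prompt on the affected client; if the search returns nothing after the failure has been reproduced, the action was never recorded locally, which points at the policy on the client rather than at the transfer to the core.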
How actions are sent from the Client to the core server
Whenever an action takes place (a device is blocked, shadow copy activity takes place, etc.), this activity is recorded in the ActionHistory.(ClientIPAddress).ID#.xml file. If no further activity takes place within 2 minutes, Softmon sends this information to the core server. Otherwise, every time Vulscan runs, it gathers the ActionHistory information and sends it to the core server. This ActionHistory information is stored in the SecurityAction table in the database and is displayed in the Security Activity window. After the ActionHistory is sent, the .XML file is renamed to .SENT.XML. 11 copies of this file are kept on the client: the current .sent file and then .sent files numbered 1-10.
If ActionHistory is sent during a Vulnerability Scan, this action will be logged in the Vulscan.log file
If ActionHistory is sent via Softmon, this is logged in the Softmon.log file
Items to gather and send to the LANDESK Support technician
1. GetSystemInfo Report
2. Debug Logs
3. Exported Security Configuration Settings
4. If issue is a blue screen, gather a Kernel Mode Memory dump
Instructions for gathering this information follow:
Gather a GetSystemInfo report
GetSystemInfo gathers detailed information about a computer, including hardware, operating system, drivers, installed software, etc. This utility can be very useful for determining the cause of certain issues.
For Windows Workstation/Server
1. Run GetSystemInfo.exe on the computers with the problem.
2. Click the button Create report in the right part of the main window.
3. Wait until the utility has completely scanned the system.
4. Click OK to confirm the creation of a report.
A file will be created with the default name GetSystemInfo_<USER>_YYYY_MM_DD.zip.
Attach this report to your created case, or e-mail it to your LANDESK Support technician.
How to enable debug logging in LDMS 9.6 SP2
- Open the Endpoint Security GUI by clicking on the EPS system tray icon.
- Hold LSHIFT (left shift key) + LCTRL (left control key), then click the Drop-down Menu in the upper right (next to the gear icons) to reveal the Extended Menu
- Click Enable debug mode
- While Debugging is enabled, the Extended menu will show this:
- After reproducing the issue, click the Drop-down Menu while holding LSHIFT and LCTRL and choose Generate debug logs. The debug logs will be saved to your Desktop as eps-logs.zip.
The eps-logs.zip file will contain the required information to send to support for troubleshooting.
- Once done generating the Debug Logs, click the Drop-down Menu and choose Disable debug mode.
The following steps must be taken when gathering Endpoint Security debug logs for LDMS 9.5:
- On the affected client, right-click the Endpoint Security system tray icon and select "Open".
- In the LANDESK Endpoint Security window, click the "Options" button in the top right (it looks like a wrench and screwdriver crossing).
- In the Options window, click the "Troubleshooting Logs: Disabled" link at the bottom of the window. It will switch to "Troubleshooting Logs: Enabled".
- Duplicate the issue that you wish to capture in the logs. If this requires a reboot, reboot at this time.
- Go back to the Options window and click the "Troubleshooting Logs: Enabled" link. It will switch back to "Disabled" and you will see a script run that automatically copies all the needed troubleshooting logs to the desktop into the "Logs.cab" and "Logs.def" files.
This will compile the following files and place them in a "Logs.cab" on the desktop.
Windows XP / Server 2003:
C:\Documents and Settings\All Users\Application Data\LDSec\*.*, C:\Documents and Settings\All Users\Application Data\Vulscan\ActionHistory*.xml
Windows 7 and higher:
C:\ProgramData\LDSec\*.*, C:\ProgramData\vulscan\ActionHistory*.xml, LDClient\HIPS\*.log, *.xml, *.def, *.idx
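When the EPS GUI cannot be opened (for example, the service is stopped or the tray icon is missing), the same file set can be gathered by hand. The script below is an added example, not the article's collection script and not a LANDESK tool: it copies the Windows 7-and-higher file set listed above into a staging folder, writes a manifest with SHA256 hashes so support can confirm nothing was altered in transit, and zips the result onto the Desktop. The LDClient install path is an assumption.

```powershell
# Added example (not LANDESK code): manual equivalent of the "Troubleshooting Logs"
# collection for Windows 7 and higher. Run from an elevated PowerShell prompt.
$ldClient = 'C:\Program Files (x86)\LANDesk\LDClient'   # assumption: default install path
$ldSec    = 'C:\ProgramData\LDSec'                        # Vista and later, per the article
$vulscan  = 'C:\ProgramData\Vulscan'
$hipsDir  = Join-Path $ldClient 'HIPS'
$stage    = Join-Path $env:TEMP ('eps-logs-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
$zip      = Join-Path ([Environment]::GetFolderPath('Desktop')) 'eps-logs-manual.zip'

New-Item -ItemType Directory -Path $stage | Out-Null

# File sets named in the article for Windows 7 and higher
$sources = @(
    @{ Path = $ldSec;   Filter = '*.*' },
    @{ Path = $vulscan; Filter = 'ActionHistory*.xml' },
    @{ Path = $hipsDir; Filter = '*.log' },
    @{ Path = $hipsDir; Filter = '*.xml' },
    @{ Path = $hipsDir; Filter = '*.def' },
    @{ Path = $hipsDir; Filter = '*.idx' }
)

$manifest = foreach ($s in $sources) {
    if (-not (Test-Path $s.Path)) { Write-Warning "Missing: $($s.Path)"; continue }
    # Keep files from each source directory in their own subfolder of the staging area
    $dest = Join-Path $stage (Split-Path $s.Path -Leaf)
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Get-ChildItem -Path $s.Path -Filter $s.Filter -File -ErrorAction SilentlyContinue | ForEach-Object {
        try {
            Copy-Item -Path $_.FullName -Destination $dest -Force -ErrorAction Stop
            # Record what was collected, with a hash so support can verify integrity
            [pscustomobject]@{
                File      = $_.FullName
                Size      = $_.Length
                LastWrite = $_.LastWriteTime
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } catch {
            # A log held open exclusively by a service cannot be copied; note it and continue
            Write-Warning "Could not copy $($_.FullName): $($_.Exception.Message)"
        }
    }
}
$manifest | Export-Csv -Path (Join-Path $stage 'manifest.csv') -NoTypeInformation

# Record the active setting (ID, Name, Revision) from the registry key named in the article
Get-ItemProperty -Path 'HKLM:\SOFTWARE\LANDESK\ManagementSuite\WinClient\Vulscan' -ErrorAction SilentlyContinue |
    Out-File -FilePath (Join-Path $stage 'vulscan-registry.txt')

Compress-Archive -Path (Join-Path $stage '*') -DestinationPath $zip -Force
Remove-Item -Path $stage -Recurse -Force
Write-Host "Collected $(@($manifest).Count) files into $zip"
```

The resulting eps-logs-manual.zip can be attached to the case in place of Logs.cab; the manifest.csv inside it lists exactly which files were taken and when they were last written, which is the first thing support needs when deciding whether the logs cover the reproduction window.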
If the problem is a Blue Screen, collect a Kernel Memory Dump
1. Right-click "My Computer" and choose "Properties"
2. Go to the "Advanced" tab and then click "Settings" under "Startup and Recovery"
3. Under the "System failure" section under "Write debugging information" click the drop-down and select "Kernel memory dump".
4. Make note of the path that the MEMORY.DMP file will be saved to.
5. Duplicate the blue screen issue and then collect the MEMORY.DMP file and compress it in a .ZIP file.
A kernel memory dump must be supplied; a mini memory dump does not contain sufficient information.
Summary of items gathered
The following is the list of files to be supplied to the Support Technician:
From "Gather Debug Logs"
Endpoint Security Settings ##.ldms
From exporting the Endpoint Security Setting (the filename will differ based on what you have named the setting)
Device Control Setting ##.ldms
From exporting the Device Control Setting (the filename will differ based on what you have named the setting)
If the issue was a bluescreen and you have gathered a Kernel memory dump:
MEMORY.DMP will likely be too large to attach to an e-mail.
If this is the case, name your .ZIP file of MEMORY.DMP to "LANDESK Case # Memory Dump.zip" and upload to ftp://ftp.landesk.com/incoming