On one of my accounts that I support, I was asked about using Kace custom inventory to make BitLocker keys accessible to Service Desk agents who are not on the domain and do not have direct access to it. For this reason, they were not able to use the default ADUC BitLocker recovery information stores, and the customer was also having issues getting the keys all stored in there as well. After much trial and error (I am rather new to Kace management), I was able to get the information stored in Kace as needed using the following CIR:


ShellCommandTextReturn(cmd.exe /c \"%windir%\sysnative\manage-bde.exe -protectors -get c:\")


I tried literally hundreds of variations before this finally started producing the results we needed. The key seems to be the quote escapes, but I am not a Kace expert yet, so I will leave that open for debate.

Hopefully this helps someone out there as I spent much time researching, opening tickets, and breaking things to finally get it working.


From here we have set up a daily report that gets sent to the team leads with all stored keys, and the individual machines can also be viewed on the fly, as it will be stored as part of their scheduled inventory updates.
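The custom inventory field above stores the raw manage-bde text, so a report consumer still has to pick the recovery password out of it and notice when a record is truncated or missing. The following is an added example, not part of the original post: it parses that text and checks each password's structure (8 groups of 6 digits, each divisible by 11 with a quotient below 65536). It assumes English-language manage-bde output; the sample text, IDs and function names are constructed for illustration.

```python
import re

# Constructed sample of `manage-bde -protectors -get c:` text as it might be
# stored in the inventory field; the IDs and the password are made up.
SAMPLE = """\
Volume C: [Windows]
All Key Protectors

    TPM:
      ID: {11111111-2222-3333-4444-555555555555}
      PCR Validation Profile:
        0, 2, 4, 11

    Numerical Password:
      ID: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
      Password:
        110011-220022-330033-440044-550055-660066-135795-597531
"""

# A "Numerical Password" protector block: its ID, then the password line.
PROTECTOR = re.compile(
    r"Numerical Password:\s*ID:\s*(\{[0-9A-Fa-f-]{36}\})\s*Password:\s*([\d-]+)"
)

def password_is_well_formed(pw):
    """8 groups of 6 digits; each divisible by 11 with quotient below 2**16."""
    groups = pw.split("-")
    if len(groups) != 8 or not all(re.fullmatch(r"\d{6}", g) for g in groups):
        return False
    return all(int(g) % 11 == 0 and int(g) // 11 < 65536 for g in groups)

def extract_recovery_passwords(text):
    """Return [(protector_id, password, well_formed)] per numerical password.

    An empty list means the stored text holds no recovery password at all,
    which is worth flagging in the report just like a malformed one.
    """
    return [(pid, pw, password_is_well_formed(pw))
            for pid, pw in PROTECTOR.findall(text)]

if __name__ == "__main__":
    # Print only the protector ID and the check result, never the password.
    for pid, pw, ok in extract_recovery_passwords(SAMPLE):
        print(pid, "OK" if ok else "MALFORMED")
```

Matching on the protector ID lets an agent confirm that the stored password belongs to the key ID shown on the machine's recovery screen before reading it out.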