Hi everyone,

I'm trying to create a new inventory action which enables BitLocker using the following.

Custom Action 

manage-bde.exe -on C:

Has anyone had any luck with creating a similar action?







Are you trying to enable BitLocker through the use of a custom inventory field? That's an interesting concept but I don't think I would use that functionality to make system changes. It would be better to create a script and target machines that need the change.

Answered 05/21/2013 by: chucksteel
Red Belt

  • Agreed. Build a script that suits your environment based on this: http://technet.microsoft.com/en-us/library/dd894351%28v=ws.10%29.aspx
  • Hi, thank you for your responses. Yes, I was hoping to be able to run the command as an action in the inventory field. We have a BitLocker GPO and a script which configures BIOS settings such as activating TPM and setting drive boot order. Right now we open a command prompt on the machine and run manage-bde -on c: and that's almost it. I would like to get rid of this. Also, running a script is great; however, I'd like to keep it as simple as possible, so that the support team does not have to add machines to a label or direct to the script (multiple IT staff adding and removing to labels and a script has been a bit painful thus far, in that people are not removing machines once completed and others are removing machines that have just been added by others). That said, maybe I have misunderstood your responses: can I create an action which runs the script, or am I limited to doing so via the scripting page?
    • If you want this setting for all machines then you would ideally create a custom inventory rule that finds machines that don't have it set. Use this custom rule to create a smart label and apply that smart label to the script. Machines will automatically receive the label when the script needs to be run on them, but once it has been run they will be removed from the label.

      The custom inventory rule should be used to pull in the BitLocker status and the label is based on that status. I'm not familiar enough with BitLocker to know what the rule would be.
      • I just looked at the link jknox posted. Read the "Verifying that BitLocker is enabled" section. You should be able to make a custom inventory rule using the manage-bde.exe -status c: command and then use that to create the smart label.
  • Hi ChuckSteel, this is how we were enabling BitLocker for a while; however, I am keen on setting up an inventory action, as this would allow support staff to disable or pause BitLocker when required. If not, then we will stick with the current method of managing BitLocker.
    • But if you use a custom inventory rule it will get set every time the machine updates its inventory. With a script you could schedule it to run every day at midnight and then techs can disable it while working on the computer and it will reset the next day.
  • Hi Chucksteel, I know this; however, my objective was to see if anyone has had any success with setting it up as an action, with a view to getting it working for us. If it is not possible, then we will stick with the way in which we are currently managing BitLocker, possibly with a little fine tuning. Cheers
    • Ok, that's where we got confused. You are talking about a machine action, not a custom inventory rule.

      For a machine action, if you can get it to run from the command line, typically it can become a machine action.

      There are a couple of variables that you can use:


      You would basically have to be able to call "manage-bde.exe -on C:" from your local machine and have it run on the remote system. Once you have it working, you would substitute one of the variables so the K1000 can help you target it.
      • Going off of this page, it would be something like the command below: http://technet.microsoft.com/en-us/library/dd875513%28v=ws.10%29.aspx

        manage-bde -off C: [-ComputerName KACE_HOST_NAME]

        I'm not entirely sure the brackets are necessary, but give that a try. The "-off" also appears to have two dashes in front of it. Good luck!
  • Thanks, trying this now. Having some problems with getting the command to run as an action and also running it as a scheduled script. KACE support is looking at why the commands are not running, a problem which we have been experiencing with Shell commands, batch files, etc., since upgrading the K1000 to 5.4.76848 and agents to 5.3.53177 on Windows 7 x64 machines.
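
The status check suggested in the comments above, as an added example that is not part of the original thread and is not KACE's or Microsoft's code: a PowerShell script that reads `manage-bde -status C:`, prints one state line that an inventory rule or log could match on, and runs `manage-bde.exe -on C:` only when the volume is unencrypted. It assumes English-language output and an elevated session; `Get-BdeState`, the `-Enable` switch and the state names are hypothetical, and the sample output is constructed.

```powershell
# Added example, not from the thread. Assumes English manage-bde output.
param([switch]$Enable)   # hypothetical switch: also turn BitLocker on when needed

function Get-BdeState {
    param([string[]]$StatusLines)
    # Collect the indented "Name: Value" fields of the status report.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s+([^:]+):\s*(.*)$') {
            $fields[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    $conversion = $fields['Conversion Status']
    $protection = $fields['Protection Status']
    # Access denied, localized or otherwise unparsed output must never look "safe".
    if (-not $conversion -or -not $protection) { return 'Unknown' }
    if ($conversion -eq 'Fully Decrypted')     { return 'NotEncrypted' }
    if ($conversion -ne 'Fully Encrypted')     { return 'InProgress' }   # encrypting, decrypting or paused
    if ($protection -eq 'Protection On')       { return 'Protected' }
    return 'Suspended'   # encrypted, but protection is off (e.g. paused by a technician)
}

# Constructed sample of `manage-bde -status C:` output, used when the tool is absent.
$sample = @'
Volume C: [OSDisk]
[OS Volume]

    Size:                 232.79 GB
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Key Protectors:       None Found
'@ -split "`r?`n"

$tool = Get-Command manage-bde.exe -ErrorAction SilentlyContinue
if ($tool) { $lines = & manage-bde.exe -status C: } else { $lines = $sample }
$state = Get-BdeState $lines
"BitLockerState=$state"    # one line for an inventory rule or log to capture

# Only an unencrypted volume is changed; a suspended one is left for the technician.
if ($Enable -and $tool -and $state -eq 'NotEncrypted') {
    & manage-bde.exe -on C:
}
```

Because a `Suspended` or `Unknown` volume is reported but never modified, a scheduled run does not silently override a technician who has paused protection, and a failed status read shows up as its own state instead of being treated as encrypted.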