
Has anyone had any success with creating computer inventory actions that enable BitLocker?

Hi everyone,

I'm trying to create a new inventory action which enables BitLocker using the following.

Custom Action 

manage-bde.exe -on C:

Has anyone had any luck with creating a similar action?

 

 

 



Answers (1)

Posted by: chucksteel 10 years ago
Red Belt
1

Are you trying to enable BitLocker through the use of a custom inventory field? That's an interesting concept but I don't think I would use that functionality to make system changes. It would be better to create a script and target machines that need the change.


Comments:
  • Agreed. Build a script that suits your environment based on this: http://technet.microsoft.com/en-us/library/dd894351%28v=ws.10%29.aspx - jknox 10 years ago
  • Hi, thank you for your responses. Yes, I was hoping to be able to run the command as an action in the inventory field. We have a GPO BitLocker and a script which configures BIOS settings such as activating TPM and setting drive boot order. Right now we open a command prompt on the machine and run manage-bde -on c: and that's almost it. I would like to get rid of this. Also, running a script is great; however, I'd like to keep it as simple as possible and so that the support team does not have to add machines to a label or direct to the script (multiple IT staff adding and removing to labels and a script has been a bit painful thus far in that people are not removing machines once completed and others are removing machines that have just been added by others). That said, maybe I have misunderstood your responses, if I create an action which runs the script or am I limited to doing so via the scripting page. - White Belt 10 years ago
    • If you want this setting for all machines then you would ideally create a custom inventory rule that finds machines that don't have it set. Use this custom rule to create a smart label and apply that smart label to the script. Machines will automatically receive the label when the script needs to be run on them, but once it has been run they will be removed from the label.

      The custom inventory rule should be used to pull in the BitLocker status and the label is based on that status. I'm not familiar enough with BitLocker to know what the rule would be. - chucksteel 10 years ago
      • I just looked at the link jknox posted. Read the Verifying that BitLocker is enabled section. You should be able to make a custom inventory rule using the manage-bde.exe -status c: command and then use that to create the smart label. - chucksteel 10 years ago
  • Hi ChuckSteel, this is how we were enabling BitLocker for a while; however, I am keen on setting up an inventory action as this would allow support staff to disable or pause BitLocker when required. If not then we will stick with the current method of managing BitLocker. - White Belt 10 years ago
    • But if you use a custom inventory rule it will get set every time the machine updates its inventory. With a script you could schedule it to run every day at midnight and then techs can disable it while working on the computer and it will reset the next day. - chucksteel 10 years ago
  • Hi Chucksteel, I know this however my objective was to see if anyone has had any success with setting it up as an action with the view to getting it working for us, if it is not possible then we will either stick with the way which we are currently managing bitlocker possibly with a little fine tuning. Cheers - White Belt 10 years ago
    • Ok, that's where we got confused. You are talking about a machine action, not a custom inventory rule.

      For a machine action, if you can get it to run from the command line, typically it can become a machine action.

      There are a couple of variables that you can use:

      KACE_HOST_IP
      KACE_HOST_NAME
      KACE_CUSTOM_INVENTORY_*

      You would basically have to be able to call "manage-bde.exe -on C:" from your local machine and have it run on the remote system. Once you have it working, you would substitute one of the variables so the K1000 can help you target it. - jknox 10 years ago
      • Going off of this page, it would be something like the command below: http://technet.microsoft.com/en-us/library/dd875513%28v=ws.10%29.aspx

        manage-bde -off C: [-ComputerName KACE_HOST_NAME]

        I'm not entirely sure the brackets are necessary, but give that a try. The "-off" also appears to have two dashes in front of it. Good luck! - jknox 10 years ago
  • Thanks, trying this now, having some problems with getting the command to run as an action and also running it as a scheduled script. KACE support is looking at why the commands are not running, a problem which we have been experiencing with shell commands, batch files, etc. since upgrading the K1000 to 5.4.76848 and agents to 5.3.53177 on Windows 7 x64 machines - White Belt 10 years ago
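
The approach suggested in the comments above (read `manage-bde -status`, run `manage-bde -on C:` only where it is needed), as an added example that is not part of the original thread and not KACE's own code. It assumes English-locale `manage-bde` output and an elevated context; the function name, parameters and exit codes are hypothetical, and the sample status text is constructed.

```powershell
param(
    [string]$Drive = 'C:',
    [switch]$Enable,      # without this switch the script only reports
    [switch]$UseSample    # parse the constructed sample below instead of calling manage-bde
)

# Constructed sample of English-locale "manage-bde -status" output, for offline runs.
$sample = @'
Volume C: [OSDisk]
[OS Volume]
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Protection Status:    Protection Off
'@

function ConvertFrom-ManageBdeStatus {
    param([string]$Text)
    # Turn each "Name:   Value" line into a hashtable entry keyed by field name.
    $fields = @{}
    foreach ($line in $Text -split '\r?\n') {
        if ($line -match '^\s*([^:\[\]]+):\s+(.+?)\s*$') {
            $fields[$Matches[1].Trim()] = $Matches[2]
        }
    }
    $fields
}

$text = if ($UseSample) { $sample } else { (& manage-bde.exe -status $Drive | Out-String) }
$state = ConvertFrom-ManageBdeStatus $text
$protection = $state['Protection Status']
$conversion = $state['Conversion Status']

# One line of output, so an inventory rule or smart label can match on it.
Write-Output "BitLocker ${Drive} protection='$protection' conversion='$conversion'"

if ($protection -eq 'Protection On') { exit 0 }       # already protected, nothing to do
if (-not $Enable) { exit 1 }                          # report-only: flag as not protected
# Protection off on a volume that is not fully decrypted means it was suspended
# or is mid-conversion; leave that for a technician rather than re-running -on.
if ($conversion -ne 'Fully Decrypted') { exit 2 }
if ($UseSample) { Write-Output "would run: manage-bde.exe -on $Drive"; exit 0 }
& manage-bde.exe -on $Drive
exit $LASTEXITCODE
```

Run it with `-UseSample` first to check the parsing without touching a volume; the distinct exit codes let a scheduled job separate "already protected" from "suspended by a technician".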
