K1000 Bitlocker Recovery Key (Inventory field)

I have not found this elsewhere so I apologize if it already exists.

This is how I created an Inventory field in the K1000 that stores the Bitlocker recovery key for each machine. 

I found that it wouldn't always upload or update AD so I rest easier knowing this information is updated on every Check in.

ShellCommandTextReturn(cmd.exe /c %windir%\sysnative\manage-bde.exe -protectors -get c:)

The result looks like this.



  • What is this magic?
    I can't see any options for making Custom Inventory rules. - Vivalo 4 years ago
    • There is quite a bit on custom inventory rules and fields to be googled. http://www.itninja.com/blog/view/kace-custom-inventory-rules-101

      Basically you are creating a custom software under Inventory/Software

      Name the Publisher "Custom Field"

      you cn also create a smart label to group them by making a smart label and adding in this bit of sql code (Thanks to Kace Training for it)

      OR ( SOFTWARE.PUBLISHER like '%CUSTOM%')) - jweddington 4 years ago
      • Got it, thanks. It actually seems like v7 now is able to track BitLocker Drive Encryption status. But I made a custom inventory item to pull the k2000 deployment date and used that to find computers deployed in the last 4 hours so i can target computers just those computers with my script to enable BitLocker.

        Seems to work well.

        I ended up putting the BitLocker enabling steps into the K2000 post deploy tasks, I used some Dell BIOS config util and powershell to make sure the TPM chip is ready and enabled before the step to turn on bitlocker. Seems to work well, I still want to get the bitlocker recovery key into K1000 inventory, so will do this now. - Vivalo 4 years ago
  • Sounds great. Glad to have helped. Now if only Kace can add the Recovery key into their Drive Encryption drop down I can retire my custom inventory field.
    Having the recovery key up to date and easily accessible is important to me. I did not want to stand up a server just for MBAM when all I need is a repository for recovery keys. - jweddington 4 years ago
  • Excellent!!!, I have been looking for this for while. - davidotz8 3 years ago
  • I've been able to achieve it with THIS command;

    ShellCommandTextReturn(c:\windows\sysnative\WindowsPowerShell\v1.0\powershell -executionpolicy bypass -Command "(Get-BitLockerVolume -MountPoint C).KeyProtector.RecoveryPassword")

    Returns ONLY the Recovery Key as an item. - RD94 3 years ago
  • It's worthwhile creating a scheduled report daily emailed to yourself detailing bitlocker keys and devices.

    This is important if you delete a device or rebuild a device and the record is overwritten in Kace.

    You will then have the history of bitlocker keys if, like us, you retain the old sata disk and swap out with an SSD.

    This has been a life saver on more than one occasion.

    JB - JonnyBarr 3 years ago
    • Good suggestion. - RD94 3 years ago
This post is locked

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login


This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ