07/06/2018 807 views
We are in the works to make sure all our devices are bitlocked and encrypted. This has always been a manual process when re-imaging, but we have a good number of devices that need to be bitlocked in remote locations. When we do it manually we save the BitLocker key in a text file in a network folder. I would like to script this process and make it auto-save the key file to the same network drive. I have a script that works well as a .bat file but is giving me an error I can't pinpoint the cause of. Anyone have any ideas?

Here is the error:
Running as credntials provided
Creating process returned non-zero: %systemdrive%\Windows\System32\manage-bde.exe -status C: -protectionaserrorlevel: (4294967295)
Error Code: -1
Status Code: 0
Creating process returned non-zero: %systemdrive%\Windows\System32\manage-bde.exe -protectors -add %SystemDrive% -tpm: (4294967295)
Error Code: -1
Status Code: 0

Here is the script:

4 Comments


  • The script is not visible
  • As above the script isn't visible, but you can upload the recovery keys to KACE and place them under the device inventory of the machine.
  • If it's not the 32-bit vs 64-bit issue chucksteel mentioned, it could be file/folder permissions. I believe KACE scripts normally run under the SYSTEM account (not a logged-on user), which may not have access to the network share you're using. Try adding the group Domain Computers to both the network share permissions and the file/folder permissions. I'd suggest creating a dummy script for testing, and try using write but NOT read permissions on the folder. I've got a script which creates files and I've set up folder permissions "Read attributes", "Create files / write data", "Create folders / append data", "Write attributes", "Write extended attributes". The folder does NOT have "List folder / read data".
  • Has this been resolved? I am having similar issues with a script that changes a local password.

All Answers

The manage-bde.exe command is not available in the 32-bit context where the AMPAgent is running. You need to use %windir%\sysnative\manage-bde.exe instead.

Answered 07/17/2018 by: chucksteel
Red Belt
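Putting the answer's sysnative point together with the flow the question describes (status check, TPM protector, recovery key saved to a share), here is an added batch example; it is not the poster's script and not KACE's code, and the share path \\fileserver\bitlocker$ is an assumed placeholder.

```batch
@echo off
REM Added example (not the original poster's script): choose the 64-bit
REM manage-bde.exe when running from a 32-bit agent, then enable BitLocker
REM on the system drive and save the recovery password to a network share.
setlocal

REM Assumed placeholder share; replace with your own. The agent runs as
REM SYSTEM, so the computer account needs write access here (see comments).
set "KEYSHARE=\\fileserver\bitlocker$"

REM A 32-bit process on 64-bit Windows has System32 redirected to SysWOW64,
REM which has no manage-bde.exe. The sysnative alias reaches the real
REM System32; it does not exist in a 64-bit process, so fall back there.
if exist "%windir%\sysnative\manage-bde.exe" (
    set "MBDE=%windir%\sysnative\manage-bde.exe"
) else (
    set "MBDE=%windir%\System32\manage-bde.exe"
)

REM -protectionaserrorlevel returns 0 when protection is already on.
"%MBDE%" -status %SystemDrive% -protectionaserrorlevel
if %errorlevel%==0 (
    echo BitLocker protection is already on for %SystemDrive%
    exit /b 0
)

REM Add a TPM protector plus a recovery password, then save the password
REM keyed by hostname before turning encryption on.
"%MBDE%" -protectors -add %SystemDrive% -tpm
if errorlevel 1 exit /b 1
"%MBDE%" -protectors -add %SystemDrive% -recoverypassword
if errorlevel 1 exit /b 1
"%MBDE%" -protectors -get %SystemDrive% -type recoverypassword > "%KEYSHARE%\%COMPUTERNAME%.txt"
if errorlevel 1 exit /b 1

"%MBDE%" -on %SystemDrive%
exit /b %errorlevel%
```

Run it as a test against the share permissions first: if the redirected file is empty or missing, the SYSTEM/computer account lacks write access on the folder, which is the permissions failure described in the comments.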