Issue automating BitLocker deployment via KACE script & manage-bde

We are in the works to make sure all our devices are bitlocked and encrypted. This has always been a manual process when re-imaging, but we have a good number of devices that need to be bitlocked in remote locations. When we do it manually we save the bitlock key in a text file in a network folder. I would like to script this process and make it auto-save the key file to the same network drive. I have a script that works well as a .bat file but is giving me an error I can pinpoint as to the cause. Anyone have any ideas?

Here is the error:
Running as credntials provided
Creating process returned non-zero: %systemdrive%\Windows\System32\manage-bde.exe -status C: -protectionaserrorlevel: (4294967295)
Error Code: -1
Status Code: 0
Creating process returned non-zero: %systemdrive%\Windows\System32\manage-bde.exe -protectors -add %SystemDrive% -tpm: (4294967295)
Error Code: -1
Status Code: 0

Here is the script:










4 Comments
  • The script is not visible - Channeler 2 years ago
  • As above the script isn't visible, but you can upload the recovery keys to KACE and place them under the device inventory of the machine. - Ziggi 2 years ago
  • If it's not a 32-bit vs 64-bit issue chucksteel mentioned, it could be file/folder permissions. I believe KACE scripts normally run under the SYSTEM account (not a logged-on user), which may not have access to the network share you're using. Try adding the group Domain Computers to both the network share permissions and the file/folder permissions. I'd suggest creating a dummy script for testing, and try using write but NOT read permissions on the folder. I've got a script which creates files and I've set up folder permissions "Read attributes", "Create files / write data", "Create folders / append data", "Write attributes", "Write extended attributes". The folder does NOT have "List folder / read data". - PaulGibson 2 years ago
  • Has this been resolved? I am having similar issues with a script that changes a local password.
    https://www.itninja.com/question/need-help-with-formerly-functioning-script - Loei 2 years ago

Answers (2)

Posted by: chucksteel 2 years ago
The manage-bde.exe command is not available in the 32-bit context where the AMPAgent is running. You need to use %windir%\sysnative\manage-bde.exe instead.
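
The path fix from the answer above, as an added example (the original poster's script is not visible on the page, and this is not chucksteel's code). It uses `Sysnative` only when the script runs as a 32-bit process on 64-bit Windows, then runs the two manage-bde commands shown in the error output; the `MBDE` variable name and the exit code 2 are assumptions of this example.

```batch
@echo off
setlocal
rem Added example: resolve manage-bde.exe correctly from a 32-bit agent.
rem MBDE is a hypothetical variable name chosen for this example.

rem PROCESSOR_ARCHITEW6432 is defined only inside a 32-bit (WOW64) process
rem on 64-bit Windows. There, System32 is redirected to SysWOW64, which has
rem no manage-bde.exe, so the 64-bit copy must be reached through Sysnative.
if defined PROCESSOR_ARCHITEW6432 (
    set "MBDE=%windir%\Sysnative\manage-bde.exe"
) else (
    set "MBDE=%windir%\System32\manage-bde.exe"
)

rem Fail with a clear message instead of the agent's generic -1.
if not exist "%MBDE%" (
    echo manage-bde.exe not found at "%MBDE%" 1>&2
    exit /b 2
)

rem -protectionaserrorlevel returns 0 when the volume is protected
rem and 1 when it is not.
"%MBDE%" -status %SystemDrive% -protectionaserrorlevel
if %errorlevel% equ 0 (
    echo %SystemDrive% is already protected, nothing to do.
    exit /b 0
)

rem Same command as in the error output: add the TPM protector.
"%MBDE%" -protectors -add %SystemDrive% -tpm
if errorlevel 1 (
    echo Adding the TPM protector failed with exit code %errorlevel% 1>&2
    exit /b %errorlevel%
)

exit /b 0
```

In a 64-bit process the `Sysnative` alias does not exist, which is why the script tests for WOW64 instead of always using that path.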

Posted by: Timokirch 2 years ago
