BitLocker Status - Custom Inventory

Version 1

    This document will cover the process used to collect custom inventory items for Microsoft Windows BitLocker HDD Encryption.


    Steps used to Collect Data

    • Research methods to retrieve BitLocker Status (Decided to use CMD: "manage-bde -status c: > C:\BCM\BitlockerStatus.log"
      • You can see I piped data to an output file called "BitlockerStatus.log"
    • Create Op Rule with following Steps
      1. Create Directory (Must have a directory to write my file)
      2. Execute Program (Must own Deploy Module)
        1. This is the file created:
      3. Created 5 steps using "File Analysis via Regular Expression" (I parsed same file 5 times to get the data I was looking to collect)
        1. This is a screen shot of one of the 5 steps:
      4. The last step is to Update & Upload Custom Inventory
      5. Assign this Rule to a device you know has BitLocker enabled and one that does not to ensure you are collecting the data properly (TEST)
        1. This is what the custom inventory return results look like:


    I have exported this rule and have attached at the bottom of this article so you can download and IMPORT to run  (Once imported it will be in Global Settings > Lost and Found. Just locate > Copy and then paste in your desired folder under Operational Rules.


    Once the data is collected you can then create a query to find all devices where BitLocker is either enabled or disabled (depends on what you are trying to achieve).  From there you can create a Device Group from the query or simply create a report showing the results.


    This is a screen shot of a single device using a report:

    I hope you find this useful,



    This document was written in response to Surendar Cholkar and his post: