Main Tool

[Cubert]

The main control is located under each clients console as a tab called BitLocker.

Want to learn more about BitLocker integration with ConnectWise Automate?
YouTube Video

Here it shows all drives that Automate sees for each agent and the current status of that drives encryption. You then use the tools to the right to add Key Protectors to drives. You can add more than one protector to a drive. You can add, remove, suspend encryption on any drive.

• Manage Client - Opens a new console that allows you to apply a key protector to multiple volumes and/or computers

• Volume List - This is an exportable list view of all the volums the client has along with their status. Listed by Key Protector and volume assigned.

• Refresh Scans - Forces a new scheduled script to be queued to scan for BitLocker volumes and changes.

• Add Key Protector - When selecting a drive volume, a right click menu to select to add a key protector will launch a live real time terminal that adds new key protectors and encrypts drive volumes that are not already encrypted.

ClientConsole-agents-selected.jpg (188.31 KiB) Viewed 12 times

[Cubert]

Adding a Key Protector


To add encryption to a drive is easy. Select the drive from the list of agents in the plugin, right click to open menu, select Add Protector from the menu. This will launch a new window that you can select a key protector and encryption size to apply to the drive. TPM is the most common key protector so we will use this as our example. As long as the agent supports TPM then this key will work. If not the terminal will test to see and report back any non compliance before quitting. If all was successful then the terminal should close it's self automatically. You should not need to quit the window manually.

Adding-TPM-key-protector.png (54.87 KiB) Viewed 5926 times

Here is what happens if TPM is attempted on a system that can not support TPM.

TPM-failed test.png (17.81 KiB) Viewed 5926 times

[Cubert]

New Client Manager Tool
This tool allows you to automate BitLocker encryption and key protector deployment across multiple drives and computers at once. It is designed to work within ConnectWise Automate, where it assigns and schedules a script for each selected computer.

To use the tool, select one or more drive volumes from the list of available computers. Then choose your desired key protector type—such as TPM, PIN, password, recovery key, or startup key—and provide any required information like passwords, PINs, or file paths.

If a drive is fully decrypted, the script will apply AES encryption using the specified method. If the drive is already encrypted, the script will skip re-encryption and instead add the selected key protector. This process supports a wide range of key protector types and ensures consistent BitLocker configuration across managed endpoints. It is ideal for bulk deployment, compliance enforcement, and securing data at rest.

ClientConsole-open-client-manager.jpg (185.83 KiB) Viewed 10 times

Select the volumes you want to encrypt or if encrypted add another key protector to volume. The tool will deal with how to apply each volume request so you can mix and match encrypted and decrypted volumes when adding a key.