BitLocker for Automate — New Release Build v1.0.0.23


Post by Cubert

🔐 BitLocker for Automate — What's New in v1.0.0.23
Published by Plugins4, LLC · plugins4automate.com
---
We've been hard at work improving BitLocker for Automate, our ConnectWise Automate plugin for managing BitLocker deployments, key protectors, and volume states across your entire client base. This update is packed with reliability improvements, smarter UI behaviour, and safer remote operations. Here's everything that changed.
---

🖥️ UI: Volume Status Messaging
The volume detail panel now displays a contextual status label (Volume is Locked / Volume is Suspended) so technicians instantly know the state of a selected volume without having to interpret raw data.

• Locked volumes display "Volume is Locked" in bold maroon text.
• Suspended volumes display "Volume is Suspended".
• The label is always horizontally centred regardless of message length, using a full-width fixed label with TextAlign = MiddleCenter.
• The message clears automatically when switching to a different volume.

---

🔘 UI: Suspend / Resume Button Fix
The Control BitLocker button group now correctly shows the Resume button when a volume is suspended, and Suspend when it is active.
Previously, selecting a suspended volume left the Suspend button visible because UpdateBitLockerControlButtons was never being called for the suspended state branch. This is now fixed — the suspended volume path calls UpdateBitLockerControlButtons with protectionStatus = "Off", which correctly surfaces the Resume button.

---

🔒 Lock BitLocker — Pre-Lock Safety Checks
The Lock BitLocker operation now performs a full pre-lock verification before issuing the lock command:

1. Database credential check — Verifies that at least one Password or RecoveryPassword protector with a stored credential value exists in the database for the volume. Aborts if none are found, preventing a lock with no known unlock path.
2. Live volume cross-reference — Queries the live agent for all active KeyProtectorId values and cross-references them against the database records. If any database credential KeyProtectorId is missing from the live volume, the operation aborts with a clear message to run Refresh Volume Data first.
3. Safe lock — Only when all checks pass does it execute Lock-BitLocker -ForceDismount.

---

🔓 Unlock BitLocker — Credential-Driven Unlock
The Unlock BitLocker operation now queries stored credentials from the database and selects the best available unlock method automatically:

• Uses a stored Password (via ConvertTo-SecureString) as the first preference.
• Falls back to a stored RecoveryPassword if no plain password is available.
• Aborts cleanly with a clear message if neither credential exists in the database.

---

✅ Enable BitLocker — Intelligent Protector Handling
The Enable BitLocker flow was significantly improved:

• Queries the live agent's existing KeyProtectorId values before adding anything.
• If a Password protector is in the database but its KeyProtectorId is no longer on the live volume, it is re-added using the stored password and the stale ID is cleared from the database.
• Automatically adds a RecoveryPassword protector if no matching protector exists at all, ensuring every volume enabled by the plugin always has a recovery path.
• Guarantees a RecoveryPassword exists on the volume before starting encryption, even if one was added in an earlier step.
• Detects XTS cipher support (xts_aes128 / xts_aes256) and falls back gracefully to aes128 / aes256 on older OS versions.
• Correctly surfaces the "reboot required for TPM hardware test" state as informational rather than a failure, and shows a Reboot Computer button.

---

🗑️ Remove Key Protector — BitLocker-Aware Deletion
The Remove Key Protector operation is now smarter about when an anchor protector is needed:

• Previously: Always queried the protector count and conditionally added an anchor protector before removing, regardless of whether BitLocker was actually enabled on the volume.
• Now: First queries the live VolumeStatus from the agent. If the volume is FullyDecrypted (BitLocker disabled), the protector is deleted directly — no anchor needed, no unnecessary commands sent to the agent.
• The anchor protector logic (adding a temporary RecoveryPassword or Tpm protector as a safety net) only runs when BitLocker is active on the volume, which is the only scenario where Windows enforces the "last protector" restriction.

---

🌳 Manage Client — Drive List Improvements
The Manage Client form now uses a ListView with drive icons in place of the original CheckedListBox, giving a clearer visual distinction between encrypted and unencrypted drives. Icons reflect drive lock state sourced from existing plugin resources.

---

⚙️ Background Thread Safety
All UI updates throughout the plugin — progress bar, terminal output, status labels, button visibility — are marshalled correctly through InvokeRequired / Me.Invoke patterns, ensuring no cross-thread UI exceptions during long-running remote operations.

---

🔄 Refresh Volume Data — Stale Record Cleanup
After every operation that modifies a volume, Refresh Volume Data now:

• Deletes stale volume rows from plugin_p4a_bitlocker_volumes for mount points that no longer exist on the computer.
• Deletes stale protector rows from plugin_p4a_bitlocker_protectors for KeyProtectorId values no longer reported by the live agent.
• Both cleanup steps are scoped to the specific ComputerID to prevent accidental deletion of other computers' data.
• Cleanup is skipped if the agent returns no data, protecting against bad responses wiping valid records.

---


BitLocker for Automate is developed and maintained by Plugins4, LLC. For licensing and support, visit www.plugins4automate.com.
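The pre-lock checks and the unlock preference order described in the release notes, modelled as an added example (this is not the plugin's code). The record fields, function names and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class StoredProtector:
    """One database protector row (field names are assumptions of this example)."""
    key_protector_id: str
    protector_type: str            # e.g. "Password", "RecoveryPassword", "Tpm"
    credential: Optional[str]      # stored secret, or None if none is held

def _norm(pid):
    # KeyProtectorId values are brace-wrapped GUIDs; this example compares
    # them case-insensitively and ignores surrounding whitespace.
    return pid.strip().upper()

def usable_credentials(rows):
    """Rows that give an operator a way back in: a typed secret that is stored."""
    return [r for r in rows
            if r.protector_type in ("Password", "RecoveryPassword") and r.credential]

def pre_lock_check(rows, live_ids):
    """Return (ok, reason); ok is True only when locking leaves a known unlock path."""
    creds = usable_credentials(rows)
    if not creds:
        return False, "no stored Password or RecoveryPassword credential"
    live = {_norm(i) for i in live_ids}
    missing = [r.key_protector_id for r in creds if _norm(r.key_protector_id) not in live]
    if missing:
        return False, "run Refresh Volume Data first; not on live volume: " + ", ".join(missing)
    return True, "checks passed"

def choose_unlock(rows):
    """Return (method, credential): Password first, then RecoveryPassword, else None."""
    creds = usable_credentials(rows)
    for wanted in ("Password", "RecoveryPassword"):
        for r in creds:
            if r.protector_type == wanted:
                return wanted, r.credential
    return None

# Constructed sample data (not real protector IDs or secrets).
ROWS = [
    StoredProtector("{11111111-AAAA}", "Tpm", None),
    StoredProtector("{22222222-BBBB}", "RecoveryPassword", "000000-111111-EXAMPLE"),
]
```

An empty live ID list fails the second check, so a bad agent response can never be read as permission to lock.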
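The Refresh Volume Data cleanup rules (scoped to one ComputerID, skipped on an empty agent response) as an added example, not the plugin's code. The table names come from the release notes; the column names other than ComputerID, the use of SQLite as a stand-in database and all rows are assumptions.

```python
import sqlite3

VOL = "plugin_p4a_bitlocker_volumes"        # table names from the release notes
PROT = "plugin_p4a_bitlocker_protectors"    # column names below are assumed

def _delete_not_in(conn, table, column, computer_id, keep):
    """Delete this computer's rows whose `column` value is not in `keep`."""
    marks = ",".join("?" * len(keep))       # values are bound, never interpolated
    cur = conn.execute(
        f"DELETE FROM {table} WHERE ComputerID = ? AND {column} NOT IN ({marks})",
        [computer_id, *keep])
    return cur.rowcount

def cleanup_stale(conn, computer_id, live_mounts, live_protector_ids):
    """Return (volume_rows_deleted, protector_rows_deleted) for one computer."""
    # An empty agent response means "no answer", not "nothing exists": delete nothing.
    if not live_mounts:
        return (0, 0)
    vols = _delete_not_in(conn, VOL, "MountPoint", computer_id, live_mounts)
    # Assumption of this example: an empty protector list also skips protector cleanup.
    prots = (_delete_not_in(conn, PROT, "KeyProtectorId", computer_id, live_protector_ids)
             if live_protector_ids else 0)
    conn.commit()
    return (vols, prots)

def demo_db():
    """In-memory SQLite stand-in with constructed rows for two computers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {VOL} (ComputerID INTEGER, MountPoint TEXT)")
    conn.execute(f"CREATE TABLE {PROT} (ComputerID INTEGER, KeyProtectorId TEXT)")
    conn.executemany(f"INSERT INTO {VOL} VALUES (?, ?)",
                     [(1, "C:"), (1, "E:"), (2, "C:"), (2, "E:")])
    conn.executemany(f"INSERT INTO {PROT} VALUES (?, ?)",
                     [(1, "{AAAA}"), (1, "{BBBB}"), (2, "{BBBB}")])
    return conn

def count(conn, table, computer_id):
    """Number of rows a computer currently has in `table`."""
    return conn.execute(f"SELECT COUNT(*) FROM {table} WHERE ComputerID = ?",
                        (computer_id,)).fetchone()[0]
```

In the sample data, computer 2 holds the same mount point and protector ID that are stale on computer 1, which is the case the ComputerID scoping protects.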
