Releases: robgrame/BitLockerKeyMonitor

v1.5.2 - First tagged release

05 Jun 11:58

BitLocker Key Monitor v1.5.2

First tagged release of the enterprise BitLocker recovery key consistency monitor.
This version is the baseline for all future releases — version metadata is now
centralized in Directory.Build.props so every binary, log line and
WorkerHeartbeat.Version row reports the same value.

✨ Highlights since the start of the project

Audit & visibility

  • Structured audit log persisted to SQL (AuditEvents table) with a new
    /audit admin page: date range / source / action / outcome / user / subject
    filters, paginated table, CSV export.
  • AUDIT call sites wired into KeyValueVault, DeviceDetail, AdScannerService,
    EntraScannerService, CsvExportService, ConfigurationProvider.

Operations

  • Worker liveness heartbeat: cross-process signaling via SQL
    (WorkerHeartbeat singleton row), 30 s beat from a BackgroundService.
  • Sticky pulsing status badge in the top-right of every Web page —
    Online / Stale / Offline / Unknown, pulse animation reserved for attention
    states (with prefers-reduced-motion honored). Click → details modal with
    PID, version, uptime, last/next scan.
  • Live device search + paginated Recovery Key Vault (5 entries/page).

Reliability

  • Microsoft Graph User-Agent fix — adds the required header on every Graph
    call (the bug that produced 400 BadRequest: Parameter (User-Agent) is required but missing from headers on Entra scans).
  • Polly v8 resilience pipeline for Graph throttling with DelayGenerator
    clamping (MaxDelay is not honored when a DelayGenerator is supplied).
  • ScheduleSyncService hardened against Quartz startup race and invalid-cron
    log spam; reconciles cron on startup.
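
The DelayGenerator clamping noted above, shown as an added example that is not the project's own code. The 60 s ceiling, retry count, base delay, handled status codes and the `GraphRetryExample` name are assumptions made for illustration.

```csharp
// Added example, not BitLockerKeyMonitor source. Needs the Polly.Core v8 package.
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Polly;
using Polly.Retry;

public static class GraphRetryExample
{
    // Assumed ceiling; the project's real limit is not stated on the page.
    private static readonly TimeSpan MaxRetryDelay = TimeSpan.FromSeconds(60);

    // Bound a server-supplied delay to [0, MaxRetryDelay].
    public static TimeSpan Clamp(TimeSpan requested)
    {
        if (requested < TimeSpan.Zero) return TimeSpan.Zero;
        return requested > MaxRetryDelay ? MaxRetryDelay : requested;
    }

    public static ResiliencePipeline<HttpResponseMessage> Build() =>
        new ResiliencePipelineBuilder<HttpResponseMessage>()
            .AddRetry(new RetryStrategyOptions<HttpResponseMessage>
            {
                // Assumed throttling signals: 429 and 503.
                ShouldHandle = new PredicateBuilder<HttpResponseMessage>()
                    .HandleResult(r => r.StatusCode is HttpStatusCode.TooManyRequests
                                                    or HttpStatusCode.ServiceUnavailable),
                MaxRetryAttempts = 5,
                BackoffType = DelayBackoffType.Exponential,
                UseJitter = true,
                BaseDelay = TimeSpan.FromSeconds(2),
                MaxDelay = MaxRetryDelay, // not applied to DelayGenerator results (per the release note)
                DelayGenerator = args =>
                {
                    // Retry-After is either a delta or an absolute date.
                    var retryAfter = args.Outcome.Result?.Headers.RetryAfter;
                    TimeSpan? requested = null;
                    if (retryAfter?.Delta is TimeSpan delta) requested = delta;
                    else if (retryAfter?.Date is DateTimeOffset date) requested = date - DateTimeOffset.UtcNow;

                    // No header: return null so the built-in backoff is used.
                    if (requested is null) return new ValueTask<TimeSpan?>((TimeSpan?)null);
                    // Header present: clamp here, because MaxDelay will not.
                    return new ValueTask<TimeSpan?>(Clamp(requested.Value));
                }
            })
            .Build();
}
```

Without the clamp, a single oversized or malformed Retry-After value would stall the scan for as long as the server asked.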

Deployment

  • Deploy-Remote.ps1 now accepts -GraphCertificateThumbprint and
    -HttpsCertificateThumbprint and merges them in place into
    appsettings.json (with timestamped .bak backup) — no more
    appsettings.Production.json overlay file.
  • Cleans up stale appsettings.Production.json artifacts from prior deploys.
  • Worker and Web publish is locked to -r win-x64 --no-self-contained to avoid
    the netstandard ServiceController stub being loaded instead of the Windows
    implementation (which would crash the service on start with
    PlatformNotSupportedException).

📦 Artifacts

Both archives are framework-dependent win-x64 publishes built against
.NET 10 Runtime. Extract on the target host, then run Deploy-Remote.ps1
(or copy in place and register as Windows Services).

File | Contents
BitLockerKeyMonitor-Worker-v1.5.2-win-x64.zip | BitLockerKeyMonitor.Worker.exe + dependencies — runs scans, audit writes, heartbeat
BitLockerKeyMonitor-Web-v1.5.2-win-x64.zip | BitLockerKeyMonitor.Web.exe + wwwroot — Blazor Server portal with Negotiate auth

Prerequisites on the target host

  • Windows Server 2019/2022/2025, .NET 10 Runtime + ASP.NET Core 10 Runtime
  • SQL Server reachable from both services
  • For the Worker: gMSA or service identity with ReadProperty + ExtendedRight
    on msFVE-RecoveryInformation (use tools/Setup-BitLockerMonitorGmsa.ps1)
  • For Graph: app registration with Device.Read.All + BitlockerKey.ReadBasic.All
    (admin consent) and a client certificate

🚀 Quick deploy

.\Deploy-Remote.ps1 `
  -ComputerName srvblkmon01.mslabs.local `
  -GraphCertificateThumbprint <thumbprint> `
  -HttpsCertificateThumbprint <thumbprint>

🔢 Versioning

Bump <Version> in Directory.Build.props and rebuild — assembly version,
file version, informational version, User-Agent header and heartbeat row will
all pick it up automatically.