Implement BitLocker "action required" status

[sgress454]

for #31182

Details

This PR implements the "Action Required" state for Windows host disk encryption. This includes updates to reporting for:

• disk encryption summary (GET /fleet/disk_encryption)
• config profiles summary (GET /configuration_profiles/summary)
• config profile status ( GET /configuration_profiles/{profile_uuid}/status)

For disk encryption summary, the statuses are now determined according to the rules in the Figma. TL;DR if the criteria for "verified" or "verifying" are set, but a required PIN is not set, we report a host as "action required".

For profiles, I followed what seems to be the existing pattern and set the profile status to "pending" if the disk encryption status is "action required". This is what we do for hosts with the "enforcing" or "removing enforcement" statuses.

A lot of the changes in these files are due to the creation of the fleet.DiskEncryptionConfig struct to hold info about disk encryption config, and passing variables of that type to various functions instead of passing a bool to indicate whether encryption is enabled. Other than that, the functional changes are constrained to a few files.

Note: to get the "require bitlocker pin" UI, compile the front end with:

SHOW_BITLOCKER_PIN_OPTION=true NODE_ENV=development yarn run webpack --progress --watch

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information.
  Changelog will be added when feature is complete.

• Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements)

Testing

• Added/updated automated tests

• Where appropriate, automated tests simulate multiple hosts and test for host isolation (updates to one hosts's records do not affect another)

• QA'd all new/changed functionality manually
  Could use some help testing this end-to-end. I was able to test the banners showing up correctly, but testing the Disk Encryption table requires some Windows-MDM-fu (I just get all zeroes).

Database migrations

• Checked table schema to confirm autoupdate
• Checked schema for all modified table for columns that will auto-update timestamps during migration.
• Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
• Ensured the correct collation is explicitly set for character columns (COLLATE utf8mb4_unicode_ci).

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sgress454/31182-implement-bitlocker-action-required

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[sgress454]

Previously we were passing a bool to various functions to indicate whether disk encryption was enabled. Since we now have two flags to be concerned with ("enabled" and "pin required"), this PR introduces a new struct to pass in place of the bool. Most of the file changes in the PR are updating this usage.

[sgress454]

This is in the code which allows filtering hosts by profile status. In this branch of the logic, we haven't determined profile status by means of the host_mdm_windows_profiles table, so we're going completely off of bitlocker status, which we'll transform by removing the bitlocker_ prefix here.

The new case here which checks for the "action required" disk encryption state and, if found, returns the profile status as bitlocker_pending (which will be transformed to pending).

[sgress454]

This part of the profile status filtering SQL utilizes the host_mdm_windows_profiles to get a status, and then modifies it depending on the bitlocker status. Again we're setting the status to "pending" if bitlocker action is required.

[sgress454]

This is in the helper method which provides SQL for checking a host's BitLocker status. We set up a WHERE clause to check whether a host has their TPM PIN set, defaulting to TRUE if PIN is not required.

[sgress454]

Update the "verified" state SQL to include the PIN check.

[sgress454]

Update the "verifying" state SQL to include the PIN check.

[sgress454]

Add the new "action required" state, which is basically the disjunction of the "verifying" and "verified" states, with the additional "PIN not set" check.

[sgress454]

Implement the "action required" state in the SQL that gets the summary of windows host disk encryption states

[sgress454]

For the profiles summary, count both "pending" and "action_required" BitLocker status as "pending" for the sake of the profiles.

[sgress454]

These tests are very inter-related. I tried to make them more table-based (I really did, @ksykulev!) but somehow starting from scratch caused unexpected issues as well, perhaps due to mdm side-effects I don't fully grok. The best I could do is create a mini setup and teardown in this test -- it turns on PIN requirement at the beginning, and removes it at the end. It also reverts the change made to the host before returning.

[ksykulev]

I think changing existing tests is going to be fairly arduous. Especially in some of the extra complicated situations. I have begun pulling out any new tests into new methods in the new paradigm - as long as the setup isn't wildly complicated.

[juan-fdz-hawa]

Great work with this! Something that I noticed is that when the TPM PIN is required and is not set yet, the Pending state is not shown on the host detail page:

If you mean how "Disk Encryption" shows "On", I think this is expected -- we only show "On", "Off" or "Unknown" there. Once we're all done, if the host is not meeting the PIN requirement then we'll show a banner on the host page and My Device pages indicating that they need to take action. If you build the front end from this branch you should be able to see it.

Not the Disk Encryption card, but the OS settings one, I was expecting to see something like this:

[sgress454]

Not the Disk Encryption card, but the OS settings one, I was expecting to see something like this:

ah interesting -- ngl I don't know exactly how that works, will investigate

[sgress454]

@juan-fdz-hawa ok I see it when I turn Windows MDM on in Settings -> Integrations -> Mobile Device Management, and also have Disk Encryption on in Controls -> OS Settings (for the team that the host is on):

The actual verification is based on Fleet getting the disk encryption key. I haven't had any luck getting that to happen between my local Fleet and my VM though.

[juan-fdz-hawa]

@juan-fdz-hawa ok I see it when I turn Windows MDM on in Settings -> Integrations -> Mobile Device Management, and also have Disk Encryption on in Controls -> OS Settings (for the team that the host is on):

The actual verification is based on Fleet getting the disk encryption key. I haven't had any luck getting that to happen between my local Fleet and my VM though.

The encryption process is a little bit slow on Windows because the whole driver needs to be encrypted and then decrypted. The OS Settings card seem to disappear when the require PIN checkbox is set:

Screencast.from.2025-08-04.13-24-54.webm

If you are having problems with your local env setup, I'm happy to approve this and address the issue in another PR to keep the ball rolling.

[sgress454]

Ok that's wacky, let me see if I can get mine to "verified" and I'll see if I can repro.

[sgress454]

I'm sure there's a more Typescript-y way to do this but I could not figure it out and Claude kept making a mess of things, so this will do for now.

[sgress454]

we do want to show "action required" for windows disk encryption status

[sgress454]

This was only used to filter out action_required which we no longer want to do

[jacobshandling]

In a follow up it'd make sense to update / remove this comment

[jacobshandling]

FE looks good