Add FileVault and BitLocker disk encryption policies for Workstations team (#42340)

## Summary

- Adds a new **macOS - FileVault enabled** policy that checks whether
FileVault disk encryption is enabled on macOS devices by querying
`filevault_status` for an active status.
- Adds a new **Windows - BitLocker enabled** policy that checks whether
BitLocker disk encryption is enabled on the C: drive of Windows devices
by querying `bitlocker_info` for protection status.
- Both policies are added to the Workstations team configuration in
`workstations.yml`, placed alongside the existing disk encryption check
policies.
- Updated the resolution text for both policies to indicate that
settings should be automatically applied via MDM and to direct users to
#help-it for assistance.
- Changed resolution phrasing from "If you're still seeing this issue"
to "If you're still failing this policy" for both policies.

## Changes

| File | Change |
|------|--------|
| `it-and-security/lib/macos/policies/filevault-enabled.yml` | New policy file for macOS FileVault check |
| `it-and-security/lib/windows/policies/bitlocker-enabled.yml` | New policy file for Windows BitLocker check |
| `it-and-security/fleets/workstations.yml` | Added references to both new policy files |

Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1774388430297229?thread_ts=1774386241.477189&cid=D0AFASNBZMW)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)

---------

Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
kilo-code-bot[bot] 2026-03-24 20:45:50 -05:00 committed by GitHub
parent af1dc1dc3c
commit a1ded814f3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 16 additions and 0 deletions


@ -126,6 +126,7 @@ policies:
- path: ../lib/macos/policies/update-1password.yml
- path: ../lib/macos/policies/enrollment-profile-up-to-date.yml
- path: ../lib/macos/policies/disk-encryption-check.yml
- path: ../lib/macos/policies/filevault-enabled.yml
- path: ../lib/macos/policies/disk-space-check.yml
- path: ../lib/macos/policies/1password-installed.yml
- path: ../lib/macos/policies/install-macos-compatibility-extension.yml
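Review bot: `filevault-enabled.yml` is listed directly after the existing `disk-encryption-check.yml`, and nothing in the change says how the two differ, so a Mac without encryption may now fail two policies for one condition. State in the new policy's description what it covers that the existing check does not, or replace the old entry instead of adding beside it. The same question applies to `bitlocker-enabled.yml` next to the Windows `disk-encryption-check.yml` in the following hunk.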
@ -137,6 +138,7 @@ policies:
- path: ../lib/windows/policies/antivirus-signatures-up-to-date.yml
- path: ../lib/windows/policies/all-windows-updates-installed.yml
- path: ../lib/windows/policies/disk-encryption-check.yml
- path: ../lib/windows/policies/bitlocker-enabled.yml
- path: ../lib/windows/policies/disk-space-check.yml
- path: ../lib/windows/policies/1password-installed.yml
- path: ../lib/windows/policies/update-1password.yml


@ -0,0 +1,7 @@
- name: macOS - FileVault enabled
query: SELECT 1 FROM filevault_status WHERE status = 'FileVault is On.';
critical: false
description: This policy checks whether FileVault disk encryption is enabled on macOS devices. FileVault encrypts the entire drive and helps protect data at rest.
resolution: |-
These settings should be automatically applied once MDM is enabled on your device. If you're still failing this policy, please reach out to #help-it for assistance.
platform: darwin
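Review bot: The query's `status = 'FileVault is On.'` is an exact match on a human-readable string, trailing period included, so a host whose `filevault_status` row carries different wording or extra text fails the policy even with encryption on. Add a comment on where that literal comes from, or match on a prefix (`status LIKE 'FileVault is On.%'`) if additional text can follow it. The resolution opens with "These settings" while the policy checks a single setting; naming FileVault there would make the failure message self-explanatory.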


@ -0,0 +1,7 @@
- name: Windows - BitLocker enabled
query: SELECT 1 FROM bitlocker_info WHERE drive_letter = 'C:' AND protection_status = 1;
critical: false
description: "This policy checks whether BitLocker disk encryption is enabled on the C: drive of Windows devices. BitLocker encrypts the entire drive and helps protect data at rest."
resolution: |-
These settings should be automatically applied once MDM is enabled on your device. If you're still failing this policy, please reach out to #help-it for assistance.
platform: windows
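Review bot: In the query, `protection_status = 1` is a bare number and `drive_letter = 'C:'` is hard-coded, and neither is explained. Note in the description that 1 is the value `bitlocker_info` reports when protection is on, and that as written a device whose system volume is not C: returns no row and fails, while any additional fixed drives are not checked at all. It is also worth confirming that `critical: false` is intended for a disk encryption control.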