fleet/docs
Victor Lyuboslavsky 58563852f0
Bitlocker: do not decrypt already encrypted drive. (#43130)
**Related issue:** Resolves #40809

**Orbit agent: key rotation replaces decrypt-then-re-encrypt:**
- When the disk is already encrypted, orbit now adds a new Fleet-managed
recovery key protector, removes old ones, and escrows the new key. The
disk is never decrypted.
- If key escrow fails, the rotated key is cached in memory and retried
on subsequent ticks without rotating again.
- Removes `DecryptVolume` and `decrypt()` (no longer called from
production code).

**Server: osquery query returns both protection_status and
conversion_status:**
- The `disk_encryption_windows` query now returns both columns instead
of just checking `protection_status = 1`. This lets the server correctly
identify a disk as encrypted via `conversion_status = 1` even when
`protection_status = 0`.
- New `directIngestDiskEncryptionWindows` function parses both values,
handles parse errors, and normalizes `protection_status = 2` (unknown)
to NULL.

**Server: new `bitlocker_protection_status` column and status logic:**
- Adds `bitlocker_protection_status` column to `host_disks` (DB
migration).
- When a disk is encrypted and key is escrowed but protection is off,
the host shows "Action required" with a detail message explaining the
issue, instead of misleadingly showing "Verified."
- `protection_status = 2` (unknown) and `NULL` (older orbit hosts) are
treated as protection on for backward compatibility.
- The `profiles_verified` and `profiles_verifying` branches in the
combined profiles+BitLocker summary now handle
`bitlocker_action_required`, counting those hosts as "pending".

Contributor docs updates: https://github.com/fleetdm/fleet/pull/43241
Public docs updates: https://github.com/fleetdm/fleet/pull/43243/changes

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Database migrations

- [x] Checked schema for all modified tables for columns that will
auto-update timestamps during migration.

## fleetd/orbit/Fleet Desktop

- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))



## Summary by CodeRabbit

## Release Notes

* **Bug Fixes**
  * Fixed Windows BitLocker encryption/decryption request loop on systems
    with secondary drives and auto-unlock.

* **New Features**
  * Added BitLocker recovery key rotation capability, allowing safe key
    updates without full disk re-encryption.
  * Enhanced BitLocker protection status tracking to correctly display
    "Action required" when protection is disabled.

2026-04-09 18:33:03 -04:00
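The ingestion and status rules the commit message describes (parse both osquery columns, normalize `protection_status = 2` to NULL, report "Action required" for an encrypted, escrowed disk whose protection is off, treat NULL as protection on), as an added illustration that is not Fleet's own code: the type and function names, and the "pending" label for the intermediate states the message does not name, are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
)

// Constructed illustration of the commit message's rules; hypothetical names, not Fleet's code.

// windowsDisk is what ingestion records for one host's system drive.
type windowsDisk struct {
	Encrypted  bool // conversion_status = 1 (fully encrypted)
	Protection *int // bitlocker_protection_status; nil stands for NULL
}

// ingestDiskEncryptionWindows parses both columns; protection_status 2 (unknown) becomes NULL.
func ingestDiskEncryptionWindows(row map[string]string) (windowsDisk, error) {
	conv, err := strconv.Atoi(row["conversion_status"])
	if err != nil {
		return windowsDisk{}, fmt.Errorf("conversion_status: %w", err)
	}
	prot, err := strconv.Atoi(row["protection_status"])
	if err != nil {
		return windowsDisk{}, fmt.Errorf("protection_status: %w", err)
	}
	d := windowsDisk{Encrypted: conv == 1}
	if prot != 2 {
		d.Protection = &prot
	}
	return d, nil
}

// bitlockerStatus: an encrypted disk with an escrowed key but protection off is
// "action_required", not "verified"; NULL protection (unknown, or older orbit) counts as on.
func bitlockerStatus(d windowsDisk, keyEscrowed bool) string {
	switch {
	case !d.Encrypted || !keyEscrowed:
		return "pending" // the page does not name these intermediate states
	case d.Protection != nil && *d.Protection == 0:
		return "action_required"
	default:
		return "verified"
	}
}

func main() {
	// Constructed row: the case a bare protection_status = 1 check would miss.
	d, _ := ingestDiskEncryptionWindows(map[string]string{"conversion_status": "1", "protection_status": "0"})
	fmt.Println(d.Encrypted, bitlockerStatus(d, true)) // true action_required
}
```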
01-Using-Fleet Starter library matches fleets in fleetctl new templates (#42554) 2026-03-27 14:37:05 -05:00
Configuration Docs: Clarify MySQL read replica config is independent from primary (#43013) 2026-04-08 17:43:14 -05:00
Contributing Bitlocker: do not decrypt already encrypted drive. (#43130) 2026-04-09 18:33:03 -04:00
Deploy Preview of v4.83.0 doc changes (#39805) 2026-04-01 11:21:11 -05:00
files Handbook: Adding 2024 pen test document to security audit page (#21393) 2024-08-21 11:15:37 -04:00
Get started Clarify that not all Linux distros require the GNOME extension (#43297) 2026-04-08 17:07:59 -05:00
images Keep Entity ID consistent (#37936) 2026-01-27 16:12:23 -06:00
REST API Document after and related API params. (#42844) 2026-04-03 18:03:25 -05:00
solutions Update Android password policy and clarify how it works with BYOD (#43374) 2026-04-09 17:29:14 -05:00
mdm-commands.yml Fix Apple's spelling errors (#39464) 2026-02-06 13:37:40 -06:00
queries.yml Add MITRE ATT&CK framework queries to query library (#39930) 2026-03-06 12:28:11 -06:00
README.md Updated broken links for Using Fleet and Deploying (#20655) 2024-07-25 10:04:18 -04:00
scripts.yml Add 'Disable Wi-Fi auto-join' macOS script to scripts library (#39813) 2026-02-18 15:32:28 -06:00

Fleet documentation

Welcome to the documentation for Fleet, the lightweight management platform for laptops and servers.

You can also read the Fleet docs over at https://fleetdm.com/docs.

Using Fleet

Resources for using the Fleet UI, fleetctl CLI, and Fleet REST API.

Deploying

Resources for installing Fleet's infrastructure dependencies, configuring Fleet, deploying osquery to hosts, and viewing example deployment scenarios.

Contributing

If you're interested in interacting with the Fleet source code, you'll find information on modifying and building the code here.


If you have any questions, please don't hesitate to File a GitHub issue or join us on Slack. You can find us in the #fleet channel.