fleet icon indicating copy to clipboard operation
fleet copied to clipboard
verified publisher icon fleetdm

Windows MDM enrollment details don't clear upon OS change

Open ddribeiro opened this issue 9 months ago • 9 comments

Fleet version: 4.65.0, Orbit 1.40.1

Web browser and operating system: Tested with Windows 11 -> Ubuntu 24.10

💥  Actual behavior

An end user has a Fleet enrolled Windows host with MDM turned on. Then they decide they want to use Linux for work so they re-enroll to Fleet as a Linux host. When this happens, the host's MDM details are not cleared out. This causes issues for reporting where it appears the Linux host is enrolled in Windows MDM, when it is not. The other host details are updated to accurately reflect the new OS details.

Image

🧑‍💻  Steps to reproduce

  1. Enroll a Windows host into Fleet with MDM turned on. Make sure MDM server details populate on the host's details page.
  2. Install Ubuntu on that same host and enroll it into Fleet. Do not erase the host record from Fleet!
  3. Observe that that the existing host record has been updated to reflect that host is now running Ubuntu. The MDM Status and MDM server URL still show the host is enrolled in Windows MDM, which is not correct.

🕯️ More info (optional)

🛠️ To fix

Product designer: marko-lisica

When end users switches from Windows to Linux...

  • The Linux hosts re-enrolls (fleetd is installed)
  • Clear MDM status and MDM server URL

ddribeiro avatar Mar 25 '25 14:03 ddribeiro

I think this might be related, but upon booting my test system back to Windows, I was prompted for my BitLocker recovery key. Fleet shows me "Show disk encryption key" from the host's Actions menu, but when I click it, I get an error. I don't know if this warrants a separate bug or not. I'm not sure the best way to handle the recovery key escrow. It wouldn't make sense to delete it in dual-boot environments.

Image

ddribeiro avatar Mar 25 '25 14:03 ddribeiro

@noahtalerman new numa bug, do we have the right tags? dale discussed with you during POH last week and the suggestion was to file this

zayhanlon avatar Mar 25 '25 15:03 zayhanlon

@zayhanlon looks good. Updated this to #g-mdm. This bug will go through the bug process starting at the "Reproduced" step: https://fleetdm.com/handbook/company/product-groups#reproduced

cc @marko-lisica

noahtalerman avatar Mar 26 '25 18:03 noahtalerman

QA Reproduction Notes:

I was able to reproduce on my PC -

Enrolled with Windows 11 successfully

Image

I did not delete the host record in Fleet, then installed Ubuntu...

Image

The mdm information remains attached to the host.

I'll go thru the same workflow with deleting the host record next and report back

PezHub avatar Apr 04 '25 15:04 PezHub

Walked thru the same workflow except I deleted the Windows host record in fleet before enrolling Ubuntu and can confirm the MDM status and server URL get cleared. Will leave it up to Product to decide next steps

Image

PezHub avatar Apr 04 '25 23:04 PezHub

Hey, @ddribeiro, we always recommend deleting the host from Fleet when wiping a host (best practice), such as when repurposing a device. We believe the same applies in this situation. They can delete the host at any time, as it will re-enroll if fleetd is installed and will have the correct vitals.

We documented this here: https://github.com/fleetdm/fleet/pull/28076. Do you think this is sufficient?

marko-lisica avatar Apr 10 '25 12:04 marko-lisica

@marko-lisica This is a tough one because our best practice could work for some customers but not others. Is there a scenario where Fleet could handle deleting the previous host record before re-enrolling?

For example, in environments with highly technical users (customer-numa), an end user could install Linux on a computer that previously had Windows installed and enroll it into Fleet, and the IT department would have no visibility into that. It would be impossible for them to adhere to our best practice in that situation.

In this particular scenario, it seems wrong for Fleet to keep the Windows MDM server URL for an operating system that can never be enrolled in a Windows MDM server. I think it'd be a better experience for Fleet to be aware of this and clear out the irrelevant information automatically.

ddribeiro avatar Apr 10 '25 18:04 ddribeiro

@ddribeiro, this makes sense. I'm just wondering how technical users get fleetd once they change their OS. Do they have some internal repo or something similar?

marko-lisica avatar Apr 11 '25 18:04 marko-lisica

When end users switches from Windows to Linux...

  • The Linux hosts re-enrolls (fleetd is installed)
  • Clear MDM status and MDM server URL

FYI @marko-lisica met with @georgekarrv and we decided to make this a smaller fix. Why? So we can ship it sooner. Refetching all host vitals is riskier. Potential for bugs in which Fleet clears host vitals unexpectedly.

noahtalerman avatar Apr 11 '25 19:04 noahtalerman

Timebox for the quick and dirty, if this explodes in any way becoming more complicated, raise that early and let's adjust.

georgekarrv avatar Apr 14 '25 17:04 georgekarrv

Merged a fix which clears the host_mdm row entry when a Windows hosts re-enrolls as a non-Windows host. In a dual boot scenario where the windows host later comes back, upon the next fetch the Windows MDM details will be returned by OSQuery and show up in the UI again.

JordanMontgomery avatar Apr 23 '25 12:04 JordanMontgomery

QA Test Results

Confirmed the mdm details are cleared when erasing the device but leaving the host record in Fleet.

Confirmed in a dual boot scenario Windows MDM details return after osquery runs.

Image Image

PezHub avatar Apr 27 '25 14:04 PezHub

Windows to Linux, MDM details refreshed, Clear view in the cloud.

fleet-release avatar May 23 '25 12:05 fleet-release