Windows MDM Fix Manual Detection #17721
Replace the use of the `isFederated` registry key with keys that check for AAD (Azure Active Directory, now Entra ID)

Federated enrollment (`isFederated`) seems to be when Windows uses a Discovery MDM endpoint to get its policy and management endpoint configuration. This is always the case when a client is enrolled with Fleet, so installations always show up as automatic.

It's being replaced by a different key, `AADResourceID`, which appears to identify the resource that controls the automated deployment. In my tests it only appears to be populated when the computer is enrolled through automated deployments. This key appears on both Windows 10 and 11.

There is a similar key, `AADTenantID`, which appears to identify the client (tenant) to the Azure cloud. I haven't seen this ID in our systems, so it is likely exclusively used in Azure. Both this key and `AADResourceID` seem to always be set at the same time, so we only check for the `AADResourceID`.

I've also added documentation on the registry keys I've analyzed in the previous commit for future reference.
nice fix! for the changes file please see Changes files
✨
-- in order to account for hosts that might not have this | ||
-- key, and servers | ||
WHERE COALESCE(e.state, '0') IN ('0', '1', '2') | ||
LIMIT 1; |
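Review bot: `LIMIT 1` follows the `WHERE` clause directly, with no `ORDER BY` between them, so if more than one row of `e` passes the state filter, which row is returned is unspecified. Either add an explicit ordering or state in the comment that at most one matching row is expected. The comment above the filter explains why `COALESCE(e.state, '0')` defaults a missing value, but not what the accepted states `'0'`, `'1'` and `'2'` mean; a short note on each value would make the filter reviewable from this file alone.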
sanity-checking: have you generated this using `make generate-docs`?
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## main #17721 +/- ##
==========================================
- Coverage 65.68% 65.61% -0.07%
==========================================
Files 1193 1193
Lines 108031 108031
Branches 2574 2574
==========================================
- Hits 70955 70885 -70
- Misses 31707 31764 +57
- Partials 5369 5382 +13
ah, I missed that there are still doc changes for `docs/Using Fleet/Understanding-host-vitals.md` 😅, sorry about that!
Oh no so I can bring them back? 😭
sounds good, sorry about that! I'll be on the watch and approve again after you do that.
#15565
Checklist for submitter
- `changes/` or `orbit/changes/`. See Changes files for more information.
- `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)
- `cmd/osquery-perf` for new osquery data ingestion features.