Windows MDM Fix Manual Detection #17721

Merged
merged 15 commits into from Mar 21, 2024

@dantecatalfamo dantecatalfamo commented Mar 19, 2024

#15565

Checklist for submitter

  • Changes file added for user-visible changes in changes/ or orbit/changes/.
    See Changes files for more information.
  • Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements)
  • Added support on fleet's osquery simulator cmd/osquery-perf for new osquery data ingestion features.
  • Added/updated tests
  • Manual QA for all new/changed functionality

Replace the use of the isFederated registry key with keys that check
for AAD (Azure Active Directory, now Entra ID)

Federated enrollment (isFederated) seems to be when Windows uses a
Discovery MDM endpoint to get its policy and management endpoint
configuration. This is always the case when a client is enrolled with
Fleet, so installations always show up as automatic.

It's being replaced by a different key, `AADResourceID`, which appears
to identify the resource that controls the automated deployment. In my
tests it only appears to be populated when the computer is enrolled
through automated deployments. This key appears on both Windows 10 and
11.

There is a similar key, `AADTenantID`, which appears to identify the
client (tenant) to the Azure cloud. I haven't seen this ID in our
systems, so it is likely exclusively used in Azure. Both this key and
`AADResourceID` seem to always be set at the same time, so we only
check for the `AADResourceID`.

I've also added documentation on the registry keys I've analyzed in
the previous commit for future reference.
@dantecatalfamo dantecatalfamo requested review from rachaelshaw and a team as code owners March 19, 2024 19:07

@roperzh roperzh left a comment

nice fix! for the changes file please see

roperzh previously approved these changes Mar 19, 2024

@roperzh roperzh left a comment

-- in order to account for hosts that might not have this
-- key, and servers
WHERE COALESCE(e.state, '0') IN ('0', '1', '2')
LIMIT 1;
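
Review bot: `LIMIT 1` follows the `WHERE` clause with no `ORDER BY`, so if more than one row can satisfy `COALESCE(e.state, '0') IN ('0', '1', '2')` the row returned is arbitrary; add an ordering, or say in the comment why at most one row is expected. The comment could also state what the states '0', '1' and '2' mean, since a missing `e.state` is treated as '0' and passes the filter.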

sanity-checking: have you generated this using make generate-docs?

codecov bot commented Mar 19, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 65.61%. Comparing base (b10d1db) to head (1efab39).
Report is 14 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #17721      +/-   ##
==========================================
- Coverage   65.68%   65.61%   -0.07%     
==========================================
  Files        1193     1193              
  Lines      108031   108031              
  Branches     2574     2574              
==========================================
- Hits        70955    70885      -70     
- Misses      31707    31764      +57     
- Partials     5369     5382      +13     
Flag Coverage Δ
backend 66.62% <100.00%> (-0.08%) ⬇️


@dantecatalfamo dantecatalfamo changed the title Windows entra id detection Windows MDM Fix Manual Detection Mar 19, 2024
roperzh previously approved these changes Mar 19, 2024

@roperzh roperzh left a comment

ah, I missed that there are still doc changes for docs/Using Fleet/Understanding-host-vitals.md 😅 , sorry about that!

@dantecatalfamo

> ah, I missed that there are still doc changes for docs/Using Fleet/Understanding-host-vitals.md 😅 , sorry about that!

Oh no so I can bring them back? 😭

roperzh previously approved these changes Mar 20, 2024
roperzh commented Mar 20, 2024

@dantecatalfamo

> Oh no so I can bring them back? 😭

sounds good, sorry about that! I'll be on the watch and approve again after you do that.

roperzh previously approved these changes Mar 20, 2024
@dantecatalfamo dantecatalfamo merged commit bd3e775 into main Mar 21, 2024
23 checks passed
@dantecatalfamo dantecatalfamo deleted the windows-entra-id-detection branch March 21, 2024 19:09