Migrate Windows hosts

[noahtalerman]

An "on" button in Fleet so you have control over when Windows workstations switch.

Edge cases

• What about offline hosts?
• What happens in between toggling?
• What about the folks that have ‘Windows MDM turned on’
• What happens to those fleetd enrolled Windows hosts?
• What does the reporting look like? (status of hosts that have not transitioned yet, and which have. What if some never check in? How will I know which have and which haven't?)

Goal

User story
As an IT admin,
I want to migrate my Windows hosts from my old MDM solution to Fleet w/o end user action
so that I can use Fleet to enforce configuration on these hosts.

• This is just about switching a Windows host's MDM solution from the old solution to Fleet. We don't need to migrate the host's settings/configuration.

Changes

Product

• [ ] UI changes: TODO
• [ ] CLI usage changes: TODO
• [ ] Permissions changes: TODO
• [ ] Outdated documentation changes: TODO
• [ ] Changes to paid features or tiers TODO

Engineering

• [ ] REST API changes: TODO
• [ ] Database schema migrations: TODO
• [ ] Documentation changes complete

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

Context

• Requestor(s): _____

QA

Risk assessment

• Requires load testing: TODO
• Risk level: Low / High TODO
• Risk description: TODO

Manual testing steps

1. Step 1
2. Step 2
3. Step 3

Testing notes

Confirmation

1. [ ] Engineer (@____): Added comment to user story confirming succesful completion of QA.
2. [ ] QA (@____): Added comment to user story confirming succesful completion of QA.

[noahtalerman]

Hey @zhumo taking this off the drafting board because we won't get to it in the next sprint. I added it to FF because I think we want to bring it back.

[noahtalerman]

Marcos: We can do this programmatically. fleetd will do the unenroll from the old MDM and turn on MDM again to talk to Fleet.

[zhumo]

If that’s the case, does this need to be done at all?

On Thu, Sep 14, 2023 at 12:19 PM Noah Talerman @.***> wrote:

Marcos: We can do this programmatically. fleetd will do the unenroll from the old MDM and turn on MDM again to talk to Fleet.

— Reply to this email directly, view it on GitHub https://github.com/fleetdm/fleet/issues/13667#issuecomment-1720009920, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABI4PYRQABT7CZZ7OFDHO6LX2NKCPANCNFSM6AAAAAA4IBL3LU . You are receiving this because you were mentioned.Message ID: @.***>

[noahtalerman]

Marcos: 2 scenarios: 1) device is not connected to Azure and 2) device is connected to Azure

1) Easier: Programmatically unenroll via Windows API => programmatically enroll via API (already do this)

2) Is it possible to do the migrate w/o logging the user out of the device? @marcosd4h can you please leave a comment w/ the Windows APIs we should use to test this?

• Noah: This is what we want to support

[marcosd4h]

The MDM programmatic APIS exposed by Windows SDK are detailed here.

We can use UnregisterDeviceWithManagement with an empty argument to unenroll the device from ongoing MDM server.

Then RegisterDeviceWithManagement, RegisterDeviceWithManagementUsingAADCredentials, and RegisterDeviceWithManagementUsingAADDeviceCredentials could be used to enroll the device to a different MDM server.

[noahtalerman]

Hey @dherder adn @pintomi1989 , we filed a separate user story for this request.

I removed this request from the feature fest board.

cc @rachaelshaw