fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Enable scripts for Windows hosts that automatically enroll to Fleet #17528

Open noahtalerman opened 4 months ago

noahtalerman commented 4 months ago

Goal

User story
As a Client Platform Engineer (CPE) who turned on Windows MDM,
I want to automatically enable scripts for my Windows hosts that automatically enroll
so that I can run PowerShell scripts against my hosts w/o having to deploy a new fleetd w/ the --scripts-enabled flag.

Context

Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.
noahtalerman commented 3 months ago

Pulling notes from the issue description into a comment here:

  1. Check if the fleetd-base.msi package that gets installed for automatic enrollment was built with the --enable-scripts flag. Is there another solution for this? What about customer-ufa who uses the base fleetd but doesn't want scripts.

  2. Enable for manual enrollment. We can't find any additional logic that would enable scripts post facto if you didn't build your installer with scripts enabled.

georgekarrv commented 3 months ago

Hey team! Please add your planning poker estimate with Zenhub @dantecatalfamo @ghernandez345 @gillespi314 @mna

noahtalerman commented 2 months ago

Hey @georgekarrv heads up, I pulled this story back onto the drafting board knowing we have 61 points in remaining capacity for the upcoming sprint.

Let's discuss during today's sprint planning call.

valentinpezon-primo commented 1 month ago

Hi,

I saw that this issue was related to #18461. I'm afraid that enabling scripts only will not do the job, since the script only locks out local accounts. In some cases there are no local accounts but only remote accounts when using AzureAD.

Is it possible to include remote accounts in the testing of the lock script?

thanks ! (fyi @nonpunctual )

zayhanlon commented 1 month ago

@noahtalerman ^ for QA / testing of workflows

noahtalerman commented 1 month ago

Heads up @georgekarrv and @PezHub, testing request from Valentine here.

cc @zayhanlon

georgekarrv commented 1 month ago

While that doesn't pertain to this ticket we can certainly investigate and create a corresponding ticket if that is the case

valentinpezon-primo commented 1 month ago

While that doesn't pertain to this ticket we can certainly investigate and create a corresponding ticket if that is the case

Hi @georgekarrv, this current issue (https://github.com/fleetdm/fleet/issues/17528) was created after this one, "Windows lock script doesn't work in some scenarios #18461", after the comment made here (https://github.com/fleetdm/fleet/issues/18461#issuecomment-2120593890). In my understanding, locking remote users that are managed by AzureAD is a "scenario".

I thought this current issue was related to fix the AzureAD flow 🤔

Thanks!

dantecatalfamo commented 1 month ago

@noahtalerman Looking for context on this issue. What do you mean by run scripts on hosts without --scripts-enabled? I thought the purpose of the flag was so that hosts could choose to not enable scripts? Should all hosts enrolled in MDM have scripts enabled regardless of the flag? Thanks! 🙂

noahtalerman commented 1 month ago

Hey @valentinpezon-primo! Thanks for follow up.

Let's move this conversation over to the "Windows lock script doesn't work..." issue here: #18461

dantecatalfamo commented 1 month ago

This could be a side-car issue for https://github.com/fleetdm/fleet/issues/19219. Then we could add --scripts-enabled to the msiexec auto enrollment.

noahtalerman commented 1 month ago

What do you mean by run scripts on hosts without --scripts-enabled? I thought the purpose of the flag was so that hosts could choose to not enable scripts? Should all hosts enrolled in MDM have scripts enabled regardless of the flag? Thanks!

@dantecatalfamo and I hopped on a call and we updated this story. It now covers turning on scripts for Windows hosts that automatically enroll.

To turn on scripts for hosts that manually enroll, IT admins will install fleetd that was generated w/ the --scripts-enabled=true flag or pass SCRIPTS_ENABLED=true as a parameter in the install script (msiexec).
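As an added example of the manual-enrollment path described in the comment above (this is not Fleet's own code or installer script), the following PowerShell performs an unattended install of fleetd-base.msi with scripts enabled and then checks that the agent service is running. It assumes the MSI property name SCRIPTS_ENABLED as named in this thread (the FLEET_URL and FLEET_SECRET property names, the "Fleet osquery" service name, the Fleet URL and the log path are likewise assumptions to confirm against the installer you actually ship); the enroll secret is read from an environment variable so it does not sit in the script body.

```powershell
# Added example (not Fleet's own code): unattended install of fleetd-base.msi
# with scripts enabled, followed by a post-install check.
# Assumptions: MSI property names SCRIPTS_ENABLED (as named in this thread),
# FLEET_URL and FLEET_SECRET; the service name "Fleet osquery"; placeholder
# Fleet URL and log path. Confirm these against the shipped MSI before use.
param(
    [string]$MsiPath      = "C:\Temp\fleetd-base.msi",
    [string]$FleetUrl     = "https://fleet.example.com",   # placeholder
    [string]$EnrollSecret = $env:FLEET_ENROLL_SECRET,      # keep the secret out of the script
    [string]$LogPath      = "C:\Temp\fleetd-install.log"
)

if (-not (Test-Path $MsiPath)) { throw "MSI not found: $MsiPath" }
if ([string]::IsNullOrEmpty($EnrollSecret)) { throw "FLEET_ENROLL_SECRET is not set" }

# Quiet install with a verbose log; SCRIPTS_ENABLED is the parameter discussed above.
$msiArgs = @(
    "/i", "`"$MsiPath`"",
    "/qn", "/norestart",
    "/l*v", "`"$LogPath`"",
    "FLEET_URL=`"$FleetUrl`"",
    "FLEET_SECRET=`"$EnrollSecret`"",
    "SCRIPTS_ENABLED=true"
)
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

# msiexec: 0 = success, 3010 = success but a reboot is pending; anything else failed.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
}

# Post-install check: the fleetd service should exist and be running.
$svc = Get-Service -Name "Fleet osquery" -ErrorAction SilentlyContinue
if ($null -eq $svc -or $svc.Status -ne "Running") {
    throw "fleetd service is not running after install; check $LogPath"
}
Write-Host "fleetd installed with scripts enabled (service '$($svc.Name)' is $($svc.Status))."
```

The service check only proves the agent came up; to confirm that scripts are actually on, open the host in Fleet and verify that the run-script action is enabled, which is the same check the QA note later in this thread performs.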

noahtalerman commented 1 month ago

pass SCRIPTS_ENABLED=true as a parameter in the install script (msiexec).

Since the work to add the SCRIPTS_ENABLED parameter is being done as part of this story, we can remove this requirement from the following story:

FYI @marko-lisica @dantecatalfamo

noahtalerman commented 1 month ago

FYI @nonpunctual ^^

roperzh commented 3 weeks ago

@georgekarrv @dantecatalfamo want to call out that having this fixed for the customer requires coordinating two different releases:

  1. fleetd-base.msi, which generally gets updated only with fleetd releases
  2. fleetctl + fleet release (which happens at our regular cadence)

edit: and we can't release fleetd-base.msi until we fix https://github.com/fleetdm/fleet/issues/19176 which is blocked by https://github.com/fleetdm/fleet/issues/19182

georgekarrv commented 2 weeks ago

Since this requires the 2 blocked tickets to be complete for end users to see the effects, we will hold this ticket from the 4.53 milestone, skip it, and QA it in the next release when those other tickets are already complete.

roperzh commented 1 week ago

This is not blocked anymore and should be ready to test. No special setup needed.

samleb commented 2 days ago

Hello @noahtalerman! What's the situation on this ticket, please? We're about to launch Autopilot in beta, and this is the last blocking bit. Thank you very much 🙏

noahtalerman commented 1 day ago

Hey @samleb! It looks like we're targeting shipping this in Fleet 4.54.

If it's helpful, you can tell by looking at the milestone in the issue here.

cc @zayhanlon @georgekarrv

zayhanlon commented 1 day ago

@samleb you can check our meeting agenda as well :) i know you had a conflict on Monday's call, but all top priority issues are updated there

PezHub commented 1 day ago

QA Notes: Wiped my Surface Laptop and fresh enrolled via Azure AD and confirmed the run script action was enabled. Successfully executed a PowerShell script. QA Approved.