From 58cb5434bb5e3be834fe7f7671e0fff4e6f494b6 Mon Sep 17 00:00:00 2001 
From: Adam Baali <45665341+AdamBaali@users.noreply.github.com> Date: Tue, 26 Aug 2025 13:52:07 +0200 Subject: [PATCH] Create scripts and policies dir and uploaded supported files for Article (#32307) # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes ## Testing - [ ] Added/updated automated tests - [ ] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [ ] QA'd all new/changed functionality manually For unreleased bug fixes in a release candidate, one of: - [ ] Confirmed that the fix is not expected to adversely impact load test results - [ ] Alerted the release DRI if additional load testing is needed ## Database migrations - [ ] Checked table schema to confirm autoupdate - [ ] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [ ] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). 
## New Fleet configuration settings - [ ] Setting(s) is/are explicitly excluded from GitOps If you didn't check the box above, follow this checklist for GitOps-enabled settings: - [ ] Verified that the setting is exported via `fleetctl generate-gitops` - [ ] Verified the setting is documented in a separate PR to [the GitOps documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485) - [ ] Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional) - [ ] Verified that any relevant UI is disabled when GitOps mode is enabled ## fleetd/orbit/Fleet Desktop - [ ] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) - [ ] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes - [ ] Verified that fleetd runs on macOS, Linux and Windows - [ ] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) --- .../BlockMDMUnenrollment.xml | 13 +++++++++ .../windows-fleet-hardening.policies.yml | 5 ++++ assets/scripts/windows-fleet-hardening.ps1 | 27 +++++++++++++++++++ 3 files changed, 45 insertions(+) create mode 100644 assets/configuration-profiles/BlockMDMUnenrollment.xml create mode 100644 assets/policies/windows-fleet-hardening.policies.yml create mode 100644 assets/scripts/windows-fleet-hardening.ps1 diff --git a/assets/configuration-profiles/BlockMDMUnenrollment.xml b/assets/configuration-profiles/BlockMDMUnenrollment.xml new file mode 100644 index 0000000000..acd5994f64 --- /dev/null +++ b/assets/configuration-profiles/BlockMDMUnenrollment.xml 
@@ -0,0 +1,13 @@
+
+ 25
+
+
+ ./Device/Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment
+
+
+ int
+ text/plain
+
+ 0
+
+
\ No newline at end of file
diff --git a/assets/policies/windows-fleet-hardening.policies.yml b/assets/policies/windows-fleet-hardening.policies.yml
new file mode 100644
index 0000000000..212403c239
--- /dev/null
+++ b/assets/policies/windows-fleet-hardening.policies.yml
@@ -0,0 +1,5 @@
+- name: Windows - Hide uninstall and modify options for Fleet osquery
+ platform: windows
+ description: "This policy checks if the uninstall and modify options are hidden for Fleet osquery by ensuring both the NoRemove and NoModify registry values are set to 1."
+ resolution: "As an IT admin, set the NoRemove and NoModify registry values to 1 under the Fleet osquery uninstall key to prevent users from uninstalling or modifying the agent."
+ query: SELECT CASE WHEN COUNT(*) = 1 THEN 1 ELSE 0 END AS compliant FROM registry nr JOIN registry d ON d.path = REPLACE(nr.path, '\NoRemove', '\DisplayName') JOIN registry nm ON nm.path = REPLACE(nr.path, '\NoRemove', '\NoModify') WHERE nr.path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%\NoRemove' AND d.data = 'Fleet osquery' AND nr.data = '1' AND nm.data = '1';
diff --git a/assets/scripts/windows-fleet-hardening.ps1 b/assets/scripts/windows-fleet-hardening.ps1
new file mode 100644
index 0000000000..0b3ce09f02
--- /dev/null
+++ b/assets/scripts/windows-fleet-hardening.ps1
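Review bot: Nothing in this PR verifies that the AllowManualMDMUnenrollment=0 setting actually applied; the companion policy only checks the uninstall-key NoRemove/NoModify values, so a host where the CSP was rejected or later reverted still shows as compliant. Consider a second policy that reads the policy's effective value (CSP settings are typically mirrored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Experience — confirm the exact key on a test host) so the article's "block unenrollment" claim is measurable. As I read the CSP, this setting only removes the user-initiated Disconnect action in Settings and is not a control against a local administrator, which the article should state plainly. The file also lacks a trailing newline.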
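Review bot: The `query:` line wraps the check in `SELECT CASE WHEN COUNT(*) = 1 THEN 1 ELSE 0 END AS compliant`, which always returns exactly one row; Fleet decides pass/fail by whether a policy query returns any rows, so this policy would report every Windows host as passing whether or not NoRemove/NoModify are set. Drop the aggregate and return a row only when the check holds, e.g. `query: SELECT 1 FROM registry nr JOIN registry d ON d.path = REPLACE(nr.path, '\NoRemove', '\DisplayName') JOIN registry nm ON nm.path = REPLACE(nr.path, '\NoRemove', '\NoModify') WHERE ... AND nr.data = '1' AND nm.data = '1';` with the WHERE clause unchanged. The exact match `d.data = 'Fleet osquery'` is also stricter than the prefix match `-like "Fleet osquery*"` the remediation script uses, so a DisplayName that carries a suffix would be hardened by the script but fail the policy; the two should agree. Note the `COUNT(*) = 1` form would additionally fail a host with both a 64-bit and a WOW6432Node entry, which is another reason to prefer the row-existence form.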
@@ -0,0 +1,27 @@
+# Prevents uninstall/change of Fleet osquery via Windows UI.
+# Sets NoRemove and NoModify = 1 under Fleet osquery uninstall entry.
+# Hides uninstall/change options across Control Panel and Settings > Apps.
+# Works on all Windows editions.
+
+$UninstallPaths = @(
+ "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
+ "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
+)
+
+$FleetEntry = Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
+ Where-Object { $_.DisplayName -like "Fleet osquery*" }
+
+if ($FleetEntry) {
+ Write-Output "[INFO] Fleet osquery found: $($FleetEntry.DisplayName)"
+ $RegKeyPath = $FleetEntry.PSPath
+
+ New-ItemProperty -Path $RegKeyPath -Name "NoRemove" -Value 1 -PropertyType DWord -Force | Out-Null
+ Write-Output "[SET] NoRemove = 1"
+
+ New-ItemProperty -Path $RegKeyPath -Name "NoModify" -Value 1 -PropertyType DWord -Force | Out-Null
+ Write-Output "[SET] NoModify = 1"
+
+ Write-Output "[DONE] Fleet osquery uninstall options hardened."
+} else {
+ Write-Output "[WARN] Fleet osquery not found. Nothing changed."
+}
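Review bot: The script exits 0 on every path, including the `[WARN] Fleet osquery not found. Nothing changed.` branch, and the two `New-ItemProperty` calls raise only non-terminating errors, so a Fleet script run that changed nothing (or failed to write HKLM) is still recorded as a success. Set `$ErrorActionPreference = 'Stop'` near the top and `exit 1` in the else branch so the result Fleet records matches what happened. The header comment "Prevents uninstall/change of Fleet osquery" also overstates the control: NoRemove/NoModify only hide the buttons in Control Panel and Settings, and an administrator can still remove the package directly (for example via msiexec or the entry's UninstallString), so the comment should describe it as a UI deterrent rather than tamper protection. "Works on all Windows editions" is not something the script demonstrates and is best dropped.

```powershell
# Hides the Uninstall/Change buttons for Fleet osquery in Control Panel and Settings > Apps
# by setting NoRemove and NoModify = 1 on its uninstall entry.
# This is a UI deterrent only: an administrator can still remove the package directly
# (e.g. via msiexec or the entry's UninstallString), so pair it with the MDM unenrollment block.
$ErrorActionPreference = 'Stop'   # make registry write failures terminate so Fleet records them

# … unchanged: $UninstallPaths, $FleetEntry lookup, NoRemove/NoModify writes …

} else {
    Write-Output "[WARN] Fleet osquery not found. Nothing changed."
    exit 1   # report the no-op as a failure instead of success
}
```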