From 7cfea0787e6568be88b023468cff7bdb65745791 Mon Sep 17 00:00:00 2001 From: Marcos Oviedo Date: Mon, 31 Jul 2023 12:12:06 -0300 Subject: [PATCH] Windows Installer changes to support MDM Azure flow (#13025) This relates to #12600 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. - [X] Manual QA for all new/changed functionality --- changes/issue-12600-azure-install-support | 1 + orbit/pkg/packaging/windows_templates.go | 46 +++++++++++++++++++++-- server/service/microsoft_mdm.go | 10 ++--- 3 files changed, 49 insertions(+), 8 deletions(-) create mode 100644 changes/issue-12600-azure-install-support diff --git a/changes/issue-12600-azure-install-support b/changes/issue-12600-azure-install-support new file mode 100644 index 0000000000..c0c56642a3 --- /dev/null +++ b/changes/issue-12600-azure-install-support @@ -0,0 +1 @@ +* Adding support to install Fleetd after enrolling through Azure account diff --git a/orbit/pkg/packaging/windows_templates.go b/orbit/pkg/packaging/windows_templates.go index fcbe8df002..d56031fc62 100644 --- a/orbit/pkg/packaging/windows_templates.go +++ b/orbit/pkg/packaging/windows_templates.go @@ -54,6 +54,9 @@ var windowsWixTemplate = template.Must(template.New("").Option("missingkey=error + + + 
@@ -96,7 +99,7 @@ var windowsWixTemplate = template.Must(template.New("").Option("missingkey=error Start="auto" Type="ownProcess" Description="This service runs Fleet's osquery runtime and autoupdater (Orbit)." - Arguments='--root-dir "[ORBITROOT]." --log-file "[System64Folder]config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.log"{{ if .FleetURL }} --fleet-url "{{ .FleetURL }}"{{ end }}{{ if .FleetCertificate }} --fleet-certificate "[ORBITROOT]fleet.pem"{{ end }}{{ if .EnrollSecret }} --enroll-secret-path "[ORBITROOT]secret.txt"{{ end }}{{if .Insecure }} --insecure{{ end }}{{ if .Debug }} --debug{{ end }}{{ if .UpdateURL }} --update-url "{{ .UpdateURL }}"{{ end }}{{ if .UpdateTLSServerCertificate }} --update-tls-certificate "[ORBITROOT]update.pem"{{ end }}{{ if .DisableUpdates }} --disable-updates{{ end }}{{ if .Desktop }} --fleet-desktop --desktop-channel {{ .DesktopChannel }}{{ if .FleetDesktopAlternativeBrowserHost }} --fleet-desktop-alternative-browser-host {{ .FleetDesktopAlternativeBrowserHost }}{{ end }}{{ end }} --orbit-channel "{{ .OrbitChannel }}" --osqueryd-channel "{{ .OsquerydChannel }}"' + Arguments='--root-dir "[ORBITROOT]." 
--log-file "[System64Folder]config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.log" --fleet-url "[FLEET_URL]"{{ if .FleetCertificate }} --fleet-certificate "[ORBITROOT]fleet.pem"{{ end }}{{ if .EnrollSecret }} --enroll-secret-path "[ORBITROOT]secret.txt"{{ end }}{{if .Insecure }} --insecure{{ end }}{{ if .Debug }} --debug{{ end }}{{ if .UpdateURL }} --update-url "{{ .UpdateURL }}"{{ end }}{{ if .UpdateTLSServerCertificate }} --update-tls-certificate "[ORBITROOT]update.pem"{{ end }}{{ if .DisableUpdates }} --disable-updates{{ end }}{{ if .Desktop }} --fleet-desktop --desktop-channel {{ .DesktopChannel }}{{ if .FleetDesktopAlternativeBrowserHost }} --fleet-desktop-alternative-browser-host {{ .FleetDesktopAlternativeBrowserHost }}{{ end }}{{ end }} --orbit-channel "{{ .OrbitChannel }}" --osqueryd-channel "{{ .OsquerydChannel }}"' > + Impersonate="no" /> + + + + (NOT UPGRADINGPRODUCTCODE) AND (REMOVE="ALL") NOT Installed AND NOT WIX_UPGRADE_DETECTED + NOT Installed @@ -223,6 +239,7 @@ var windowsPSInstallerUtils = template.Must(template.New("").Option("missingkey= [switch] $uninstallOsquery = $false, [switch] $uninstallOrbit = $false, [switch] $stopOrbit = $false, + [string] $updateSecret = "", [switch] $help = $false ) @@ -434,13 +451,14 @@ function Test-Administrator function Do-Help { $programName = (Get-Item $PSCommandPath ).Name - Write-Host "Usage: $programName (-uninstallOsquery|-uninstallOrbit|-stopOrbit|-help)" -foregroundcolor Yellow + Write-Host "Usage: $programName (-uninstallOsquery|-uninstallOrbit|-stopOrbit|-updateSecret|-help)" -foregroundcolor Yellow Write-Host "" Write-Host " Only one of the following options can be used. Using multiple will result in " Write-Host " options being ignored." Write-Host " -uninstallOsquery Uninstall Osquery" Write-Host " -uninstallOrbit Uninstall Orbit" Write-Host " -stopOrbit Stop Orbit" + Write-Host " -updateSecret Update Orbit secret" Write-Host " -help Shows this help screen" Exit 1 
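Review bot: The new `Arguments` line passes `--fleet-url "[FLEET_URL]"` unconditionally, so an install that does not supply the FLEET_URL public property (a package built without a Fleet URL and installed by hand rather than through the MDM command line) hands orbit an empty `--fleet-url ""` unless the property definition the first hunk presumably adds carries a default — those added lines did not survive in this rendering, so please confirm. `--enroll-secret-path "[ORBITROOT]secret.txt"` is still gated on the build-time `.EnrollSecret`, so a secret delivered at install time through FLEET_SECRET/`-updateSecret` is only read if the package was built with an enroll secret; if that is intended, say so in a template comment next to the `{{ if .EnrollSecret }}` guard. The `windowsWixTemplate` declaration starts outside this hunk.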
@@ -489,6 +507,20 @@ function Stop-Orbit { Start-Sleep -Milliseconds 1000 } +#Updates Orbit secret +function Update-OrbitSecret { + + # Ensuring secret file is not empty + if (-not ([string]::IsNullOrEmpty($updateSecret)) -and ($updateSecret -ne "dummy")) + { + Write-Host "Updating secret" + $targetSecretFile = $Env:Programfiles + "\\Orbit\\secret.txt" + Set-Content -NoNewline -Path $targetSecretFile -Value $updateSecret + + Start-Sleep -Milliseconds 1000 + } +} + #Revove Orbit footprint from registry and disk function Force-Remove-Orbit { @@ -717,6 +749,14 @@ function Main { Write-Host "Orbit was stopped." -foregroundcolor Cyan Exit 0 + } elseif (-not ([string]::IsNullOrEmpty($updateSecret))) { + Write-Host "About to update Orbit secret." -foregroundcolor Yellow + + Update-OrbitSecret + + Write-Host "Orbit secret update was called." -foregroundcolor Cyan + Exit 0 + } else { Write-Host "Invalid option selected: please see -help for usage details." -foregroundcolor Red Do-Help diff --git a/server/service/microsoft_mdm.go b/server/service/microsoft_mdm.go index e0ac9f2ebd..ae7f218676 100644 --- a/server/service/microsoft_mdm.go +++ b/server/service/microsoft_mdm.go @@ -1576,7 +1576,7 @@ func (svc *Service) getConfigProfilesToEnforce(ctx context.Context, commandID *i // installed only the first time the message is issued. // FleetURL and FleetSecret properties are passed to the Fleet MSI // See here for more information: https://learn.microsoft.com/en-us/windows/win32/msi/command-line-options - installCommandPayload := ` + installCommandPayload := ` @@ -1584,10 +1584,10 @@ func (svc *Service) getConfigProfilesToEnforce(ctx context.Context, commandID *i - 7D127BA8F8CC5937DB3052E2632D672120217D910E271A58565BBA780ED8F05C + 9F89C57D1B34800480B38BD96186106EB6418A82B137A0D56694BF6FFA4DDF1A - /quiet FleetURL="` + fleetEnrollUrl + `" FleetSecret="` + globalEnrollSecret + `" + /quiet FLEET_URL="` + fleetEnrollUrl + `" FLEET_SECRET="` + globalEnrollSecret + `" 10 1 5 
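Review bot: `Update-OrbitSecret` writes the secret with `Set-Content` and no error handling, and the `"dummy"` sentinel makes it silently do nothing, so neither outcome is visible to the caller; change the write to `Set-Content -NoNewline -Path $targetSecretFile -Value $updateSecret -ErrorAction Stop` inside a try/catch and return `$false` on failure or when the sentinel is hit. The path literal `"\\Orbit\\secret.txt"` is not unescaped by PowerShell (backslash is not an escape character in double-quoted strings), so the result contains doubled separators; `$targetSecretFile = Join-Path $Env:ProgramFiles "Orbit\secret.txt"` is the clean form. Worth a comment above the function that the secret arrives as a command-line argument and will therefore appear in process-creation and script-block logs where those are enabled, and that the written file inherits the Program Files ACL unless the MSI sets one — confirm whether standard users can read it. The unconditional `Start-Sleep -Milliseconds 1000` has no stated purpose; either document why it is needed or drop it.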
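Review bot: The new `elseif` branch prints "Orbit secret update was called." and exits 0 regardless of whether `Update-OrbitSecret` actually wrote the file (the `"dummy"` sentinel and any `Set-Content` failure both go unnoticed), so an installer or MDM step driving this script cannot tell a missing secret from success. Have `Update-OrbitSecret` return a boolean and exit non-zero on failure: `if (-not (Update-OrbitSecret)) { Write-Host "Orbit secret update failed." -foregroundcolor Red; Exit 1 }`. `Main`'s body continues outside the hunk.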
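Review bot: The context comment `// FleetURL and FleetSecret properties are passed to the Fleet MSI` is now stale, since the enforcement command line a few lines below switches to `FLEET_URL` and `FLEET_SECRET`; update it to `// FLEET_URL and FLEET_SECRET are public MSI properties (upper-case so msiexec accepts them on the command line) passed to the Fleet MSI`. The XML markup of the `installCommandPayload` literal did not survive this rendering, so the changed `installCommandPayload :=` line itself cannot be reviewed here. `getConfigProfilesToEnforce` starts outside this hunk.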
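Review bot: The `/quiet FLEET_URL="..." FLEET_SECRET="..."` line builds an msiexec command line by string concatenation, so a `"` (or a trailing backslash before the closing quote) in `fleetEnrollUrl` or `globalEnrollSecret` would break the argument quoting and the install would fail or misparse; `html.EscapeString` on the whole payload (visible in the last hunk) protects the SyncML XML, not this inner quoting, so either reject those characters where the URL and secret are set or state the precondition in a comment at this line. The new SHA-256 `9F89C57D…` and the ProductCode GUID used in the LocURIs below pin one specific MSI build and must be updated together whenever the base installer is rebuilt; lifting both into named constants next to the payload (e.g. `const fleetdBaseMSISHA256 = "9F89C57D1B34800480B38BD96186106EB6418A82B137A0D56694BF6FFA4DDF1A"`) keeps that coupling visible. The enclosing function starts outside this hunk.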
@@ -1599,7 +1599,7 @@ func (svc *Service) getConfigProfilesToEnforce(ctx context.Context, commandID *i ` + getNextCmdID(commandID) + ` - ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7Bf5645004-3214-46ea-92c2-48835689da06%7D/DownloadInstall + ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7BA427C0AA-E2D5-40DF-ACE8-0D726A6BE096%7D/DownloadInstall @@ -1607,7 +1607,7 @@ func (svc *Service) getConfigProfilesToEnforce(ctx context.Context, commandID *i ` + getNextCmdID(commandID) + ` - ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7Bf5645004-3214-46ea-92c2-48835689da06%7D/DownloadInstall + ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7BA427C0AA-E2D5-40DF-ACE8-0D726A6BE096%7D/DownloadInstall ` + html.EscapeString(installCommandPayload) + `
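Review bot: The ProductCode GUID `A427C0AA-E2D5-40DF-ACE8-0D726A6BE096` is now spelled out in two LocURIs (this hunk and the one at -1607) and must match the ProductCode of the MSI whose hash is pinned in the enforcement payload; hoist it to a single constant, e.g. `const fleetdBaseMSIProductCode = "A427C0AA-E2D5-40DF-ACE8-0D726A6BE096"`, and build both paths with `"./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B" + fleetdBaseMSIProductCode + "%7D/DownloadInstall"`, so a rebuilt MSI cannot leave one of the two pointing at the old product. The function body continues outside the hunk.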