Commit graph

23488 commits

Author SHA1 Message Date
Rachael Shaw
9d9b2066f0 Update rest-api.md 2026-04-16 12:02:39 -05:00
Rachael Shaw
beb7e49292 Update role-based-access.md 2026-04-16 11:56:30 -05:00
Rachael Shaw
da8fe74038 Merge branch 'main' into hackathon-bubbles-rest-api-changes 2026-04-16 11:54:45 -05:00
Rachael Shaw
c783ac75b5
Simplify explanation of fleet-level user permissions (#43676) 2026-04-16 11:53:56 -05:00
Rachael Shaw
fb6dbc50e3 Update role-based-access.md 2026-04-16 11:35:08 -05:00
Rachael Shaw
de3551b15a Update rest-api.md 2026-04-16 11:35:05 -05:00
Rachael Shaw
e1a669ced6 Update bubble to show a different badge for endpoints accessible via token 2026-04-16 11:35:00 -05:00
Victor Lyuboslavsky
e6894ebaa2
Added Qodo configuration (#43668) 2026-04-16 11:31:05 -05:00
Rachael Shaw
b51cd89ecd
Permissions: Fix stray reference to "queries" (#43674) 2026-04-16 11:14:46 -05:00
Adam Baali
5a660613db
Add and document fallback script for wiping Windows devices (#42230)
Add fallback wipe script for Windows hosts (#34994)

When Fleet's built-in Windows wipe action fails (MDM command returns
status 500, device not wiped), there is no documented fallback. This PR
adds a script that can be run via Fleet to wipe the device when the
native wipe fails.

## Changes

- `docs/solutions/windows/scripts/wipe-windows-device.ps1` - Fallback
wipe script
- `articles/lock-wipe-hosts.md` - Reference to fallback script added
under Windows wipe section

## What the script does

1. Validates and repairs WinRE if disabled (confirmed root cause of wipe
failures in #34994)
2. Checks Component Store integrity via DISM
3. Suspends BitLocker for one reboot cycle
4. Triggers wipe via WMI-to-CSP bridge (`doWipeProtected`, falls back to
`doWipe`), bypassing the MDM command queue

Fully unattended. No user interaction required. Exits 0 on success, 1 on
failure.

## Context

Every fully unattended Windows wipe method uses the same RemoteWipe CSP.
There is no alternative Windows API. This script adds value by fixing
the root causes before calling the wipe, and by bypassing the MDM
command queue where server-side failures (DB timeouts, auth errors) can
occur.

Closes #34994

## Summary by CodeRabbit

* **New Features**
  * Added an administrator-only Windows device wipe utility that performs
    staged system checks (recovery environment, system health, and disk
    protection), attempts to suspend drive protection for a reboot, invokes
    multiple local wipe triggers with fallbacks, creates a timestamped audit
    log of actions, and provides clear success/failure summaries with likely
    causes and suggested next steps.

---------

Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: CodeRabbit <noreply@coderabbit.ai>
2026-04-16 11:49:53 -04:00
Rachael Shaw
91af5462c5
Merge branch 'main' into hackathon-bubbles-rest-api-changes 2026-04-16 10:48:30 -05:00
Rachael Shaw
62c41fa5b2
Website: Update callout box to use styles from the product, and update bubble component for displaying role types (#43651)
+ Update bubble component to use for displaying roles in REST API docs
+ Update callout box to reflect styles in the product, and create a new
mixin for consistent styling

(Adding the actual bubbles to the REST API docs will be done in a
separate PR, figured we could get these changes merged in first since it
might take a while to verify that the role permissions are documented
accurately.)

#### Screenshot of style changes in the REST API docs:
<img width="1057" height="444" alt="Screenshot 2026-04-15 at 5 59 44 PM"
src="https://github.com/user-attachments/assets/1478b4d0-f610-4f87-a72f-2b08af917484"
/>


## Summary by CodeRabbit

* **New Features**
  * Role bubbles can be clickable links for specific roles and show hover
    interactions.

* **Style**
  * Redesigned bubble visuals (typography, padding, border, radius,
    colors) with distinct role variants.
  * Added hover transition for role-linked bubbles.
  * Consolidated "tip" block styling across the site for consistent layout
    and spacing.
  * Minor spacing tweak for bubbles in documentation.

---------

Co-authored-by: Eric <eashaw@sailsjs.com>
2026-04-16 10:38:38 -05:00
Rachael Shaw
a0eb6d7d48 Update rest-api.md 2026-04-16 10:36:59 -05:00
Juan Fernandez
f791f4b309
Allow the creation of API-only users (#43440)
**Related issues:** 
- Resolves #42882 
- Resolves #42880 
- Resolves #42884 

# Changes

- Added POST /users/api_only endpoint for creating API-only users.
- Added PATCH /users/api_only/{id} for updating existing API-only users.
- Updated `fleetctl user create --api-only` removing email/password
field requirements.
2026-04-16 11:11:39 -04:00
fleet-release
19a1a1044e
Update Fleet-maintained apps (#43663)
Automated ingestion of latest Fleet-maintained app data.

## Summary by CodeRabbit

## Release Notes

* **Chores**
  * Updated version metadata for Egnyte Desktop to support version 1.16.0
  * Updated version metadata for Keka to support version 1.6.3

Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
2026-04-16 10:08:31 -05:00
Rachael Shaw
87694877ff Merge branch '2026-hackathon-bubbles' into hackathon-bubbles-rest-api-changes 2026-04-16 10:01:47 -05:00
Rachael Shaw
31d386b53c Merge branch '2026-hackathon-bubbles' of https://github.com/fleetdm/fleet into 2026-hackathon-bubbles 2026-04-16 10:01:26 -05:00
Rachael Shaw
0fb356d94f Simplify bubble (no longer need uncertain type) 2026-04-16 10:01:17 -05:00
Eric
bf49ad9cf8
lint fixes 2026-04-16 09:56:45 -05:00
Adam Baali
6d708ef67e
Migrate CIS benchmarks to docs/solutions/cis/ with production-ready profiles, scripts, and policies (#43657)
## Summary

Migrates CIS benchmark files from `ee/cis/` to `docs/solutions/cis/` in
Fleet GitOps-compatible format, with configuration profiles, remediation
scripts, and policy queries for macOS 13/14/15, Windows 10/11, and
Windows 11 Intune.

**The original AI-generated content (commits 1–4) contained critical
errors that would cause silent deployment failures.** Commits 5–10 are a
systematic review that validates every CSP path, Apple payload key, and
script against official vendor documentation — fixing 30+ issues.

---

## What was wrong and why

### 1. Windows XML profiles used wrong SyncML format (would be rejected by Fleet)

The AI generated full SyncML protocol envelopes
(`<SyncML><SyncBody><CmdID>…<Final/>`), but Fleet expects flat
`<Replace><Item>…</Item></Replace>` blocks — the same format used in
[`docs/solutions/windows/configuration-profiles/`](https://github.com/fleetdm/fleet/tree/main/docs/solutions/windows/configuration-profiles).
Every production Fleet profile (e.g., [`enforce device password and lock
requirements –
[Bundle].xml`](https://github.com/fleetdm/fleet/blob/main/docs/solutions/windows/configuration-profiles/enforce%20device%20password%20and%20lock%20requirements%20%E2%80%93%20%5BBundle%5D.xml))
uses this flat format. This is the same class of error [reported by
@AdamBaali in
#42748](https://github.com/fleetdm/fleet/issues/42748#issuecomment-4223794562)
when testing the `numa` AI-generated security baseline.

**Fix:** Rewrote all 13 XML files to match Fleet's expected format.

### 2. Six Audit CSP names were fabricated (`LogonLogoff_` prefix doesn't exist)

The AI used `Audit/LogonLogoff_AuditLogon` etc., but the [Microsoft
Audit Policy CSP
documentation](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-audit)
specifies the prefix `AccountLogonLogoff_` — e.g.,
`Audit/AccountLogonLogoff_AuditLogon`. Using the wrong prefix returns
HTTP 500 from the MDM server.

**Fix:** Corrected all 6 across 3 platform variants (18 replacements).

### 3. Three Apple Intelligence profiles used fabricated payload keys

The AI invented keys that don't exist in [Apple's device-management
reference](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.applicationaccess.yaml):

| Profile | AI-generated (fabricated) | Correct per Apple reference |
|---------|--------------------------|----------------------------|
| Extensions | `allowIntelligenceExtensions` | `allowExternalIntelligenceIntegrations` |
| Mail | `com.apple.mail` / `allowMailIntelligence` | `com.apple.applicationaccess` / `allowMailSmartReplies` + `allowMailSummary` |
| Notes | `com.apple.mobilenotes` / `allowNotesIntelligence` | `com.apple.applicationaccess` / `allowNotesTranscription` + `allowNotesTranscriptionSummary` |

These profiles would deploy silently but enforce nothing — the keys
would be ignored by macOS. The corresponding policy SQL queries also
referenced the fabricated keys, so compliance checks would never pass
even with the profile applied.

**Fix:** Corrected keys, domains, and the corresponding policy SQL
queries so compliance checks match what the profiles actually enforce.

### 4. Firewall CSP used wrong URI prefix

AI used `./Device/Vendor/MSFT/Firewall/MdmStore/…` but [Microsoft's
Firewall CSP
documentation](https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp)
and Fleet's own production profiles use
`./Vendor/MSFT/Firewall/MdmStore/…`.

**Fix:** Updated all firewall URIs across 3 platform variants.

### 5. Wrong SIDs in user rights deny policies

CIS 2.2.16 (Deny access from network) and 2.2.20 (Deny RDP logon)
require denying both **Guests** (`S-1-5-32-546`) and **Local account**
(`S-1-5-113`). The AI only included Guests. This is the same error
[identified by @AdamBaali in
#42748](https://github.com/fleetdm/fleet/issues/42748#issuecomment-4223794562)
where the `numa` baseline used `S-1-2-0` (wrong SID entirely).

**Fix:** Added `S-1-5-113` to both XML profiles and PS1 scripts.

### 6. macOS scripts had runtime-breaking bugs

Scripts copied from `ee/cis/` originals contained issues that would
cause failures when deployed via Fleet:

| Issue | Scripts affected | Impact |
|-------|-----------------|--------|
| Hardcoded `<username>` placeholder | CIS_6.1.1, CIS_6.3.6, CIS_2.11.1, CIS_2.6.2 | Shell error — `<username>` parsed as redirect |
| Missing `chmod 0440` on sudoers drop-ins | CIS_5.4, CIS_5.5 | macOS sudo silently ignores files without 0440 perms |
| `sudo IFS=$'\n'` doesn't set IFS in current shell | CIS_5.1.5, CIS_5.1.6, CIS_5.1.7 | Word splitting breaks on paths with spaces |
| Unsafe temp files (`./tmp.txt` in CWD) | CIS_3.2, CIS_3.3, CIS_3.4 | Race condition, fails in read-only CWD |
| Missing shebang | CIS_2.6.1.2 | May use wrong shell interpreter |
| `not_always_working` scripts with `<password>` | CIS_2.10.1, CIS_2.10.2 | Could never work in automated deployment |

**Fix:** Rewrote scripts with dynamic user enumeration, `mktemp`, proper
IFS, `visudo` validation. Removed `not_always_working` scripts.

### 7. Policy YAML formatting bugs and spelling

- **Computer Browser policy** (win-10, win-11): `resolution: |` was on
the same line as description text, causing YAML to swallow the entire
resolution into the description — no remediation steps shown.
- **Set Time and Date policy** (macOS 13/14/15): Empty `description:`
parsed as `null`.
- 14 spelling errors across macOS and Windows YAML (`existance`,
`Extention` ×8, `recomendation`, `bellow`, `enableds`, `addess` ×2,
etc.)
- Filename inconsistencies: `on-device-dictiation-enabled` (typo),
`2.8.1.disable` (dots vs dashes)

---

## Verification methodology

Every CSP OMA-URI and Apple payload key was validated against official
vendor documentation:

| Category | Count | Source | Result |
|----------|-------|--------|--------|
| [Audit CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-audit) | 27 | Microsoft docs | 6 corrected |
| [UserRights CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-userrights) | 27 | Microsoft docs | All verified correct |
| [LocalPoliciesSecurityOptions CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions) | 27 | Microsoft docs | 1 format corrected |
| [Firewall CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp) | 14 | Microsoft docs | All correct (after path fix) |
| [Defender CSP](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender) | 9 | Microsoft docs | All verified correct |
| [Apple applicationaccess](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.applicationaccess.yaml) | 13 profiles | Apple device-management repo | 3 corrected |
| Fleet GitOps YAML | 1,857 policies | [Fleet GitOps docs](https://fleetdm.com/docs/configuration/yaml-files) | 2 format bugs fixed |
| Fleet XML format | 13 files | [`docs/solutions/windows/`](https://github.com/fleetdm/fleet/tree/main/docs/solutions/windows/configuration-profiles) | Reformatted to match |
| Fleet blocked CSPs | — | `server/fleet/windows_mdm.go` | No conflicts |
| [#43598](https://github.com/fleetdm/fleet/issues/43598) glob bug | 305 files | Filename scan | No `*`, `?`, `[`, `{` in any filename |

## Commits

1. `89d9418` — Copy CIS benchmarks to docs/solutions/cis/ in
GitOps-compatible format
2. `bbabb13` — Restructure with policies/, configuration-profiles/,
scripts/ subdirs
3. `00004f4` — Promote test artifacts, add Contents to READMEs
4. `786591f` — Add configuration profiles and scripts to all CIS
benchmark platforms
5. `0a47a53` — Fix macOS scripts (username placeholders, sudoers perms,
IFS, temp files, shebang, dictation typo, remove broken scripts)
6. `4efbd40` — Reformat all 13 Windows XML profiles to Fleet's flat
Replace/Item format, fix Firewall CSP paths, fix SIDs
7. `f0abb66` — Fix 6 Audit CSP names: `LogonLogoff_` →
`AccountLogonLogoff_`
8. `bfb0f95` — Fix `SmartCardRemovalBehavior` format type (`int` →
`chr`)
9. `4cbb33e` — Fix 3 Apple Intelligence profiles (fabricated keys → real
Apple keys), fix YAML formatting bugs
10. `d3a0031` — Fix spelling (14 corrections), naming conventions,
policy-profile key alignment

## Current state

| Platform | Policies | Config Profiles | Scripts |
|----------|----------|-----------------|---------|
| macOS 13 | 1 YAML (111 policies) | 46 .mobileconfig | 43 .sh |
| macOS 14 | 1 YAML (111 policies) | 47 .mobileconfig | 43 .sh |
| macOS 15 | 1 YAML (113 policies) | 43 .mobileconfig | 44 .sh |
| Windows 10 | 1 YAML (510 policies) | 4 SyncML XML | 5 .ps1 |
| Windows 11 | 1 YAML (555 policies) | 4 SyncML XML | 5 .ps1 |
| Windows 11 Intune | 3 YAML (457 policies) | 5 SyncML XML | 2 .ps1 |

The source files in `ee/cis/` are intentionally left untouched.

https://claude.ai/code/session_01DUqJK6iJ8MWMdz2d25ZTNW

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-04-16 16:16:22 +02:00
Eric
be14f7c10d
Website: Add webinar article template page. (#43627)
Changes:
- Added support for a new article category: `webinar`.
- Added a template page for webinar articles.
- Added an additional route for webinar articles that users are taken to
to watch the webinar recording.
- Added `deliver-webinar-access-request`, an action that updates CRM
records when users fill out the form on the webinar template page.
- Updated the accepted `intentSignal` values in the
create-historical-event helper.
- Added an article for the "Beyond the hype, practical AI for device
management" webinar.

## Summary by CodeRabbit

* **New Features**
  * Public webinar pages (/webinars/:slug and /watch) with optional
    embedded video and a new page template, script, and styles.
  * Sidebar signup form (first name, last name, work email) with prefill
    for signed-in users and improved scroll behavior.
  * POST API to request webinar access: validates email domain, records a
    webinar-request event, triggers background CRM sync, and returns a watch
    view on success.
  * Static-site build now recognizes webinar articles and enforces
    embedded-video URL validation.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-16 09:14:28 -05:00
fleet-release
0cf1ea7ca8
Update Fleet-maintained apps (#43662)
Automated ingestion of latest Fleet-maintained app data.

## Summary by CodeRabbit

* **Chores**
  * Updated version metadata for 12 managed applications to reflect their
    latest releases: Adobe DNG Converter, Claude, Connect Fonts, Dialpad,
    Google Chrome, Google Drive, Keka, Lens, Opera, WhatsApp, Windsurf, and
    Zed. Updates include version numbers, installer artifacts, and
    verification checksums.

Co-authored-by: allenhouchins <32207388+allenhouchins@users.noreply.github.com>
2026-04-16 08:56:44 -05:00
fleet-release
ac76d8da36
Update Fleet-maintained apps (#43636)
Automated ingestion of latest Fleet-maintained app data.

## Summary by CodeRabbit

## Release Notes

* **Chores**
  * Updated supported versions for multiple applications: Cursor, Dialpad,
    GitKraken, Google Chrome, JetBrains Toolbox, Notion, OneDrive, Signal,
    Spotify, and Yubico Authenticator. Newer versions of these applications
    are now available for download and installation.

Co-authored-by: mostlikelee <16102903+mostlikelee@users.noreply.github.com>
2026-04-16 08:44:34 -05:00
Rachael Shaw
2bc3e1ada4 Merge branch '2026-hackathon-bubbles' into hackathon-bubbles-rest-api-changes 2026-04-15 17:59:16 -05:00
Rachael Shaw
bd78b0594f Merge branch '2026-hackathon-bubbles' of https://github.com/fleetdm/fleet into 2026-hackathon-bubbles 2026-04-15 17:58:34 -05:00
Rachael Shaw
a84e617f0b Update icon-info-16x16@2x.png 2026-04-15 17:58:10 -05:00
Rachael Shaw
88bc6be88c
Remove unnecessary new line in REST API docs to reduce diff 2026-04-15 17:56:05 -05:00
Rachael Shaw
3cf4a42f32 Fix syntax errors 2026-04-15 17:55:17 -05:00
Rachael Shaw
7472f3018a Add back some bubbles 2026-04-15 17:50:14 -05:00
Rachael Shaw
5e20b64cc8 Revert the actual bubbles added to rest API docs 2026-04-15 17:49:14 -05:00
Rachael Shaw
98c3b4f27f Role bubbles link to roles in guide 2026-04-15 17:44:08 -05:00
Rachael Shaw
5391ee4c99 More bubbles 2026-04-15 17:06:48 -05:00
Rachael Shaw
985cff9b8c Green bubbles 2026-04-15 17:03:37 -05:00
Rachael Shaw
6df8bee837 Make the .tip-blocks gray 2026-04-15 17:03:26 -05:00
Rachael Shaw
d50263fb52 Consolidate [purpose='tip'] styles into a mixin 2026-04-15 16:47:03 -05:00
Rachael Shaw
819c50ca8a Tweak the bubble styles and order; still green 2026-04-15 16:00:10 -05:00
Rachael Shaw
ac1c59d416 Change all the bubbles to green 2026-04-15 15:23:26 -05:00
Rakkfalen
3ef0a3f289
Fix typo in intent signals processing section (#43619) 2026-04-15 15:16:18 -05:00
Rachael Shaw
656237d7df bubble styles round 1, looking a little bit clowncore 2026-04-15 15:06:00 -05:00
melpike
13ec5674f6
Missed AMB UI instances (#43506)
Missed a few AMB UI instances as part of [Rename Apple Business Manager
(ABM) to Apple Business (AB) in
UI](https://github.com/fleetdm/fleet/issues/42512)

**Related issue:**
https://github.com/fleetdm/fleet/issues/42512#issuecomment-4238323552

## Summary by CodeRabbit

* **Documentation**
  * Updated user-facing text and messaging across Apple Business Manager
    integration pages, including modal titles, instructional content, and
    setup guides
  * Refined terminology, formatting, and punctuation throughout tooltip
    content, administrative configuration descriptions, and user guidance
  * Adjusted messaging and instructional text in Apple Business Manager
    and VPP settings pages
2026-04-15 13:52:14 -06:00
Noah Talerman
1fe982a7ed
Move APNs instructions out of UI and into guides (#43434)
- @noahtalerman: For the following quick win:
  - https://github.com/fleetdm/fleet/issues/43435
2026-04-15 14:44:34 -05:00
Allen Houchins
7980b636a0
Update workstations.yml (#43620) 2026-04-15 11:41:52 -05:00
Allen Houchins
a4019b08ce
Update patch-fleet-maintained-apps.yml (#43618) 2026-04-15 10:46:12 -05:00
Allen Houchins
e6bc0d0b95
Update patch-fleet-maintained-apps.yml (#43617) 2026-04-15 10:39:26 -05:00
Allen Houchins
f6087a3998
Update patch-fleet-maintained-apps.yml (#43615) 2026-04-15 10:24:09 -05:00
Allen Houchins
6ba08e2bc0
Update patch-fleet-maintained-apps.yml (#43614) 2026-04-15 10:18:09 -05:00
Allen Houchins
2b8f67a072
Revert "Temporarily disable FMA patch policies" (#43612)
Reverts fleetdm/fleet#43611
2026-04-15 09:53:51 -05:00
Allen Houchins
31e8300670
Temporarily disable FMA patch policies (#43611)
Comment out the patch-fleet-maintained-apps.yml entries for macOS and
Windows in it-and-security/fleets/workstations.yml. This temporarily
disables the FMA patch policies (kept as commented lines with a TEMP
note) to allow re-establishing the Fleet Maintained Apps software state.
2026-04-15 09:49:53 -05:00
Allen Houchins
f0bdd0498f
Remove several x86 Windows apps, labels and policies (#43608)
Remove several x86-only Fleet-maintained Windows applications and their
associated dynamic labels and patch policies. Changes touch:

- it-and-security/fleets/workstations.yml: removed fleet app entries for
Brave, Docker Desktop, GitHub Desktop, Postman, Sublime Text, Spotify,
Figma, Google Drive, and Cursor.
- it-and-security/lib/all/labels/windows-with-fleet-maintained-apps-installed.yml:
removed the matching x86 dynamic labels.
- it-and-security/lib/windows/policies/patch-fleet-maintained-apps.yml:
removed the corresponding patch policies for those apps.

This cleans up configuration related to x86-only Windows apps (labels
previously filtered on arch NOT LIKE 'ARM%').
2026-04-15 09:26:38 -05:00
johnjeremiah
2d4501af58
Adding Video Hosting details (#43532)
Added details about adding a video to the hosting platform
2026-04-15 09:19:24 -05:00