## Summary
- Adds a new Fleet guide article for the community Intune-to-Fleet CSP
converter tool
- Covers how the tool works, prerequisites, step-by-step usage, result
monitoring, resolver map, customization, and troubleshooting
- Sets honest expectations upfront: ~70–75% policy coverage, community
tool (not official Fleet product)
## Changes
- `articles/migrating-intune-policies-to-fleet-csp-converter.md` — new
guide article
## Notes
- Tool repo: https://github.com/tux234/intune-to-fleet
- Modeled on the style of `creating-windows-csps` and the Okta Verify on
Windows guide
- Download links in the guide point to the external tool repo
---------
Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified tables for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
fixed file name
Fixes #40975.
- 8.0.32 (was running in Aurora managed cloud at the time) -> 8.0.39 (what
we're running now)
- 8.0.36 -> 8.0.44 (latest 8.0.x version supported by Aurora; holding off
on 8.0.45 until Aurora supports it)
- 8.4.7 -> 8.4.8
- 9.5.0 -> 9.6.0
Also bumped the supported Aurora version from 3.07.0 to 3.08.2 to match
what we're running in managed cloud right now
Fleet might work on older patch versions but we'll no longer dev/test on
them. MySQL 9.x not testing previous minor versions matches with our
previous approach for that version.
Since these are all patch/minor bumps (and the overnight build cases are
patch bumps/are covered by AWS envs) automated testing should be
sufficient here.
New Article by Team GrowthX
Date: 28-02-2026
cc @nonpunctual @ireedy @johnjeremiah
---------
Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
Closes: https://github.com/fleetdm/confidential/issues/14623
Changes:
- Updated the "GitOps: A strategic advantage for automation,
collaboration, and cost savings" guide article to use the latest version
of the GitOps workflow diagram.
- Updated the alt text on the GitOps workflow diagram on the
/fleet-gitops page
Updated the BYOD enrollment section to clarify that both profile-based
and account-driven enrollment methods are supported in Fleet, and added
a link to a guide for more information.
Closes: https://github.com/fleetdm/fleet/issues/40161
Closes: https://github.com/fleetdm/confidential/issues/14508
Changes:
- Added support for a new meta tag (`<meta
name="useBasicArticleTemplate" value="true">`) that will be used to
determine which template case study articles use.
- Updated the build-static-content script to not require
`summaryChallenge`, `summarySolution`, `summaryKeyResults`, and
`companyLogoFilename` meta tags for case study articles with a
`useBasicArticleTemplate` meta tag.
- Updated the view-case-study action to display case study articles with
a `useBasicArticleTemplate` meta tag on the basic-article template page
---------
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
This pull request updates the logic for selecting which user receives
maintenance window calendar events on hosts with multiple users. The
changes clarify and enforce a priority system for choosing the recipient
email, ensuring that IdP-sourced emails are preferred, followed by
Google Chrome profile emails. This affects both user-facing
documentation and backend implementation.
**User-facing behavior and documentation:**
* The end-user documentation now explicitly describes the email
selection priority for calendar event recipients: IdP Username email is
chosen first, then Google Chrome profile email, and if multiple Chrome
emails exist, the first alphabetically is selected.
**Backend logic and data selection:**
* The comment in `calendar_cron.go` is updated to match the new email
selection logic, explaining the prioritization of email sources for
host-user assignment.
* The SQL query in `policies.go` is refactored to implement the new
priority system for selecting user emails per host:
- IdP sources (`mdm_idp_accounts`, `idp`) are considered first,
- then Google Chrome profiles,
- then other sources.
- If multiple emails exist at the same priority, the first
alphabetically is chosen.
---------
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Juan Fernandez <juan-fdz-hawa@users.noreply.github.com>
Co-authored-by: Juan Fernandez <juan@fleetdm.com>
…nagement software
New Article by Team GrowthX
Date: 26-02-2026
cc @nonpunctual @ireedy @johnjeremiah
---------
Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
New Article by Team GrowthX
cc @nonpunctual @ireedy @johnjeremiah
Date: 26-02-2026
---------
Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
New Article by Team GrowthX
Date: 26-02-2026
cc @nonpunctual @ireedy @johnjeremiah
Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
New Article by Team GrowthX
Date: 26-02-2026
cc @nonpunctual @ireedy @nonpunctual
---------
Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
It feels odd looking at images that are completely text, instead of just
having the text on the page.
---------
Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
Extended the statistics payload to include arrays of Fleet-maintained
app slugs in use on macOS and Windows. Updated the datastore to query
and populate these fields, and documented the new fields in the usage
statistics article.
---------
Co-authored-by: Juan Fernandez <juan@fleetdm.com>
**Related issue:** Resolves #39558
---------
Co-authored-by: Rachael Shaw <r@rachael.wtf>
This PR will remain in draft as a preview of upcoming documentation
changes for 4.81.0
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: kitzy <kitzy@fleetdm.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Zach Wasserman <zach@fleetdm.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Co-authored-by: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com>
- `articles/custom-os-settings.md`: Added one sentence to the Windows
section: "For local testing on Windows,
[SyncMLViewer](https://github.com/okieselbach/SyncMLViewer/releases) is
a useful GUI tool for inspecting MDM traffic."
- `website/views/pages/os-settings.ejs`: Added a matching list item to
the Windows platform section on the `fleetdm.com/os-settings` page,
mirroring the iMazing mention in the Apple section.
While reviewing documentation as part of oncall responsibilities I noted
that there was no reference to Apple MDM migration in the migration
guide. I don't think we need to document it directly since Apple's
documentation is quite good here but it feels like it warrants a callout
link to MDM troubleshooting checklist
---------
Co-authored-by: Irena Reedy <205901210+irenareedy@users.noreply.github.com>
If we're comfortable with advertising the new role on the website a bit
early, I think adding the updated permissions table to `main` as soon as
possible will help avoid some nasty merge conflicts in upcoming release
branches.
Changes:
+ Copied over updated roles table from @melpike's
[PR](https://github.com/fleetdm/fleet/pull/37861)
+ Added "coming soon" note w/ link to the user story
---------
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
cc @drvcodenta @AdamBaali rather than combining (which I am probably
unqualified to do...) & potentially screwing up all of your brilliant
work I posted Adam's article as a blog
https://fleetdm.com/articles/threat-hunting-ai-agents-like-openclaw-with-automated-tooling.md
& placed a link to Dhruv's article on LinkedIn at the bottom. We can
probably do better but at least they are both out there. Thanks.
- Published part 2 of the OpenClaw series
- Updated meta description in part 1 and linked to part 2
Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
Changes:
- Fixed a broken link on /customers
(`/announcements/articles/global-workforce-management-company-achieves-compliance-and-clarity-with-fleet`
»
`/announcements/global-workforce-management-company-achieves-compliance-and-clarity-with-fleet`)
- Added a redirect for the security handbook page
- Fixed two broken links in articles
## New article: Why work laptops don't work on plane wifi
This article explores why work laptops often fail to connect properly on
plane wifi, and proposes that IT teams should consider making employee
laptops work on plane wifi by default.
### Key topics covered:
- Common frustrations with work laptops on inflight wifi
- Technical causes: VPN conflicts, DNS filtering, captive portal
blocking, certificate errors
- UX challenges: employees can't diagnose or fix issues mid-flight
- Potential solutions: split-tunnel VPNs, captive portal detection,
graceful security degradation
- References a LinkedIn discussion thread on this topic
### Article details:
- **Author:** Mike McNeil (mikermcneil)
- **Category:** articles
- **Word count:** ~750 words
- **File:** `articles/why-work-laptops-dont-work-on-plane-wifi.md`
---
Built for
[mikermcneil](https://fleetdm.slack.com/archives/D0AFASLRHNU/p1770982271436629)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
Related to:
- #35738
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
This guide shows how to deploy Okta Desktop MFA to Windows devices using
Fleet MDM, including:
- Fleet secrets configuration for OAuth credentials
- Software deployment with install/uninstall scripts
- Registry policy configuration for MFA enforcement
- Automated compliance monitoring and remediation
---------
Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
We designed the setup experience for manual enrollments for agent
install; we haven't got to the automatic piece.
Support for automatic enrollment + Autopilot is coming in this story:
https://github.com/fleetdm/fleet/issues/38785
- Clarify how often Fleet will prompt for enrollment.
- Warn that Safari may be needed.
---------
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Guide on how to add custom (private) app to Google Play Console and
deploy via Fleet.
---------
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Clarified the handling of special characters in Fleet variables for
configuration profiles
---------
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
**Related issue:** Resolves #39227
---------
Co-authored-by: Luke Heath <luke@fleetdm.com>
@ddribeiro After talking with Noah about troubleshooting and logs, I
thought it would be good if we created a user-facing guide for
troubleshooting. Our CSEs frequently send the same troubleshooting
information to customers when they report issues. We can empower
customers with one resource that they can work through, reducing the
significant amount of time in back-and-forth steps sent over Slack.
Also, we've talked about pulling the "Finding fleetd logs" section out
of the [Enroll hosts](https://fleetdm.com/guides/enroll-hosts) guide.
Perhaps when this is complete, we can link to this document from that
guide.
This certainly doesn't contain everything! Please bring the CSEs in to
flesh this out since they're in the day-to-day and have much more
knowledge regarding this than I do.
---------
Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
Corrected hyphenation and improved clarity in several sections. Enhanced
formatting for list items and headings.
---------
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Closes #38916
Related: #34993, #33985, fleetdm/confidential#13228
## Changes
**Article update** (`articles/windows-mdm-setup.md`)
- Adds "Migrating from another MDM solution" subsection under **Manual
enrollment** with overview of common migration issues and links to
remediation scripts
**New scripts** (`docs/solutions/windows/scripts/`)
- `reset-mdm-enrollment-flag.ps1` — Resets MmpcEnrollmentFlag blocking
MDM status after migration
- `remove-stale-mdm-enrollment-records.ps1` — Clears orphaned enrollment
GUIDs, AAD discovery cache, and MS DM Server cache
- `fix-workplace-join-configuration.ps1` — Re-enables
Automatic-Device-Join task and configures Workplace Join policies
- `remove-unreachable-wsus-configuration.ps1` — Removes unreachable WSUS
server config that breaks Windows Update
## Context
Customers migrating Windows hosts from Intune to Fleet have been hitting
recurring enrollment issues, MDM status stuck on "Off," enrollment
errors (`0x80190190`, `0x8018000a`), and Windows Update breakage from
leftover RMM agents. These scripts consolidate the workarounds from
multiple customer engagements into self-serve remediation that can be
deployed via **Controls > Scripts**.
---------
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>