<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43885
Adds a migration and code to capture the value of the fleet managed
admin account if one exists. Changes file added for entire feature
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
## Database migrations
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [x] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Automatic password rotation for managed local admin accounts on macOS,
triggered after viewing activity.
* Provisioning now captures and persists the managed admin account
identifier (UUID) to support rotation and prevents that account from
being stored as a regular user.
* Hosts will request a best-effort recheck when the managed admin
identifier is not yet available.
* **Chores**
* Database schema updated to store rotation scheduling and pending
credential state.
* **Tests**
* Added tests covering UUID capture, conditional updates, migration, and
ingest behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
**Related issue:** Resolves#44127
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Removed the unused Windows Updates feature: ingestion, parsing,
persistence APIs, and detail query; added a migration to drop the
related database table.
* **Tests**
* Removed unit and integration tests for Windows update parsing,
ingestion, persistence, and query inclusion.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
- Added custom domain + ngrok setup instructions for local Autopilot
testing (Entra requires a verified domain, not raw ngrok URLs).
- Clarified that `FLEET_DEV_DOWNLOAD_FLEETDM_URL` is a server runtime
env var requiring `--dev` mode.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40809
**Orbit agent: key rotation replaces decrypt-then-re-encrypt:**
- When the disk is already encrypted, orbit now adds a new Fleet-managed
recovery key protector, removes old ones, and escrows the new key. The
disk is never decrypted.
- If key escrow fails, the rotated key is cached in memory and retried
on subsequent ticks without rotating again.
- Removes `DecryptVolume` and `decrypt()` (no longer called from
production code).
**Server: osquery query returns both protection_status and
conversion_status:**
- The `disk_encryption_windows` query now returns both columns instead
of just checking `protection_status = 1`. This lets the server correctly
identify a disk as encrypted via `conversion_status = 1` even when
`protection_status = 0`.
- New `directIngestDiskEncryptionWindows` function parses both values,
handles parse errors, and normalizes `protection_status = 2` (unknown)
to NULL.
**Server: new `bitlocker_protection_status` column and status logic:**
- Adds `bitlocker_protection_status` column to `host_disks` (DB
migration).
- When a disk is encrypted and key is escrowed but protection is off,
the host shows "Action required" with a detail message explaining the
issue, instead of misleadingly showing "Verified."
- `protection_status = 2` (unknown) and `NULL` (older orbit hosts) are
treated as protection on for backward compatibility.
- The `profiles_verified` and `profiles_verifying` branches in the
combined profiles+BitLocker summary now handle
`bitlocker_action_required`, counting those hosts as "pending".
Contributor docs updates: https://github.com/fleetdm/fleet/pull/43241
Public docs updates: https://github.com/fleetdm/fleet/pull/43243/changes
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## Database migrations
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* Fixed Windows BitLocker encryption/decryption request loop on systems
with secondary drives and auto-unlock.
* **New Features**
* Added BitLocker recovery key rotation capability, allowing safe key
updates without full disk re-encryption.
* Enhanced BitLocker protection status tracking to correctly display
"Action required" when protection is disabled.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Resolves#40396.
No changes file because there should be no user visible changes.
## Testing
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [X] Verified that fleetd runs on macOS, Linux and Windows
- [X] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
Instructions on how to test EAP-TLS with FreeRADIUS and micromdm/scep.
Links to [this guide](https://github.com/fleetdm/fleet/issues/42324)
(not merged yet).
---------
Co-authored-by: Steven Palmesano <3100993+spalmesano0@users.noreply.github.com>
Resolves#42185
## Summary
- Added `flatcar` and `coreos` to `HostLinuxOSs` in
`server/fleet/hosts.go`
- Added both to `HostNeitherDebNorRpmPackageOSs` (neither distro uses
deb or rpm)
- Added both to `HOST_LINUX_PLATFORMS` in
`frontend/interfaces/platform.ts`
- Added test cases in `server/fleet/hosts_test.go`
- Updated platform lists in
`docs/Contributing/product-groups/orchestration/understanding-host-vitals.md`
- Added changelog entry
## Problem
Flatcar Container Linux reports `platform=flatcar` and
`platform_like=coreos` via osquery's `os_version` table. Neither value
is in `HostLinuxOSs`, so `PlatformFromHost("flatcar")` returns `""` and
`RunsForPlatform` skips all Linux-platform-filtered detail queries.
**Symptoms:** Flatcar hosts enroll successfully, appear online, and
respond to live queries. But host details (private IP, disk space, etc.)
are never populated because the detail queries that collect this data
are never sent to the host.
## Context
Flatcar Container Linux is an immutable, container-optimized Linux
distribution (successor to CoreOS Container Linux). We deploy Fleet's
Orbit agent on Flatcar via systemd-sysext and have confirmed that all
osquery tables work correctly — the only gap was this platform string
not being recognized.
This follows the same pattern as prior platform additions: #19011
(tuxedo), #28977 (neon), #34357 (manjaro-arm).
## Changes file
- [x] Changes file added in `changes/`
## Checklist
- [x] Added/updated automated tests
- [x] Manual QA: Verified on Flatcar Container Linux 4459.2.4 with
osquery 5.21.0 and Orbit 1.53.0 — confirmed detail queries work after
patching `HostLinuxOSs` locally
- [x] No database migrations needed
- [x] No endpoint changes
- [x] No backward compatibility concerns (additive change only)
**Related issue:** Resolves#36799, Sub-task: #41556
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<img width="924" height="278" alt="Screenshot 2026-03-16 at 10 46 38 AM"
src="https://github.com/user-attachments/assets/313b6650-a849-4bc2-ba14-a62d3d13b60c"
/>
<img width="1441" height="300" alt="Screenshot 2026-03-16 at 10 46
44 AM"
src="https://github.com/user-attachments/assets/915cfd26-168f-4621-bcf5-6c26c40e5faf"
/>
<img width="1923" height="788" alt="Screenshot 2026-03-16 at 10 54
04 AM"
src="https://github.com/user-attachments/assets/62356a3e-84fe-4561-b7ad-0a35c9db3b2a"
/>
<img width="2529" height="483" alt="Screenshot 2026-03-16 at 10 47
02 AM"
src="https://github.com/user-attachments/assets/4dc51073-2c24-4934-bd9d-c5ee648d5ae1"
/>
Tested that with latest released fleetd (1.53.0), we still ingest the
available disk space. There's about 5% difference in the UI vs in the
macOS "Get Info" dialog (expected, since we use the old query, now
called `disk_space_darwin_legacy`):
<img width="267" height="306" alt="Screenshot 2026-03-17 at 8 47 22 AM"
src="https://github.com/user-attachments/assets/73fc1eef-a32c-4d8d-a9ca-13980885f8fe"
/>
<img width="883" height="407" alt="Screenshot 2026-03-17 at 8 47 33 AM"
src="https://github.com/user-attachments/assets/98851b9b-82a8-4ac8-af5c-dbb878f85fad"
/>
<img width="159" height="127" alt="Screenshot 2026-03-17 at 8 47 40 AM"
src="https://github.com/user-attachments/assets/209f784a-29a8-4af5-b95d-0f9bd59917c9"
/>
Also tested running with vanilla osquery by stopping fleetd and then
running osquery manually (adding the `--allow_unsafe` flag). Result is
same as above, `disk_space_darwin_legacy` is used:
<img width="1152" height="418" alt="Screenshot 2026-03-17 at 8 59 23 AM"
src="https://github.com/user-attachments/assets/2b34d23d-61de-4ec1-8d1c-2d3ddb682d11"
/>
<img width="893" height="414" alt="Screenshot 2026-03-17 at 8 59 28 AM"
src="https://github.com/user-attachments/assets/d28ee8fb-08c5-434f-abfa-3825b27ac73b"
/>
## Summary
- Adds a new macOS-only fleetd table `disk_space` that uses
`NSURLVolumeAvailableCapacityForImportantUsageKey` to report available
disk capacity including purgeable storage — matching what macOS shows in
Finder's "Get Info" dialog.
- Adds a new `disk_space_darwin` detail query that uses the new table
(with Discovery, so it only runs on hosts with fleetd ≥ 1.54.0).
- Restricts the existing `disk_space_unix` query to Linux only (darwin
was removed since the new query handles it).
- Adds schema documentation for the new table.
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
**Related issue:** Resolves#40138
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
Installed:
```
go install golang.org/x/tools/cmd/goimports@latest
go install golang.org/x/tools/gopls@latest
go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
```
Validated:
```
osquery> SELECT * FROM go_packages;
+---------------+---------+-----------------------------------+-----------------------------------------------------+------------+----------------------------------+
| name | version | module_path | import_path | go_version | installed_path |
+---------------+---------+-----------------------------------+-----------------------------------------------------+------------+----------------------------------+
| goimports | v0.42.0 | golang.org/x/tools | golang.org/x/tools/cmd/goimports | go1.25.5 | /Users/josh/go/bin/goimports |
| golangci-lint | v1.64.8 | github.com/golangci/golangci-lint | github.com/golangci/golangci-lint/cmd/golangci-lint | go1.25.5 | /Users/josh/go/bin/golangci-lint |
| gopls | v0.21.1 | golang.org/x/tools/gopls | golang.org/x/tools/gopls | go1.25.5 | /Users/josh/go/bin/gopls |
+---------------+---------+-----------------------------------+-----------------------------------------------------+------------+----------------------------------+
```
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
This PR will remain in draft as a preview of upcoming documentation
changes for 4.82.0
---------
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Co-authored-by: Nico <32375741+nulmete@users.noreply.github.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#34620
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Bug Fixes
* Fixed an issue where macOS app names could become empty after removing
the ".app" extension. The app name extraction logic now correctly
handles edge cases, ensuring app names are properly ingested without
empty values.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38322
This PR utilizes the ping/status ticker that sees if the device is
Unmanaged (aka. not enrolled from a Fleet server perspective), if the
Migrate to Fleet flow before had set the `mdm_migration.txt` file, but
somehow not successfully unenrolled the device, we now keep sending it
if you trigger the modal again.
We wait 90seconds after start, so at most the user can go through the
flow every 90s, but the server has a hard limit on at most one webhook
every 3m, but still it means the user can wait a bit and retry and still
see the webhook gets sent now.
_PS: Updated the old migration test to go from 1,5m to ~2s execution
time with parallel and configurable waitForUnenrollment time (to allow
test to set lower values)
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
---------
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Resolves#35366
The false negative was caused by a mismatch in product name translation
for `acrobat_reader_dc`. The resolution required platform-specific logic
to accurately identify the "Document Cloud" (DC) variants.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38223
Retrospective action item from a prior sprint. Do we want to link this
somewhere like the bug template or is it enough to share it with our
customer-facing employees?
---------
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Resolves#37686.
Rolling back the detail query change in
527c2230e9.
The test in the original commit was not related to the change so I kept
it as it was added to make sure order of processing of query results.
I tested the ingested device ID matches the one in Entra and that Yes/No
compliant functionality works as expected.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
Resolves#36909.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
This PR will remain in draft as a preview of upcoming documentation
changes for 4.77.0
---------
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
Co-authored-by: Noah Talerman <noahtal@umich.edu>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Janis Watts <184028114+jmwatts@users.noreply.github.com>
Co-authored-by: Allen Houchins <32207388+allenhouchins@users.noreply.github.com>
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Carlo <1778532+cdcme@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#33907
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## Database migrations
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
~- [ ] Confirmed that updating the timestamps is acceptable, and will
not cause unwanted side effects.~ N/A
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Windows software inventory now includes upgrade code data for better
software identification and tracking.
* **Chores**
* Database schema updated to support upgrade code storage for software
titles and inventory records.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Addresses #31671
- [x] Changes file added for user-visible changes in `changes/`
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## Database migrations
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added total disk space metrics for all partitions on Linux hosts. The
disk space indicator now displays comprehensive storage information
including root partition and all other partitions, improving visibility
into host storage capacity.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
Fixes#34157. Seen on Steam games, which also don't have a bundle ID.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] QA'd all new/changed functionality manually
**Related issue:** Resolves#31397
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#33520
Recent changes to the users query accidentally introduced an ambiguous
column error with the vscode extensions query. Fixed the SELECT
statement in vscode_extensions to properly account for this
No changes file added since this is an unreleased bug and the feature
has a changes file
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
No automated tests in this area so no tests to update/add
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [x] Confirmed that the fix is not expected to adversely impact load
test results
