fleet icon indicating copy to clipboard operation
fleet copied to clipboard
verified publisher icon fleetdm

Fleet Desktop app not showing on Windows Task Bar after MDM enrollment

Open nonpunctual opened this issue 10 months ago • 17 comments

Fleet version: 4.64.2

Web browser and operating system: N/A

💥  Actual behavior

customer-fourier reports the following:

  1. After completing the setup experience and logging into Windows, the Fleet app does not appear in the System Tray. However, it does show up after a reboot.
  2. After leaving a Fleet enrolled Windows laptop on overnight, the Fleet app did not appear in the System Tray upon login the next morning. A reboot was required to make it visible again.
Image

Windows version:

Image

🧑‍💻  Steps to reproduce

  1. Enroll a Windows host to Fleet via AutoPilot
  2. Check Task Bar for Fleet Desktop app icon
  3. If not seen, restart to see if it appears

🕯️ More info (optional)

Customer has reported this on Win hardware. Unable to reproduce this on Windows vm running the following:

Image

Product designer: @marko-lisica

The fleetd icon should appear in the system tray after automatic enrollment (AutoPilot) without the need to restart.

nonpunctual avatar Mar 21 '25 20:03 nonpunctual

Hi @nonpunctual , I haven't been able to reproduce this on hardware or a VM. Couple questions -

After completing the setup experience and logging into Windows, the Fleet app does not appear in the System Tray. However, it does show up after a reboot.

  1. what do they mean by setup experience? are they manually enrolling with an msi or via Azure AD
  2. do they have their own TUF server?

Either way, if they are able to reproduce after each windows enrollment, it would be helpful to grab their orbit logs.

PezHub avatar Mar 26 '25 04:03 PezHub

They are using Win Autopilot.

nonpunctual avatar Mar 26 '25 13:03 nonpunctual

@georgekarrv as discussed at standup, did some digging into the code.

For Windows, we check if fleetd is present and enqueue its installation if not here: https://github.com/fleetdm/fleet/blob/0ff016aa2ab6e6bc9a991f67138edd6574c02098/server/service/microsoft_mdm.go#L1430-L1442

Note that detection of whether fleetd is installed or not is known to be flawed, see comments in the function https://github.com/fleetdm/fleet/blob/0ff016aa2ab6e6bc9a991f67138edd6574c02098/server/service/microsoft_mdm.go#L1291

But since this bug is about fleet desktop specifically (I assume fleetd itself does get installed), this detection function is probably fine in this case.

The fleetd installed is downloaded from https://download.fleetdm.com/stable/meta.json, but I haven't found in the code whether this build includes Fleet Desktop or not (@lucasmrod might know, this build might be part of the deployments we do to TUF?). But given that this issue mentions seeing Fleet Desktop after a reboot, it looks unlikely that the issue is due to not sending Fleet Desktop as part of the installed fleetd package.

mna avatar Mar 26 '25 17:03 mna

TY, or also @dantecatalfamo ^ if they are aware if / when fleet desktop would be included in the install for Windows Autopilot

georgekarrv avatar Mar 26 '25 18:03 georgekarrv

Oh man it's been a long time. I think Windows Autopilot uses the fleetd-base.msi version of fleetd and requires special msiexec launch flags to install desktop, but I never worked with it directly so I'm not 100% sure.

dantecatalfamo avatar Mar 26 '25 19:03 dantecatalfamo

I don't currently have a way to test AutoPilot but I can confirm that fleetd installed on a fresh windows install via Azure AD join which I believe behaves the same way as far as Fleet is concerned. If we could get orbit logs from the customer the next time they run thru the enrollment workflow and see the bug that would be helpful @nonpunctual

PezHub avatar Mar 27 '25 16:03 PezHub

Linked to Unthread ticket:

Bugs in Fleet user-facing app on Windows 11 #5131

Sampfluger88 avatar Mar 28 '25 19:03 Sampfluger88

After setting up AutoPilot in our dogfood environment I was able to reproduce the issue on my VM. The device enrolls, "the space" is there in the taskbar tray, but no fleet logo is present. After a restart the fleet logo appears and opens the expected My Device Window in a browser.

Here's a video of the AutoPilot workflow with the bug

I've attached orbit logs but not sure that will help since I see the fleet desktop.exe ran after enrollment and again after a restart

2025-03-31T10:21:55-07:00 INF opening path="C:\\Program Files\\Orbit\\bin\\desktop\\windows\\stable\\fleet-desktop.exe"
2025-03-31T10:21:55-07:00 INF killing any pre-existing fleet-desktop instances

orbit-osquery.log

PezHub avatar Mar 31 '25 17:03 PezHub

@PezHub, I see you are assigned. If this is an agent issue, feel free to pass it to orchestration. I'll assign MDM for now. cc @georgekarrv

sharon-fdm avatar Apr 01 '25 14:04 sharon-fdm

Hey team! Please add your planning poker estimate with Zenhub @getvictor @ghernandez345 @gillespi314 @mna

georgekarrv avatar Apr 02 '25 16:04 georgekarrv

adding fleetd logs as well but those don't reveal much either. Here's a screenshot of the empty space where the fleet icon normally appears. Clicking on it does not launch it.

Fleet.zip

Image

PezHub avatar Apr 04 '25 18:04 PezHub

I am still digging into this but the logs so far reveal something interesting:

  1. Orbit attempts to run fleet-desktop:
2025-04-04T10:49:57-07:00 INF killing any pre-existing fleet-desktop instances
  1. Fleet desktop launches(entire log below):
2025-04-04T10:49:57-07:00 INF fleet-desktop version=1.40.1
2025-04-04T10:49:57-07:00 INF got a TUF update root: C:\Program Files\Orbit\.
2025-04-04T10:49:57-07:00 INF Comm channel was acquired

What's missing is the usual call to onReady() which logs "ready" and continues the init process

Current working theory is perhaps the session is not yet in a state where we can launch the desktop app for some reason but I am still digging into why this could be and how we can detect it

JordanMontgomery avatar Apr 07 '25 15:04 JordanMontgomery

After some more investigation this is a bug in the Systray library we use. I have filed an Issue https://github.com/fyne-io/systray/issues/95 and associated PR https://github.com/fyne-io/systray/pull/96

In my testing I am able to repro this more often if I pause for a moment at the Windows Hello PIN setup screen, likely because it extends whatever this invalid early initialization state is just long enough for the agent to be downloaded and installed. If I go through that screen really fast the agent often does't complete installation until I am already looking at the desktop and then it works just fine.

JordanMontgomery avatar Apr 10 '25 00:04 JordanMontgomery

After discussion in standup, went with a more generic fix which is to add a 1 minute timeout for the tray app startup onReady() callback to be called. If this is not called we log a fatal error which exits the tray app and orbit will restart it. If it gets into a bad state during initialization this gets it sorted out in my testing and generally fast enough the user wouldn't even notice. Note that you still may see the blank space where you'd expect the icon for up to a minute given this implementation

JordanMontgomery avatar Apr 10 '25 19:04 JordanMontgomery

Invisible at dawn, Fleet icon blooms with reboot, Windows' silent song.

fleet-release avatar Apr 10 '25 21:04 fleet-release

Fleet icon, unseen, After enrollment's complete, Reboot brings light, serene.

fleet-release avatar Apr 10 '25 21:04 fleet-release

QA Test Results

Confirmed that when the fleet icon does not appear (or a blank space in its place) after Autopilot enrollment, orbit will restart fleetd and the icon appears in the tray within a minute and successfully launches the My device page in a browser. A system reboot is no longer required.

PezHub avatar Apr 10 '25 22:04 PezHub

Fleet icon hidden, Revealed with each new dawn, Ease found in AutoPilot's song.

fleet-release avatar Apr 11 '25 19:04 fleet-release