Windows end-user auth SSO browser window opens behind Autopilot OOBE screen during Intune-managed enrollment #38467
Description
Summary
When Windows devices are still managed by Intune MDM and going through Autopilot OOBE enrollment, the Fleet end-user authentication SSO browser window opens behind the Autopilot enrollment screen. Users cannot see the Fleet sign-in prompt without using ALT+Tab, causing confusion and enrollment failures.
Impact
- 24 devices affected in a single onboarding session
- 8 devices stuck on "Apps (Identifying)" even after users found and completed Fleet sign-in
- Significant disruption to new hire onboarding globally
Environment
- Fleet Server version: 4.78.3 (upgraded ~Jan 12-13)
- Orbit version: 1.50.1 (deployed via PatchMyPC/Intune - had been deployed for some time)
- Scenario: Windows devices enrolled in Intune MDM, with Fleet agent (Orbit) installing during Autopilot enrollment
- Fleet server:
enable_end_user_authentication: trueconfigured undermacos_setup
Root Cause Analysis
This feature requires both server and agent support:
| Component | Version | Role |
|---|---|---|
| Fleet Server | 4.77+ | Returns ErrEndUserAuthRequired to agent, enabling Windows/Linux end-user auth |
| Orbit Agent | 1.50.1+ | Client-side support to open SSO browser when server returns auth required error |
Key insight: The Orbit agent (1.50.1) had been deployed for some time without issue. The behavior only manifested after the Fleet server was upgraded to 4.78.x, which enabled the server-side support for Windows/Linux end-user authentication.
The agent was essentially "dormant" waiting for the server to support this capability. Once the server was upgraded to 4.77+, the enrollment endpoint started returning ErrEndUserAuthRequired, triggering the SSO browser popup on Windows.
Browser Window Issue
The browser window is opened via cmd.exe /c start {url}:
https://github.com/fleetdm/fleet/blob/main/orbit/cmd/orbit/orbit.go#L2479-L2488
case "windows":
unescapedAmpsRegex := regexp.MustCompile(`([^\\^])&`)
browserURL = unescapedAmpsRegex.ReplaceAllString(browserURL, "${1}^&")
cmdLine := fmt.Sprintf("/c start %s", browserURL)
opts := []execuser.Option{
execuser.WithArg(cmdLine, ""),
}
if _, err := execuser.Run("cmd.exe", opts...); err != nil {
return fmt.Errorf("opening windows browser: %w", err)
}During Autopilot OOBE, the enrollment screen runs in a restricted kiosk-like environment. The browser window spawned by cmd.exe /c start does not get foreground focus and appears behind the OOBE modal.
Expected Behavior
The SSO browser window should either:
- Open in foreground with focus (using Windows API to force foreground)
- Be displayed within a Fleet-controlled dialog/window that has proper z-order
- Not trigger during Intune-managed Autopilot enrollment (detect OOBE context)
- Clarify in documentation that
enable_end_user_authenticationundermacos_setupnow also affects Windows/Linux enrollment (this was not obvious from the setting name/location)
Workaround (current)
We are temporarily excluding Fleet from installing during enrollment while this is investigated.
Additional Context
This issue primarily affects customers who:
- Have not yet migrated MDM to Fleet (still Intune-managed)
- Deploy Fleet agent during Autopilot enrollment via Intune
- Have
enable_end_user_authentication: trueconfigured - Recently upgraded Fleet server to 4.77+
The enable_end_user_authentication setting location under macos_setup is misleading - it now affects Windows and Linux as well (as of server 4.77 + agent 1.50.1). This behavioral change was not immediately apparent from the configuration structure.
Related
- Orbit 1.50.1 changelog: "Added support for requiring end-user authentication before enrolling Windows and Linux devices"
- Fleet 4.77 changelog: Server-side support for Windows/Linux end-user authentication
- PR End-user authentication for Window/Linux setup experience: agent #34847: End-user authentication for Window/Linux setup experience: agent
- PR Fix how Orbit opens browser window for end-user auth #35877: Fix how Orbit opens browser window for end-user auth (partial fix)