Add Windows awaiting configuration

[getvictor]

Related issue: Resolves #42841

This change is just new columns in a table. No other functional changes.

Checklist for submitter

Testing

• Added/updated automated tests

Database migrations

• Checked schema for all modified table for columns that will auto-update timestamps during migration.

Summary by CodeRabbit

• New Features
  • Added tracking for Windows device enrollment configuration status, including timestamps indicating when devices entered the awaiting-configuration state to improve enrollment lifecycle management.

[getvictor]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[Copilot]

Pull request overview

Adds support for tracking when a Windows MDM enrollment is “awaiting configuration” (primarily for Autopilot/OOBE enrollments) by persisting new state on mdm_windows_enrollments.

Changes:

• Adds awaiting_configuration + awaiting_configuration_at columns to mdm_windows_enrollments (migration + schema.sql).
• Computes awaiting-configuration state during Windows enrollment and stores it on the enrollment row.
• Extends the Windows enrollment model and insert/upsert logic to write the new fields.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
server/service/microsoft_mdm.go	Sets awaiting-configuration flags during Windows MDM enrollment based on programmatic vs automatic flow and OOBE state.
server/fleet/microsoft_mdm.go	Extends MDMWindowsEnrolledDevice to include awaiting-configuration fields.
server/datastore/mysql/microsoft_mdm.go	Writes awaiting-configuration fields on insert/upsert for Windows enrollment rows.
server/datastore/mysql/schema.sql	Updates mdm_windows_enrollments schema (and migration status) to include new columns.
server/datastore/mysql/migrations/tables/20260406120000_AddWindowsAwaitingConfiguration.go	Adds the new columns to mdm_windows_enrollments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Walkthrough

This pull request adds Windows enrollment awaiting configuration tracking to the mdm_windows_enrollments table. Changes include:

• Database migration adding awaiting_configuration (tinyint) and awaiting_configuration_at (datetime) columns to mdm_windows_enrollments
• Schema update reflecting these new columns
• MDMWindowsEnrolledDevice struct expanded with AwaitingConfiguration and AwaitingConfigurationAt fields
• Datastore insertion logic updated to persist these fields via ON DUPLICATE KEY UPDATE
• Enrollment service logic modified to set awaiting_configuration=1 when a non-programmatic enrollment occurs during OOBE, otherwise 0, with corresponding timestamp

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	Pull request description is incomplete. It lacks most required checklist items and provides minimal context about the changes.	Complete all applicable checklist sections: add changes file, verify security/validation, confirm QA testing, database migration checks, and platform compatibility verification. Include specific context about the PR purpose and implementation.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding Windows awaiting configuration tracking to the enrollment system.
Linked Issues check	✅ Passed	The PR implementation comprehensively addresses all requirements from issue #42841: database migration with correct columns, struct fields added to MDMWindowsEnrolledDevice, enrollment detection logic implemented, and ON DUPLICATE KEY UPDATE for re-enrollments.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the linked issue requirements: migration file, schema updates, struct fields, and enrollment detection logic. No extraneous modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch victor/42841-awaiting-config

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

server/datastore/mysql/microsoft_mdm.go (1)

135-153: ⚠️ Potential issue | 🟠 Major

Don’t make the new enrollment fields write-only.

Lines 135-136 add awaiting_configuration and awaiting_configuration_at to the upsert, but MDMWindowsGetEnrolledDeviceWithDeviceID and MDMWindowsGetEnrolledDeviceWithHostUUID in this file still select the old column set. Any code rehydrating fleet.MDMWindowsEnrolledDevice through those helpers will always see zero values for the new state.

🛠️ Suggested follow-up

SELECT
	id,
	mdm_device_id,
	mdm_hardware_id,
	device_state,
	device_type,
	device_name,
	enroll_type,
	enroll_user_id,
	enroll_proto_version,
	enroll_client_version,
	not_in_oobe,
+	awaiting_configuration,
+	awaiting_configuration_at,
	credentials_hash,
	credentials_acknowledged,
	created_at,
	updated_at,
	host_uuid
FROM mdm_windows_enrollments

Apply the same addition to both MDMWindowsGetEnrolledDeviceWithDeviceID and MDMWindowsGetEnrolledDeviceWithHostUUID.

Also applies to: 158-175

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/datastore/mysql/microsoft_mdm.go` around lines 135 - 153, The upsert
adds awaiting_configuration and awaiting_configuration_at but the read helpers
still select the old columns, so add these two columns to the SELECT list and
scanning targets in both MDMWindowsGetEnrolledDeviceWithDeviceID and
MDMWindowsGetEnrolledDeviceWithHostUUID (and any similar getters around lines
158-175) so fleet.MDMWindowsEnrolledDevice.awaiting_configuration and
awaiting_configuration_at are populated; ensure the SELECT order matches the
Scan destination order (or use named scans) and update any variable names used
in those Scan calls to accept the new fields.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@server/datastore/mysql/migrations/tables/20260406120000_AddWindowsAwaitingConfiguration.go`:
- Around line 13-20: The migration currently returns early if
awaiting_configuration exists, which can skip adding awaiting_configuration_at;
update the idempotency logic around the columnExists checks so both columns are
verified individually (use columnExists(tx, "mdm_windows_enrollments",
"awaiting_configuration") and columnExists(tx, "mdm_windows_enrollments",
"awaiting_configuration_at")) and only return nil if both columns already exist,
or alternatively run separate ALTER TABLE statements to add each missing column
rather than a single early return before executing tx.Exec that adds both
columns.

---

Outside diff comments:
In `@server/datastore/mysql/microsoft_mdm.go`:
- Around line 135-153: The upsert adds awaiting_configuration and
awaiting_configuration_at but the read helpers still select the old columns, so
add these two columns to the SELECT list and scanning targets in both
MDMWindowsGetEnrolledDeviceWithDeviceID and
MDMWindowsGetEnrolledDeviceWithHostUUID (and any similar getters around lines
158-175) so fleet.MDMWindowsEnrolledDevice.awaiting_configuration and
awaiting_configuration_at are populated; ensure the SELECT order matches the
Scan destination order (or use named scans) and update any variable names used
in those Scan calls to accept the new fields.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9011ca67-dba2-45b6-9538-0a9b86d094b7

📥 Commits

Reviewing files that changed from the base of the PR and between 1e24ead and 5013b48.

📒 Files selected for processing (5)

• server/datastore/mysql/microsoft_mdm.go
• server/datastore/mysql/migrations/tables/20260406120000_AddWindowsAwaitingConfiguration.go
• server/datastore/mysql/schema.sql
• server/fleet/microsoft_mdm.go
• server/service/microsoft_mdm.go

[codecov]

Codecov Report

❌ Patch coverage is 83.33333% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.85%. Comparing base (1b95a58) to head (718207d).
⚠️ Report is 14 commits behind head on main.

Files with missing lines	Patch %	Lines
.../20260406120000_AddWindowsAwaitingConfiguration.go	60.00%	4 Missing and 2 partials ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #43067   +/-   ##
=======================================
  Coverage   66.84%   66.85%           
=======================================
  Files        2578     2579    +1     
  Lines      206869   206904   +35     
  Branches     9283     9283           
=======================================
+ Hits       138291   138322   +31     
- Misses      56006    56008    +2     
- Partials    12572    12574    +2     

Flag	Coverage Δ
backend	68.62% <83.33%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[JordanMontgomery]

For whatever it's worth my initial thinking for this was this was almost a state based thing. I made it a tinyint to not make the windows enrollments rows too big but in Magnus's POC he did the same where essentially it was 0=not waiting, 1=initial waiting state, 2=later state which is basically once the full initialization/enrollment has completed and things have actually started

[getvictor]

Thanks. Updated to 3 states

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}