LocURI protection uses team-wide set instead of per-host label scope #42591

@getvictor

Description

Found by: code review

💥 Actual behavior

When a Windows profile is deleted or edited to remove LocURIs, Fleet checks if other active profiles in the same team target those LocURIs and skips the <Delete> command if so. This prevents one profile's deletion from undoing settings enforced by another profile.

However, the protection set is built from ALL profiles in the team, regardless of label scope. If profile A (scoped to label "Laptops") and profile B (scoped to label "Desktops") both target the same LocURI, deleting profile A will skip the <Delete> for that LocURI on ALL hosts, including Laptop hosts where profile B does not apply. Those Laptop hosts keep the stale setting.

The same issue exists in two code paths:

  1. Whole-profile deletion (cancelWindowsHostInstallsForDeletedMDMProfiles): queries active LocURIs from all other profiles in the same team(s).
  2. Profile edit (batchSetMDMWindowsProfilesDB): builds allRetainedURIs from all incoming + reserved profiles without considering label scope.

🛠️ To fix

The LocURI protection set should be computed per-host, not per-team. For each host that needs a <Delete>, determine which OTHER profiles actually apply to that host (based on label membership), then only protect LocURIs from those profiles.

This requires joining against label membership tables when building the protection set, which is a more complex query. The current team-wide approach is conservative (over-protects, never incorrectly deletes) and may be acceptable as a tradeoff for simplicity.

This is an edge case of an edge case, so we could keep the current team-wide path as the first check. Then, only if a <Delete> is protected, check whether the host has label-scoped profiles; if it does, perform the additional per-host checks.

🧑‍💻 Steps to reproduce

These steps:

  • Have been confirmed to consistently lead to reproduction in multiple Fleet instances.
  • Describe the workflow that led to the error, but have not yet been reproduced in multiple Fleet instances.
  1. Create two labels: "Laptops" and "Desktops"
  2. Create profile A scoped to "Laptops" with LocURIs X, Y
  3. Create profile B scoped to "Desktops" with LocURI Y
  4. Wait for both profiles to be verified on their respective hosts
  5. Delete profile A (or edit it to remove LocURI Y)
  6. Expected: LocURI Y is deleted on Laptop hosts (profile B doesn't apply there)
  7. Actual: LocURI Y is NOT deleted on any host because profile B targets it (team-wide protection)
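To make the difference between the two protection sets concrete, the following is a constructed illustration (not Fleet's code; the `Profile`, `Host`, `TeamWideProtected`, `PerHostProtected` and `LocURIsToDelete` names, and the in-memory label model, are assumptions) of the per-host computation proposed in "To fix", including the two-stage fallback that keeps the cheap team-wide check first. It is run over the exact scenario from the reproduction steps above: profile A (Laptops, X and Y) deleted while profile B (Desktops, Y) remains.

```go
package main

import (
	"fmt"
	"sort"
)

// Profile is a simplified Windows configuration profile (constructed for this
// example; not Fleet's data model). An empty Labels slice means the profile is
// not label-scoped and applies to every host in the team.
type Profile struct {
	Name    string
	LocURIs []string
	Labels  []string
}

// Host carries only what the scoping decision needs: its label memberships.
type Host struct {
	Name   string
	Labels []string
}

// AppliesTo reports whether p is in scope for h: p is unscoped, or h is a
// member of at least one of p's labels.
func (p Profile) AppliesTo(h Host) bool {
	if len(p.Labels) == 0 {
		return true
	}
	for _, pl := range p.Labels {
		for _, hl := range h.Labels {
			if pl == hl {
				return true
			}
		}
	}
	return false
}

// TeamWideProtected mirrors the current behaviour: every LocURI targeted by any
// other profile in the team is protected, regardless of label scope.
func TeamWideProtected(team []Profile, deleted string) map[string]bool {
	protected := map[string]bool{}
	for _, p := range team {
		if p.Name == deleted {
			continue
		}
		for _, u := range p.LocURIs {
			protected[u] = true
		}
	}
	return protected
}

// PerHostProtected is the proposed fix: only LocURIs from other profiles that
// actually apply to h (by label membership) are protected for h.
func PerHostProtected(team []Profile, deleted string, h Host) map[string]bool {
	protected := map[string]bool{}
	for _, p := range team {
		if p.Name == deleted || !p.AppliesTo(h) {
			continue
		}
		for _, u := range p.LocURIs {
			protected[u] = true
		}
	}
	return protected
}

// hasLabelScopedProfiles reports whether any other profile in the team is
// label-scoped; when none is, the team-wide set is already exact.
func hasLabelScopedProfiles(team []Profile, deleted string) bool {
	for _, p := range team {
		if p.Name != deleted && len(p.Labels) > 0 {
			return true
		}
	}
	return false
}

// LocURIsToDelete returns, sorted, the LocURIs of the deleted profile for which
// a <Delete> should be sent to h. Two-stage: keep the cheap team-wide check and
// fall back to the per-host set only when a delete would be protected AND
// label-scoped profiles exist in the team.
func LocURIsToDelete(team []Profile, deleted string, h Host) []string {
	var victim *Profile
	for i := range team {
		if team[i].Name == deleted {
			victim = &team[i]
		}
	}
	if victim == nil || !victim.AppliesTo(h) {
		return nil // the deleted profile never applied to this host
	}
	teamSet := TeamWideProtected(team, deleted)
	var hostSet map[string]bool // computed lazily, only when needed
	var out []string
	for _, u := range victim.LocURIs {
		if !teamSet[u] {
			out = append(out, u)
			continue
		}
		if !hasLabelScopedProfiles(team, deleted) {
			continue // protected team-wide and nothing is label-scoped: exact
		}
		if hostSet == nil {
			hostSet = PerHostProtected(team, deleted, h)
		}
		if !hostSet[u] {
			out = append(out, u) // protected only by a profile out of scope here
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed data matching the reproduction steps.
	team := []Profile{
		{Name: "A", LocURIs: []string{"./X", "./Y"}, Labels: []string{"Laptops"}},
		{Name: "B", LocURIs: []string{"./Y"}, Labels: []string{"Desktops"}},
	}
	laptop := Host{Name: "laptop-1", Labels: []string{"Laptops"}}
	fmt.Println("team-wide protected:", TeamWideProtected(team, "A"))
	fmt.Println("per-host protected (laptop):", PerHostProtected(team, "A", laptop))
	fmt.Println("deletes to send (laptop):", LocURIsToDelete(team, "A", laptop))
}
```

For the Laptop host the team-wide set protects Y (because B targets it) while the per-host set is empty (B does not apply there), so the two-stage path ends up sending <Delete> for both X and Y; a host that is in both labels gets a <Delete> for X only, since B genuinely enforces Y on it.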

Labels: #g-security-compliance (Security & Compliance product group), bug (Something isn't working as documented), ~unreleased bug (This bug was found in an unreleased version of Fleet.)
Status: 🐣 In progress