Troubleshooting
Hosts Enrolling with Empty Data
In my testing, the way to reproduce the issue is:
- Remove a host using the Fleet UI
- The host should automatically re-enroll after a short time as pulses regularly check-in with the Fleet DM server
When the endpoint automatically re-enrolls, this causes some kind of conflict where:
- Re-enrollment is successful
- A second re-enrollment is attempted milliseconds after the original causing a conflict, cause the device identifier is already in use
- This continues indefinitely, even if you reinstall Fleet osquery on the host
Correcting the Issue with Windows Hosts
I was successfully able to resolve the issue by performing the following steps:
- Stop Fleet osquery on the host
- Remove the host in the Fleet UI
- Uninstall Fleet osquery on the host
- Remove
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Fleet osquery - Remove
C:\Windows\System32\config\systemprofile\AppData\Local\FleetDM - Reinstall Fleet osquery on the host
Correcting the Issue with Linux Hosts
I am still investigating the fix with Linux hosts, but if it's anything like the issue on the Windows side, it might be some sort of cached configuration. Will update once I can confirm a fix.