Added EUA to the Fleet MSI installer (#43295)

**Related issue:** Resolves #41381

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.

## Testing

- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
- Forward end-user authentication context (EUA token) to the Fleet MSI
installer and enrollment flow on Windows MDM to avoid duplicate auth
prompts and link devices to hosts.

* **Tests**
- Added comprehensive unit and integration tests for EUA token creation,
validation, and processing to improve reliability.

* **Documentation**
- Added a note describing support for forwarding end-user authentication
context during Windows MDM enrollment.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: ksykulev

changes/41381-eua-ms-installer

@@ -0,0 +1 @@
+* Added support for passing end-user authentication context to the Fleet MSI installer during Windows MDM enrollment, so end users are not prompted to authenticate twice when EUA is enabled.

server/fleet/api_orbit.go

@@ -32,6 +32,8 @@ type EnrollOrbitRequest struct {
 	ComputerName string `json:"computer_name"`
 	// HardwareModel is the device's hardware model.
 	HardwareModel string `json:"hardware_model"`
+	// EUAToken is a Fleet-signed JWT containing the user's UPN and Windows MDM device ID.
+	EUAToken string `json:"eua_token,omitempty"`
 }
 
 // SetOrbitNodeKeyer is the interface implemented by orbit request types that

server/fleet/service.go

@@ -122,7 +122,7 @@ type Service interface {
 	//
 	//	- If an entry for the host exists (osquery enrolled first) then it will update the host's orbit node key and team.
 	//	- If an entry for the host doesn't exist (osquery enrolls later) then it will create a new entry in the hosts table.
-	EnrollOrbit(ctx context.Context, hostInfo OrbitHostInfo, enrollSecret string) (orbitNodeKey string, err error)
+	EnrollOrbit(ctx context.Context, hostInfo OrbitHostInfo, enrollSecret string, euaToken string) (orbitNodeKey string, err error)
 	// GetOrbitConfig returns team specific flags and extensions in agent options
 	// if the team id is not nil for host, otherwise it returns flags from global
 	// agent options. It also returns any notifications that fleet wants to surface

server/mdm/microsoft/wstep.go

@@ -45,9 +45,17 @@ type CertManager interface {
 	// NewSTSAuthToken returns an STS auth token for the given UPN claim.
 	NewSTSAuthToken(upn string) (string, error)
 
+	// NewEUAToken returns a Fleet-signed JWT for the given UPN and Windows MDM
+	// device ID. Used to pass end-user authentication context to the orbit
+	// installer so the user is not prompted twice.
+	NewEUAToken(upn string, deviceID string) (string, error)
+
 	// GetSTSAuthTokenUPNClaim validates the given token and returns the UPN claim
 	GetSTSAuthTokenUPNClaim(token string) (string, error)
 
+	// GetEUATokenClaims validates the given EUA token and returns the parsed claims.
+	GetEUATokenClaims(token string) (*EUATokenClaims, error)
+
 	// TODO: implement other methods as needed:
 	// - verify certificate-device association
 	// - certificate lifecycle management (e.g., renewal, revocation)
@@ -66,6 +74,19 @@ type STSClaims struct {
 	jwt.RegisteredClaims
 }
 
+// euaJWTClaims is the internal JWT struct for signing/parsing EUA tokens.
+type euaJWTClaims struct {
+	UPN      string `json:"upn"`
+	DeviceID string `json:"device_id"`
+	jwt.RegisteredClaims
+}
+
+// EUATokenClaims is the validated result returned to callers of GetEUATokenClaims.
+type EUATokenClaims struct {
+	UPN      string
+	DeviceID string
+}
+
 type AzureData struct {
 	UPN        string
 	Audience   []string
@@ -186,8 +207,8 @@ func (m *manager) NewSTSAuthToken(upn string) (string, error) {
 
 	// Create claims with upn field populated
 	claims := STSClaims{
-		upn,
-		jwt.RegisteredClaims{
+		UPN: upn,
+		RegisteredClaims: jwt.RegisteredClaims{
 			ExpiresAt: jwt.NewNumericDate(time.Now().Add(10 * time.Minute)),
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 			NotBefore: jwt.NewNumericDate(time.Now()),
@@ -205,6 +226,80 @@ func (m *manager) NewSTSAuthToken(upn string) (string, error) {
 	return signedToken, nil
 }
 
+// NewEUAToken returns a Fleet-signed JWT for the given UPN and Windows MDM device ID.
+func (m *manager) NewEUAToken(upn string, deviceID string) (string, error) {
+	if m == nil {
+		return "", errors.New("windows mdm identity keypair was not configured")
+	}
+
+	if m.identityCert == nil || m.identityPrivateKey == nil {
+		return "", errors.New("invalid identity certificate or private key")
+	}
+
+	if len(upn) == 0 {
+		return "", errors.New("invalid upn field")
+	}
+	if len(deviceID) == 0 {
+		return "", errors.New("invalid device_id field")
+	}
+
+	claims := euaJWTClaims{
+		UPN:      upn,
+		DeviceID: deviceID,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),
+			IssuedAt:  jwt.NewNumericDate(time.Now()),
+			NotBefore: jwt.NewNumericDate(time.Now()),
+			Subject:   "EUAToken",
+		},
+	}
+
+	token := jwt.NewWithClaims(jwt.GetSigningMethod("RS256"), claims)
+	signedToken, err := token.SignedString(m.identityPrivateKey)
+	if err != nil {
+		return "", fmt.Errorf("failed to sign EUA token: %w", err)
+	}
+
+	return signedToken, nil
+}
+
+// GetEUATokenClaims validates the given EUA token and returns the parsed claims.
+func (m *manager) GetEUATokenClaims(tokenStr string) (*EUATokenClaims, error) {
+	if m == nil {
+		return nil, errors.New("windows mdm identity keypair was not configured")
+	}
+
+	if m.identityCert == nil || m.identityPrivateKey == nil {
+		return nil, errors.New("invalid identity certificate or private key")
+	}
+
+	if len(tokenStr) == 0 {
+		return nil, errors.New("invalid EUA token")
+	}
+
+	token, err := jwt.ParseWithClaims(tokenStr, &euaJWTClaims{}, func(token *jwt.Token) (any, error) {
+		if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+		return m.identityCert.PublicKey, nil
+	})
+	if err != nil {
+		return nil, fmt.Errorf("there was an error parsing the EUA token claims: %w", err)
+	}
+
+	if claims, ok := token.Claims.(*euaJWTClaims); ok && token.Valid {
+		if len(claims.UPN) == 0 {
+			return nil, errors.New("issue with UPN token claim")
+		}
+		if len(claims.DeviceID) == 0 {
+			return nil, errors.New("issue with device_id token claim")
+		}
+		return &EUATokenClaims{UPN: claims.UPN, DeviceID: claims.DeviceID}, nil
+	}
+
+	return nil, errors.New("issue with EUA token validation")
+}
+
 // GetSTSAuthToken validates the given token and returns the UPN claim
 func (m *manager) GetSTSAuthTokenUPNClaim(tokenStr string) (string, error) {
 	if m == nil {

server/mdm/microsoft/wstep_test.go

@@ -99,6 +99,44 @@ func TestSTSTokenSigningAndVerification(t *testing.T) {
 	require.ErrorContains(t, err, "invalid upn field")
 }
 
+func TestSTSTokenWithDeviceID(t *testing.T) {
+	var store CertStore
+	cm, err := NewCertManager(store, testCert, testKey)
+	require.NoError(t, err)
+
+	upn := "user@example.com"
+	deviceID := "test-device-id-123"
+
+	// Generate token with device ID
+	token, err := cm.NewEUAToken(upn, deviceID)
+	require.NoError(t, err)
+	require.NotEmpty(t, token)
+
+	// Validate and extract both claims
+	claims, err := cm.GetEUATokenClaims(token)
+	require.NoError(t, err)
+	require.Equal(t, upn, claims.UPN)
+	require.Equal(t, deviceID, claims.DeviceID)
+
+	// Empty UPN is rejected
+	_, err = cm.NewEUAToken("", deviceID)
+	require.ErrorContains(t, err, "invalid upn field")
+
+	// Empty device ID is rejected
+	_, err = cm.NewEUAToken(upn, "")
+	require.ErrorContains(t, err, "invalid device_id field")
+
+	// Token signed by NewSTSAuthToken (no device_id) is rejected — device_id is required
+	oldToken, err := cm.NewSTSAuthToken(upn)
+	require.NoError(t, err)
+	_, err = cm.GetEUATokenClaims(oldToken)
+	require.ErrorContains(t, err, "issue with device_id token claim")
+
+	// Tampered token is rejected
+	_, err = cm.GetEUATokenClaims(token + "tampered")
+	require.Error(t, err)
+}
+
 func TestCertFingerprintHexStr(t *testing.T) {
 	cases := []struct {
 		name string

server/mock/service/service_mock.go

@@ -50,7 +50,7 @@ type GetTransparencyURLFunc func(ctx context.Context) (string, error)
 
 type AuthenticateOrbitHostFunc func(ctx context.Context, nodeKey string) (host *fleet.Host, debug bool, err error)
 
-type EnrollOrbitFunc func(ctx context.Context, hostInfo fleet.OrbitHostInfo, enrollSecret string) (orbitNodeKey string, err error)
+type EnrollOrbitFunc func(ctx context.Context, hostInfo fleet.OrbitHostInfo, enrollSecret string, euaToken string) (orbitNodeKey string, err error)
 
 type GetOrbitConfigFunc func(ctx context.Context) (fleet.OrbitConfig, error)
 
@@ -2354,11 +2354,11 @@ func (s *Service) AuthenticateOrbitHost(ctx context.Context, nodeKey string) (ho
 	return s.AuthenticateOrbitHostFunc(ctx, nodeKey)
 }
 
-func (s *Service) EnrollOrbit(ctx context.Context, hostInfo fleet.OrbitHostInfo, enrollSecret string) (orbitNodeKey string, err error) {
+func (s *Service) EnrollOrbit(ctx context.Context, hostInfo fleet.OrbitHostInfo, enrollSecret string, euaToken string) (orbitNodeKey string, err error) {
 	s.mu.Lock()
 	s.EnrollOrbitFuncInvoked = true
 	s.mu.Unlock()
-	return s.EnrollOrbitFunc(ctx, hostInfo, enrollSecret)
+	return s.EnrollOrbitFunc(ctx, hostInfo, enrollSecret, euaToken)
 }
 
 func (s *Service) GetOrbitConfig(ctx context.Context) (fleet.OrbitConfig, error) {

server/service/integration_mdm_lifecycle_test.go

@@ -13,6 +13,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"regexp"
 	"strings"
 	"testing"
 	"time"
@@ -508,6 +509,7 @@ func (s *integrationMDMTestSuite) recordWindowsHostStatus(
 
 	msgID, err := device.GetCurrentMsgID()
 	require.NoError(t, err)
+	euaTokenRe := regexp.MustCompile(`EUA_TOKEN="[^"]*"`)
 	for _, c := range cmds {
 		cmdID := c.Cmd.CmdID
 		status := syncml.CmdStatusOK
@@ -522,6 +524,12 @@ func (s *integrationMDMTestSuite) recordWindowsHostStatus(
 		})
 		c.Cmd.CmdID.Value = ""
 		c.Cmd.CmdRef = nil
+		for i := range c.Cmd.Items {
+			if c.Cmd.Items[i].Data != nil {
+				c.Cmd.Items[i].Data.Content = euaTokenRe.ReplaceAllString(
+					c.Cmd.Items[i].Data.Content, `EUA_TOKEN="<redacted>"`)
+			}
+		}
 		recordedCmds = append(recordedCmds, c)
 	}
 

server/service/integration_mdm_test.go

@@ -9173,15 +9173,22 @@ func (s *integrationMDMTestSuite) TestWindowsAutomaticEnrollmentCommands() {
 
 		var installJob struct {
 			Product struct {
-				ContentURL string `xml:"Download>ContentURLList>ContentURL"`
-				FileHash   string `xml:"Validation>FileHash"`
+				ContentURL  string `xml:"Download>ContentURLList>ContentURL"`
+				FileHash    string `xml:"Validation>FileHash"`
+				CommandLine string `xml:"Enforcement>CommandLine"`
 			} `xml:"Product"`
 		}
 		err = xml.Unmarshal([]byte(fleetdExecCmd.Cmd.Items[0].Data.Content), &installJob)
 		require.NoError(t, err)
 		require.Equal(t, s.mockedDownloadFleetdmMeta.MSIURL, installJob.Product.ContentURL)
 		require.Equal(t, s.mockedDownloadFleetdmMeta.MSISha256, installJob.Product.FileHash)
 
+		// The device enrolled with a valid UPN (azureMail), so the command line
+		// should include an EUA_TOKEN argument.
+		require.Contains(t, installJob.Product.CommandLine, `EUA_TOKEN="`)
+		require.Contains(t, installJob.Product.CommandLine, `FLEET_URL="`)
+		require.Contains(t, installJob.Product.CommandLine, `FLEET_SECRET="`)
+
 		// reply with success for both commands
 		msgID, err := d.GetCurrentMsgID()
 		require.NoError(t, err)

server/service/microsoft_mdm.go

@@ -1501,6 +1501,28 @@ func (svc *Service) isFleetdPresentOnDevice(ctx context.Context, deviceID string
 	return true, nil
 }
 
+// generateWindowsEUAToken returns a Fleet-signed EUA token for the given Windows
+// MDM device ID if the device enrolled with a valid Azure UPN
+func (svc *Service) generateWindowsEUAToken(ctx context.Context, deviceID string) string {
+	if svc.wstepCertManager == nil {
+		return ""
+	}
+	device, err := svc.ds.MDMWindowsGetEnrolledDeviceWithDeviceID(ctx, deviceID)
+	if err != nil {
+		svc.logger.ErrorContext(ctx, "unable to fetch windows mdm enrollment for EUA token generation", "err", err, "device_id", deviceID)
+		return ""
+	}
+	if device == nil || !microsoft_mdm.IsValidUPN(device.MDMEnrollUserID) {
+		return ""
+	}
+	token, err := svc.wstepCertManager.NewEUAToken(device.MDMEnrollUserID, deviceID)
+	if err != nil {
+		svc.logger.ErrorContext(ctx, "unable to generate EUA token for fleetd install", "err", err, "device_id", deviceID)
+		return ""
+	}
+	return token
+}
+
 func (svc *Service) enqueueInstallFleetdCommand(ctx context.Context, deviceID string) error {
 	secrets, err := svc.ds.GetEnrollSecrets(ctx, nil)
 	if err != nil {
@@ -1530,6 +1552,11 @@ func (svc *Service) enqueueInstallFleetdCommand(ctx context.Context, deviceID st
 	addCommandUUID := uuid.NewString()
 	execCommandUUID := uuid.NewString()
 
+	euaTokenArg := ""
+	if token := svc.generateWindowsEUAToken(ctx, deviceID); token != "" {
+		euaTokenArg = ` EUA_TOKEN="` + token + `"`
+	}
+
 	rawAddCmd := []byte(`
 <Add>
 	<CmdID>` + addCommandUUID + `</CmdID>
@@ -1562,7 +1589,7 @@ func (svc *Service) enqueueInstallFleetdCommand(ctx context.Context, deviceID st
 					<FileHash>` + fleetdMetadata.MSISha256 + `</FileHash>
 				</Validation>
 				<Enforcement>
-					<CommandLine>/quiet FLEET_URL="` + fleetURL + `" FLEET_SECRET="` + globalEnrollSecret + `" ENABLE_SCRIPTS="True"</CommandLine>
+					<CommandLine>/quiet FLEET_URL="` + fleetURL + `" FLEET_SECRET="` + globalEnrollSecret + `" ENABLE_SCRIPTS="True"` + euaTokenArg + `</CommandLine>
 					<TimeOut>10</TimeOut>
 					<RetryCount>1</RetryCount>
 					<RetryInterval>5</RetryInterval>