#fleet

jake

09/08/2021, 10:34 PM
Apologies if this has been asked; I just need a sanity check, because I feel like this should work but it doesn't. When utilizing FleetDM, it processes the flagfile, then anything that is in Agent Config and Overrides will overwrite anything in the flagfile. Would it be possible to add Windows events to Overrides for the Windows platform, or do you still need to have a flagfile on the device? The intent is to be able to install Orbit and have it use the Overrides.
overrides:
  platforms:
    windows:
      options:
        logger_plugin: tls
        pack_delimiter: /
        logger_tls_period: 10
        distributed_plugin: tls
        disable_distributed: false
        logger_tls_endpoint: /api/v1/osquery/log
        distributed_interval: 10
        distributed_tls_max_attempts: 3
        enable_ntfs_event_publisher: true
        enable_windows_events_subscriber: true
        enable_powershell_events_subscriber: true
        events_optimize: true
        events_max: 100000
        events_expiry: 900
        disable_events: false
        disable_logging: false
        schedule_splay_percent: 10
        schedule_max_drift: 15  # osquery's flag is schedule_max_drift; "schedule_max_drive" is not a recognized option
        windows_event_channels: >-
          System,Application,Setup,Security,Microsoft-Windows-Windows Firewall
          With Advanced Security/Firewall,Microsoft-Windows-Windows Firewall
          With Advanced Security/ConnectionSecurity
        utc: true
        pack_refresh_interval: 1800
        disable_watchdog: false
        watchdog_level: 0
        watchdog_memory_limit: 512
        watchdog_delay: 120
        enable_extensions_watchdog: true
      decorators:
        load:
          - SELECT version FROM osquery_info
          - SELECT uuid AS host_uuid FROM system_info
        always:
          - >-
            SELECT user AS username FROM logged_in_users WHERE user <> '' ORDER
            BY time LIMIT 1
        interval:
          '3600': SELECT total_seconds AS uptime FROM uptime
Martavis Parker

09/09/2021, 3:10 PM
Hi jake. Just to make sure I understand your issue, are you trying to add a Windows machine as a host without using a flagfile?
jake

09/10/2021, 1:04 AM
Yes. But I actually got the above to work when I rewrote it and applied it through `fleetctl apply -f` followed by the file, instead of doing it in the web interface. So I just install Orbit and it automatically pulls flags from the server. So if you add the overrides in the web interface and query a Windows device's flags, they wouldn't appear. But applying via the YAML file works, including extensions.
Martavis Parker

09/10/2021, 7:27 PM
Great! I'm glad to see it works!