From d2d918dd4914c7bb177774f7650c65a49214208a Mon Sep 17 00:00:00 2001
From: Magnus Jensen <magnus@fleetdm.com>
Date: Thu, 30 Oct 2025 14:50:03 -0300
Subject: [PATCH] DCSW: Verify Windows SCEP profiles without validation
 (#34852)

<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #34249

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
---
 server/mdm/microsoft/profile_verifier.go      |  7 +++++++
 server/mdm/microsoft/profile_verifier_test.go | 20 +++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/server/mdm/microsoft/profile_verifier.go b/server/mdm/microsoft/profile_verifier.go
index 3f13ca0f40..1d09854b3c 100644
--- a/server/mdm/microsoft/profile_verifier.go
+++ b/server/mdm/microsoft/profile_verifier.go
@@ -170,6 +170,13 @@ func compareResultsToExpectedProfiles(ctx context.Context, logger kitlog.Logger,
 	}
 
 	err = LoopOverExpectedHostProfiles(ctx, logger, ds, host, func(profile *fleet.ExpectedMDMProfile, ref, locURI, wantData string) {
+		if strings.HasPrefix(locURI, "./Device/Vendor/MSFT/ClientCertificateInstall/SCEP") {
+			verified[profile.Name] = struct{}{}
+			// We delete here if by some accident it was marked as missing before
+			delete(missing, profile.Name)
+			return
+		}
+
 		// if we didn't get a status for a LocURI, mark the profile as missing.
 		gotStatus, ok := profileResults.cmdRefToStatus[ref]
 		if !ok {
diff --git a/server/mdm/microsoft/profile_verifier_test.go b/server/mdm/microsoft/profile_verifier_test.go
index 30f52a0662..29c42441af 100644
--- a/server/mdm/microsoft/profile_verifier_test.go
+++ b/server/mdm/microsoft/profile_verifier_test.go
@@ -594,6 +594,26 @@ func TestVerifyHostMDMProfilesHappyPaths(t *testing.T) {
 			toFail:   []string{},
 			toRetry:  []string{},
 		},
+		{
+			name: "scep profile instantly verifies",
+			hostProfiles: []hostProfile{
+				{"N1", syncml.ForTestWithData([]syncml.TestCommand{
+					{
+						Verb:   "Replace",
+						LocURI: "./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/bogus-key-value",
+						Data:   "non related data",
+					},
+				}), 0},
+			},
+			existingProfiles: []fleet.HostMDMWindowsProfile{
+				{
+					ProfileUUID: "uuid-N1",
+					Name:        "N1",
+					Status:      &fleet.MDMDeliveryPending,
+				},
+			},
+			toVerify: []string{"N1"},
+		},
 	}
 
 	for _, tt := range cases {