From fdc184fe5811123ccb5e304d7f69eac040767634 Mon Sep 17 00:00:00 2001
From: Harrison Ravazzolo <38767391+harrisonravazzolo@users.noreply.github.com>
Date: Tue, 21 Oct 2025 17:47:50 +0200
Subject: [PATCH] Windows CSP - Spotlight config + Okta scep (#34589)

---
 .../allow-spotlight-collections.xml           |  12 ++
 .../okta-attestation-cert.xml                 | 103 ++++++++++++++++++
 2 files changed, 115 insertions(+)
 create mode 100644 docs/solutions/windows/configuration-profiles/allow-spotlight-collections.xml
 create mode 100644 docs/solutions/windows/configuration-profiles/okta-attestation-cert.xml

diff --git a/docs/solutions/windows/configuration-profiles/allow-spotlight-collections.xml b/docs/solutions/windows/configuration-profiles/allow-spotlight-collections.xml
new file mode 100644
index 0000000000..4f6ea59d74
--- /dev/null
+++ b/docs/solutions/windows/configuration-profiles/allow-spotlight-collections.xml
@@ -0,0 +1,12 @@
+<Replace>
+  <CmdID>019a01c6-9e1e-7e70-9c72-21151773f075</CmdID>
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./User/Vendor/MSFT/Policy/Config/Experience/AllowSpotlightCollection</LocURI>
+    </Target>
+    <Data>0</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/windows/configuration-profiles/okta-attestation-cert.xml b/docs/solutions/windows/configuration-profiles/okta-attestation-cert.xml
new file mode 100644
index 0000000000..d7e74dd7d2
--- /dev/null
+++ b/docs/solutions/windows/configuration-profiles/okta-attestation-cert.xml
@@ -0,0 +1,103 @@
+<Replace>
+      <!-- Set Node here -->
+      <CmdID>1</CmdID>
+      <Item>
+        <Target>
+          <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify</LocURI>
+        </Target>
+        <Meta>
+          <Format xmlns="syncml:metinf">node</Format>
+        </Meta>
+      </Item>
+    </Replace>
+    <Add>
+    <!-- SCEP URL -->      
+      <CmdID>2</CmdID>
+      <Item>
+        <Target>
+          <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/ServerURL</LocURI>
+        </Target>
+        <Meta>
+          <Format xmlns="syncml:metinf">chr</Format>
+        </Meta>
+        <Data>yourUrlHere</Data>
+      </Item>
+    </Add>
+    <!-- SCEP Challenge -->
+    <Add>
+      <CmdID>3</CmdID>
+      <Item>
+        <Target>
+          <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/Challenge</LocURI>
+        </Target>
+        <Meta>
+          <Format xmlns="syncml:metinf">chr</Format>
+        </Meta>
+        <Data>yourChallengeHere</Data>
+      </Item>
+    </Add>
+    <!-- CN - check Okta doc for required values (https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/devices-client-certificates-faqs.htm) -->
+    <Add>
+      <CmdID>4</CmdID>
+      <Item>
+        <Target>
+          <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/SubjectName</LocURI>
+        </Target>
+        <Meta>
+          <Format xmlns="syncml:metinf">chr</Format>
+        </Meta>
+        <Data>$FLEET_VAR_HOST_UUID </Data>
+      </Item>
+    </Add>
+    <!-- Key Length -->
+    <Add>
+      <CmdID>5</CmdID>
+      <Item>
+        <Target>
+          <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/KeyLength</LocURI>
+        </Target>
+        <Meta>
+          <Format xmlns="syncml:metinf">int</Format>
+        </Meta>
+        <Data>2048</Data>
+      </Item>
+    </Add>
+    <!-- Hash Algorithm -->
+    <Add>
+      <CmdID>6</CmdID>
+      <Item>
+        <Target>
+          <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/HashAlgorithm</LocURI>
+        </Target>
+        <Meta>
+          <Format xmlns="syncml:metinf">chr</Format>
+        </Meta>
+        <Data>SHA256</Data>
+      </Item>
+    </Add>
+    <!-- Key Usage -->
+    <Add>
+      <CmdID>7</CmdID>
+      <Item>
+        <Target>
+          <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/KeyUsage</LocURI>
+        </Target>
+        <Meta>
+          <Format xmlns="syncml:metinf">int</Format>
+        </Meta>
+        <Data>160</Data>
+      </Item>
+    </Add>
+    <!-- Extended Key Usage -->
+    <Add>
+      <CmdID>8</CmdID>
+      <Item>
+        <Target>
+          <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/EKUMapping</LocURI>
+        </Target>
+        <Meta>
+          <Format xmlns="syncml:metinf">chr</Format>
+        </Meta>
+        <Data>1.3.6.1.5.5.7.3.2</Data>
+      </Item>
+    </Add>