mirror of
https://github.com/fleetdm/fleet
synced 2026-05-24 09:28:54 +00:00
This pull request updates the Okta Verify on Windows SCEP configuration documentation and profile to simplify deployment with Fleet and reduce manual steps. The changes make the process more reliable by standardizing variable usage, improving instructions, and automating certificate enrollment.

**Key improvements and changes:**

**Documentation and workflow simplification:**

- The guide in `articles/enable-okta-verify-on-windows-using-a-scep-configuration-profile.md` was rewritten for clarity and to reflect the new automated approach. Manual editing of XML and scripts is no longer needed; Fleet-managed variables and secrets now handle all required values. Steps for gathering prerequisites, deploying, verifying, and renewing certificates are streamlined, and troubleshooting guidance is expanded.
- The subject name in the certificate is now set to use the hardware serial (`$FLEET_VAR_HOST_HARDWARE_SERIAL`) instead of the host UUID, improving uniqueness and traceability. ([docs/solutions/windows/configuration-profiles/install Okta attestation certificate - [Bundle].xmlL77-R89](diffhunk://#diff-d8fc2c8add5725599bdc41a7b417dc3978cfc34eb6fcb8950db513f2b5799aa5L77-R89))

**Secret management and security:**

- The configuration profile now references Fleet secrets (`$FLEET_SECRET_OKTA_SCEP_URL`, `$FLEET_SECRET_OKTA_SCEP_CHALLENGE`, `$FLEET_SECRET_OKTA_CA_THUMBPRINT`) directly, removing the need for manual substitution and reducing the risk of misconfiguration. ([docs/solutions/windows/configuration-profiles/install Okta attestation certificate - [Bundle].xmlL98-R141](diffhunk://#diff-d8fc2c8add5725599bdc41a7b417dc3978cfc34eb6fcb8950db513f2b5799aa5L98-R141))

**Automated certificate enrollment:**

- An `<Exec>` command is added to the XML profile to automatically trigger SCEP enrollment upon deployment, further reducing manual intervention. ([docs/solutions/windows/configuration-profiles/install Okta attestation certificate - [Bundle].xmlL98-R141](diffhunk://#diff-d8fc2c8add5725599bdc41a7b417dc3978cfc34eb6fcb8950db513f2b5799aa5L98-R141))

These changes make the Okta Verify SCEP configuration for Windows much easier to deploy and maintain, with improved automation and clearer instructions.

---------

Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
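The commit above has Fleet substitute the host's hardware serial into the certificate subject, inject the Okta SCEP URL, challenge and CA thumbprint from Fleet secrets, and trigger enrollment with an `<Exec>`. The PowerShell below is an added verification check, not code from the Fleet repository or from the PR: run on an enrolled Windows host, it confirms that a certificate whose subject carries the BIOS serial is present in the device store, that it has a usable private key, that its chain contains the CA thumbprint the operator stored as `FLEET_SECRET_OKTA_CA_THUMBPRINT`, and how far it is from expiry. The store path `Cert:\LocalMachine\My`, the placeholder thumbprint and the 30-day warning threshold are assumptions, not values from the page.

```powershell
# Added example: verify the device certificate enrolled by the Okta SCEP profile.
# Not part of the Fleet repository or the PR described above.
# Assumptions (not stated on the page): the CSP places the certificate in the
# device store Cert:\LocalMachine\My, the subject contains the BIOS serial that
# Fleet substitutes for $FLEET_VAR_HOST_HARDWARE_SERIAL, and the thumbprint
# passed here is the value stored as FLEET_SECRET_OKTA_CA_THUMBPRINT.
# The default thumbprint is a placeholder. Run from an elevated session so the
# private-key association in the machine store can be read.
param(
    [string]$ExpectedCaThumbprint = '0000000000000000000000000000000000000000',
    [int]$RenewalWarningDays = 30
)

# Same value Fleet substitutes for $FLEET_VAR_HOST_HARDWARE_SERIAL (BIOS serial).
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()

# Normalise the thumbprint the way Windows reports it: upper-case hex, no separators.
$expected = ($ExpectedCaThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Match on the serial anywhere in the subject so the check does not depend on the
# exact CN template the profile uses.
$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject.Contains($serial) })

if ($certs.Count -eq 0) {
    Write-Error "No certificate in Cert:\LocalMachine\My has a subject containing hardware serial '$serial'; SCEP enrollment has not completed."
    exit 1
}

$failed = $false
foreach ($cert in $certs) {
    # Build the chain without requiring the Okta CA to be a Windows trusted root;
    # trust is decided by comparing thumbprints explicitly below.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    [void]$chain.Build($cert)

    # Thumbprints of every issuer in the chain (leaf excluded).
    $issuerThumbprints = @($chain.ChainElements |
        ForEach-Object { $_.Certificate.Thumbprint } |
        Where-Object { $_ -ne $cert.Thumbprint })

    $chainsToOktaCa  = $issuerThumbprints -contains $expected
    $daysUntilExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays

    [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        HasPrivateKey   = $cert.HasPrivateKey
        ChainsToOktaCA  = $chainsToOktaCa
        DaysUntilExpiry = $daysUntilExpiry
    } | Format-List

    if (-not $chainsToOktaCa) {
        Write-Warning "$($cert.Thumbprint): no CA in its chain matches $expected; it was not issued by the configured Okta CA."
        $failed = $true
    }
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$($cert.Thumbprint): no private key is associated; Okta Verify cannot use it."
        $failed = $true
    }
    if ($daysUntilExpiry -le $RenewalWarningDays) {
        Write-Warning "$($cert.Thumbprint): expires in $daysUntilExpiry day(s); it is inside the renewal window."
    }
}

if ($failed) { exit 1 }
```

Save it as, for example, `Test-OktaDeviceCert.ps1` and run `.\Test-OktaDeviceCert.ps1 -ExpectedCaThumbprint <thumbprint>` with the same value that was stored in the Fleet secret. A non-zero exit means either no certificate was enrolled for this serial or the one found was not issued by the expected CA, which is the condition that would otherwise surface only as an Okta Verify sign-in failure.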
| File |
|---|
| allow network connectivity during connected standby – [ACConnectivityInStandby_2, DCConnectivityInStandby_2].xml |
| allow Windows Spotlight collections - [AllowSpotlightCollection].xml |
| disable automatic data collection for Web Threat Defense – [AutomaticDataCollection].xml |
| disable built-in Administrator account – [Accounts_EnableAdministratorAccountStatus].xml |
| disable built-in Guest account – [Accounts_EnableGuestAccountStatus].xml |
| disable elevated privileges for MSI installations – [MSIAlwaysInstallWithElevatedPrivileges].xml |
| disable elevated privileges for user MSI installations – [MSIAlwaysInstallWithElevatedPrivileges].xml |
| disable Internet Connection Sharing service – [ConfigureInternetConnectionSharingServiceStartupMode].xml |
| disable Microsoft FTP Service – [ConfigureMicrosoftFTPServiceStartupMode].xml |
| disable online speech recognition and personalization - [AllowInputPersonalization].xml |
| disable remote assistance - [AllowRemoteAssistance].xml |
| disable remote login - [AllowUsersToConnectRemotely].xml |
| disable Remote Procedure Call Locator service – [ConfigureRemoteProcedureCallLocatorServiceStartupMode].xml |
| disable Routing and Remote Access service – [ConfigureRoutingAndRemoteAccessServiceStartupMode].xml |
| disable simple TCPIP services – [SimpleTcp].xml |
| disable SSDP Discovery Service – [ConfigureSSDPDiscoveryServiceStartupMode].xml |
| disable UPnP Device Host service – [ConfigureUPnPDeviceHostServiceStartupMode].xml |
| disable Windows Game Recording and Broadcasting – [AllowGameDVR].xml |
| disable Windows Media Player Network Sharing Service – [ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode].xml |
| disable Windows Mobile Hotspot Service – [ConfigureWindowsMobileHotspotServiceStartupMode].xml |
| disable Windows Remote Assistance – [UnsolicitedRemoteAssistance, SolicitedRemoteAssistance].xml |
| disable Windows Spotlight features – [AllowWindowsSpotlight].xml |
| disable World Wide Web Publishing Service – [ConfigureWorldWideWebPublishingServiceStartupMode].xml |
| disable Xbox services – [Bundle].xml |
| Disallow manual MDM unenrollment - [AllowManualMDMUnenrollment].xml |
| enable Microsoft Defender SmartScreen - [EnableSmartScreen].xml |
| enable Microsoft Web Threat Defense service – [ServiceEnabled].xml |
| enable password-reuse warnings for work or school accounts – [NotifyPasswordReuse].xml |
| enable UAC prompts for application installations – [UserAccountControl_DetectApplicationInstallationsAndPromptForElevation].xml |
| enable user warnings for malicious web activity – [NotifyMalicious].xml |
| enable user warnings for unsafe applications – [NotifyUnsafeApp].xml |
| enforce account lockout policy – [AccountLockoutPolicy].xml |
| enforce device password and lock requirements – [Bundle].xml |
| enforce secure boot-start driver policy – [BootStartDriverInitialization].xml |
| enforce Windows Defender Firewall on all network profiles – [Bundle].xml |
| hide account details on sign in - [BlockUserFromShowingAccountDetailsOnSignin].xml |
| install Okta attestation certificate - [Bundle].xml |
| prevent enabling lock screen slide show – [PreventLockScreenSlideShow].xml |
| prevent users from changing date and time – [AllowDateTime].xml |
| require admin consent before UAC elevation - [ConsentPromptBehaviorAdmin].xml |
| require PIN for wireless display pairing – [RequirePinForPairing].xml |
| restrict Everyone permissions in network access - [NetworkAccess_RestrictAnonymousAccess].xml |
| set maximum device lock timeout (10 min max) - [MaxInactivityTimeDeviceLock].xml |