This pull request updates the Okta Verify on Windows SCEP configuration documentation and profile to simplify deployment with Fleet and reduce manual steps. The changes make the process more reliable by standardizing variable usage, improving instructions, and automating certificate enrollment.

**Key improvements and changes:**

**Documentation and workflow simplification:**

- The guide in `articles/enable-okta-verify-on-windows-using-a-scep-configuration-profile.md` was rewritten for clarity and to reflect the new automated approach. Manual editing of XML and scripts is no longer needed; Fleet-managed variables and secrets now handle all required values. Steps for gathering prerequisites, deploying, verifying, and renewing certificates are streamlined, and troubleshooting guidance is expanded.
- The subject name in the certificate is now set to use the hardware serial (`$FLEET_VAR_HOST_HARDWARE_SERIAL`) instead of the host UUID, improving uniqueness and traceability. ([docs/solutions/windows/configuration-profiles/install Okta attestation certificate - [Bundle].xmlL77-R89](diffhunk://#diff-d8fc2c8add5725599bdc41a7b417dc3978cfc34eb6fcb8950db513f2b5799aa5L77-R89))

**Secret management and security:**

- The configuration profile now references Fleet secrets (`$FLEET_SECRET_OKTA_SCEP_URL`, `$FLEET_SECRET_OKTA_SCEP_CHALLENGE`, `$FLEET_SECRET_OKTA_CA_THUMBPRINT`) directly, removing the need for manual substitution and reducing the risk of misconfiguration. ([docs/solutions/windows/configuration-profiles/install Okta attestation certificate - [Bundle].xmlL98-R141](diffhunk://#diff-d8fc2c8add5725599bdc41a7b417dc3978cfc34eb6fcb8950db513f2b5799aa5L98-R141))

**Automated certificate enrollment:**

- An `<Exec>` command is added to the XML profile to automatically trigger SCEP enrollment upon deployment, further reducing manual intervention. ([docs/solutions/windows/configuration-profiles/install Okta attestation certificate - [Bundle].xmlL98-R141](diffhunk://#diff-d8fc2c8add5725599bdc41a7b417dc3978cfc34eb6fcb8950db513f2b5799aa5L98-R141))

These changes make the Okta Verify SCEP configuration for Windows much easier to deploy and maintain, with improved automation and clearer instructions.

---------

Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
# Enable Okta Verify on Windows using a SCEP configuration profile

## Introduction

This guide explains how to enable Okta Verify on Windows using a SCEP client certificate delivered by the Windows ClientCertificateInstall CSP. Fleet supports Exec commands in configuration profiles, allowing you to deploy the SCEP configuration and trigger enrollment in a single profile.
## Files

Profile XML: `install Okta attestation certificate - [Bundle].xml`

The profile is ready to use as-is. Fleet will replace the `$FLEET_SECRET_*` variables with your actual values when deploying to each device.
## Prerequisites

### 1. Gather your Okta details

Collect from your Okta tenant:

- SCEP URL: Your Okta SCEP endpoint
- SCEP Challenge: Your static SCEP challenge (plain text, avoid special characters)
- CA Thumbprint: The SHA-256 thumbprint of your Okta CA certificate
### 2. Get your CA thumbprint

Download your Okta CA certificate and extract the SHA-256 thumbprint of its DER encoding. The right command depends on how the file is encoded: `openssl x509` reads PEM (Base64) by default and needs `-inform DER` for a binary `.cer`, while `certutil -hashfile` hashes the file exactly as stored, so it only yields the certificate thumbprint when `ca.cer` is DER-encoded.

macOS/Linux:

```shell
openssl x509 -in ~/Downloads/ca.cer -noout -fingerprint -sha256
```

Windows:

```powershell
certutil -hashfile ca.cer SHA256
```

Output will look like:

```
SHA256 Fingerprint=E2:18:D7:A7:B0:DF:ED:79:B2:05:73:BA:79:CB:14:B1:FE:EA:D2:7B
```

Remove the colons (and any spaces):

```
E218D7A7B0DFED79B20573BA79CB14B1FEEAD27B
```

A SHA-256 thumbprint is 64 hex characters (32 bytes) once the colons are removed; a 40-character value means the tool produced a SHA-1 hash, which Okta will not match.
### 3. SCEP challenge requirements

- Your SCEP challenge should be plain text
- Avoid special characters that can break XML or transport
- Recommended: letters and numbers only
- If your challenge contains any of `! @ # $ % ^ & * ( ) _`, rotate to a simpler value
### Quick checklist

- SCEP URL confirmed
- SCEP challenge validated (plain text, simple characters)
- CA thumbprint ready (no colons, no spaces)
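The checklist above can be run as a preflight script before the values are turned into Fleet secrets. This is an added example, not part of the guide or the Fleet profile; the certificate path, SCEP URL and challenge are placeholders you replace with your own tenant's values.

```powershell
# Added example (not from the guide): preflight check of the three values before
# creating the Fleet secrets. The three values below are placeholders.
$CaCertPath = "$HOME\Downloads\ca.cer"          # your downloaded Okta CA certificate
$ScepUrl    = "https://example.okta.com/scep"   # placeholder, use your tenant's SCEP URL
$Challenge  = "ReplaceWithYourChallenge"        # placeholder

# SHA-256 over the certificate's DER bytes. X509Certificate2 loads both DER and
# Base64/PEM .cer files, so the result is the real thumbprint either way
# (unlike 'certutil -hashfile', which hashes the file bytes as stored on disk).
$cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaCertPath)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$thumbprint = ([System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData))) -replace '-', ''
$sha256.Dispose()

# Apply the guide's rules: https URL, alphanumeric challenge (no underscore or
# symbols), thumbprint as 64 upper-case hex characters with no colons or spaces.
$problems = @()
if ($ScepUrl    -notmatch '^https://')        { $problems += "SCEP URL must be an https:// URL" }
if ($Challenge  -notmatch '^[A-Za-z0-9]+$')   { $problems += "Challenge must contain letters and digits only" }
if ($thumbprint -notmatch '^[0-9A-F]{64}$')   { $problems += "Thumbprint must be 64 hex characters, no colons or spaces" }

Write-Host "OKTA_SCEP_URL       = $ScepUrl"
Write-Host "OKTA_SCEP_CHALLENGE = (not shown, length $($Challenge.Length))"
Write-Host "OKTA_CA_THUMBPRINT  = $thumbprint"
Write-Host "CA certificate      = $($cert.Subject), expires $($cert.NotAfter)"
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "All three values pass the checklist; create them as Fleet secrets."
```

The challenge itself is deliberately never echoed, only its length, so the transcript can be pasted into a ticket without leaking the secret.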
## Deployment

### 1. Create Fleet secrets

Follow Fleet's guide: https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles

Create these secrets in Fleet (Controls > Variables) or via GitOps:

| Secret name | Value |
|---|---|
| `OKTA_SCEP_URL` | Your SCEP endpoint URL |
| `OKTA_SCEP_CHALLENGE` | Your challenge (plain text, simple characters) |
| `OKTA_CA_THUMBPRINT` | Your thumbprint (no colons, no spaces) |
### 2. Deploy the profile

- Download the profile XML (link above)
- Navigate to Controls > OS settings > Custom settings in Fleet
- Upload the XML file (no editing required)
- Assign to your team or hosts

Fleet automatically replaces `$FLEET_SECRET_OKTA_SCEP_URL`, `$FLEET_SECRET_OKTA_SCEP_CHALLENGE`, and `$FLEET_SECRET_OKTA_CA_THUMBPRINT` when deploying. The certificate ID is automatically managed by Fleet using `$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID`.
## Verify the certificate

### Check the User cert store

Open PowerShell as the logged-in user (not administrator):

```powershell
Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {$_.Subject -like "*managementAttestation*"}
```

Expected output:

```
Thumbprint                                Subject
----------                                -------
A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8S9T0  CN=<SERIAL> managementAttestation
```
### Check the device management logs

```powershell
Get-WinEvent -LogName Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin -MaxEvents 50
```
### Verify in Okta

- Log in to Okta Admin Console
- Navigate to Reports > System Log
- Filter for device attestation events
- Confirm the device appears as managed
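The store check, the store-location pitfall from the troubleshooting section, and the 30-day renewal window can be checked together in one script run as the logged-in user. This is an added example, not part of the guide; `$ExpectedCaThumbprint` is a placeholder for your `OKTA_CA_THUMBPRINT` value, and the chain check assumes the Okta CA is resolvable from the Windows trust stores.

```powershell
# Added example (not from the guide): run as the logged-in user after the profile
# has been delivered. $ExpectedCaThumbprint is a placeholder for OKTA_CA_THUMBPRINT.
$ExpectedCaThumbprint = "REPLACE_WITH_64_HEX_THUMBPRINT"
$RenewalWindowDays = 30

# The .Thumbprint property on a certificate object is SHA-1, so compute SHA-256
# ourselves to compare against the value stored in Fleet.
function Get-Sha256Thumbprint([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    $h = [System.Security.Cryptography.SHA256]::Create()
    try { ([System.BitConverter]::ToString($h.ComputeHash($c.RawData))) -replace '-', '' }
    finally { $h.Dispose() }
}

# Okta only treats the device as managed when the cert is in the User store.
$userCerts    = Get-ChildItem Cert:\CurrentUser\My  | Where-Object { $_.Subject -like '*managementAttestation*' }
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*managementAttestation*' }
if ($machineCerts) { Write-Warning "Found $($machineCerts.Count) attestation cert(s) in LocalMachine\My; the profile must use ./User/ paths." }
if (-not $userCerts) { Write-Warning "No managementAttestation certificate in CurrentUser\My. Review the Device Management log."; exit 1 }

foreach ($cert in $userCerts) {
    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    Write-Host "Subject : $($cert.Subject)"
    Write-Host "Expires : $($cert.NotAfter) ($daysLeft days left)"
    if ($daysLeft -lt $RenewalWindowDays) { Write-Warning "Expires within $RenewalWindowDays days; redeploy the profile to renew." }

    # Build the chain without a revocation lookup and confirm the Okta CA is in it.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($cert)
    $chainThumbprints = $chain.ChainElements | ForEach-Object { Get-Sha256Thumbprint $_.Certificate }
    if ($chainThumbprints -contains $ExpectedCaThumbprint.ToUpper()) { Write-Host "Issuer  : chains to the expected Okta CA" }
    else { Write-Warning "Issuer chain does not contain OKTA_CA_THUMBPRINT; check the secret value or the CA trust store." }
    $chain.Dispose()
}
```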
## Troubleshooting

### Exec returns 404

- Check that all three Fleet secrets exist (`OKTA_SCEP_URL`, `OKTA_SCEP_CHALLENGE`, `OKTA_CA_THUMBPRINT`)
- Verify the profile was uploaded correctly
- Review Device Management logs for details
### Enrollment fails immediately

Check:

- `ServerURL` is correct
- `CAThumbprint` format (no colons or spaces)
- Device can reach the SCEP URL (network/firewall)
### Challenge rejected

- Try a simpler plain text challenge (alphanumeric only)
- Avoid special characters, especially underscores
- If your challenge contains any of `! @ # $ % ^ & * ( ) _`, rotate to a simpler value in Okta
### Nothing in Cert:\LocalMachine\My

Note: Okta requires certificates in the User store (`Cert:\CurrentUser\My`), not the Device store.

Review Device Management logs:

```powershell
Get-WinEvent -LogName Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin -MaxEvents 50
```
## Plan and automate renewal

### Monitor expiration

Use a Fleet policy to identify devices with certificates expiring within 30 days. Fleet marks a policy as passing when its query returns a row, and `not_valid_after` in osquery's `certificates` table is a Unix timestamp, so the query returns a row only when no attestation certificate is inside the renewal window:

```sql
SELECT 1
WHERE NOT EXISTS (
  SELECT 1
  FROM certificates
  WHERE common_name LIKE '%managementAttestation%'
    AND julianday(not_valid_after, 'unixepoch') - julianday('now') < 30
);
```

This policy will:

- Fail: When a certificate exists and expires within 30 days (needs renewal)
- Pass: When no certificate exists yet, or the certificate is valid for more than 30 days
### Automated workflow

To renew certificates, you can:

- Manual redeployment: Redeploy the same configuration profile to trigger renewal
## Important notes

- Fleet secrets: Fleet does not hide secrets in profile results. Make sure all three secrets are created before deploying (`OKTA_SCEP_URL`, `OKTA_SCEP_CHALLENGE`, `OKTA_CA_THUMBPRINT`).
- User vs Device store: Okta requires certificates in the User store. The profile uses `./User/` paths. If you use `./Device/`, the device will not be marked as managed in Okta.
- Certificate ID: Fleet automatically manages the certificate node name using `$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID`; no manual configuration is needed.