docs(fleet): document Windows enrollment via WS1 NDES bridge#517
Merged
Conversation
Fleet's native Smallstep CA type doesn't yet support Windows (fleetdm/fleet#28488), so Windows SCEP enrollment has to go through Fleet's Dynamic SCEP (Okta/NDES) CA type pointed at Smallstep's NDES-emulating endpoints. Those endpoints are exposed by the Smallstep Workspace ONE connector, which can be created with placeholder OAuth credentials when the customer doesn't operate a real WS1 tenant. Remove the previously documented Windows SyncML profile that used the SMALLSTEP_* Fleet variables (those aren't wired up for Windows) and replace it with a dedicated "Windows: bridge via the Workspace ONE connector" section covering: WS1 connector creation with placeholders, Fleet NDES CA setup, SyncML SCEP and Root CA profiles using NDES_SCEP_PROXY_URL and NDES_SCEP_CHALLENGE, GitOps stanza, and a Windows verification recipe. Also flag the Fleet 1-hour challenge TTL expectation as a setup item to confirm. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…stry script Restructure each OS into a self-contained section with its own confirmation step. Linux is intentionally short (no MDM CA in Fleet, agent-only). Windows changes: - Merge the separate Root CA and SCEP SyncML profiles into one smallstep-windows.xml, ordered Root CA -> SCEP nodes -> Exec Enroll, so the chain is in place before enrollment runs. Fleet processes top-level items in document order within a single profile. - Call out the Fleet console upload path (Controls -> OS settings -> Configuration profiles). - Add a step that uses Fleet Scripts to write TeamSlug, CAFingerprint, and Certificate to HKLM:\\Software\\Policies\\Smallstep so the Windows agent can bootstrap from the SCEP-issued certificate. - Add a deploy-the-agent step and a Windows-specific confirmation. Promote the GitOps section to a top-level section after Windows and merge the Windows GitOps notes in. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
darkfronza
approved these changes
May 26, 2026
darkfronza
left a comment
darkfronza
left a comment
There was a problem hiding this comment.
Looks much better, we still need to figure the missing bits for registry and bootstrap cert for Fleet.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Rewrite of
tutorials/connect-fleet-dm-to-smallstep.mdxto make each OS a self-contained section and to fix Windows so it actually enrolls end-to-end.Per-OS structure. Each platform now has its own numbered steps ending in a confirmation step:
.mobileconfigSCEP profile, macOS agent deploy.agent.yamland starts the service. TPM attestation handles registration.fleetctl— promoted to a top-level section after the OS flows, with the previously-separate Windows GitOps notes merged in.Windows: single ordered SyncML profile. Fleet doesn't let you order separately-uploaded SyncML profiles, but within one profile it processes top-level commands in document order (confirmed via Fleet's own Okta Verify bundle). The two previous files (
smallstep-windows-root-ca.xml+smallstep-windows-scep.xml) are merged into onesmallstep-windows.xmlordered as: Root CA<Replace>→ SCEP CSP<Replace>items →<Exec>Enroll last. This guarantees the trust chain is in place before the SCEP install runs.Windows: agent bootstrap via Fleet Scripts. Fleet has no native registry-management UI, so a new step uses Controls → Scripts to run a PowerShell script that writes
TeamSlug,CAFingerprint, andCertificatetoHKLM:\Software\Policies\Smallstep. TheCertificateselector matches the SCEP-issued bootstrap cert by issuer +cn=$env:COMPUTERNAME. Mirrors the Workspace ONE pattern. Pairs with a Fleet policy automation for self-healing.Clearer upload locations. Both Apple and Windows steps explicitly call out Controls → OS settings → Configuration profiles for SyncML / .mobileconfig upload.
Windows: SHA-1
CAThumbprint. Documents the SHA-1 / SHA-256 selector in the Smallstep WS1 connector UI and uses SHA-1 for WindowsCAThumbprintas required by the SCEP CSP.Test plan
CAThumbprintpath installs cleanlyHKLM:\Software\Policies\Smallstepand registers with the team via the SCEP-issued bootstrap certpnpm devfrom the smallstep.com repo🤖 Generated with Claude Code