MFA for Windows Credential Provider

Users can use the Okta Credential Provider for Windows to prompt users for MFA when signing in to supported Windows servers with an RDP client.

Additionally, with version 1.2+ of the agent (EA), end users can reset their Active Directory passwords without contacting their administrators. This is done with a “Reset Okta Password” link on the sign-on screen.


Before you begin

Requirements for installing the Okta Credential Provider for Windows:

  • Proxy Configuration: The Okta Credential Provider for Windows does not support a discrete proxy configuration but will obey system level proxy configurations. To understand management of proxies on Windows machines, refer to
  • The Windows machine used for installation must have an active internet connection with port 443 open.
  • The installing account must have administrative rights to install the Okta Windows Credential Provider Agent, Visual C++ Redistributable and .NET 4.0+.
  • Inline enrollment is not supported.
    End users must have enrolled their MFA tokens previously, by choosing an MFA option for their account when signing in to Okta the first time or after a reset. End users cannot enroll a token during an RDP sign in. End users with unenrolled tokens receive an authentication failed response from Okta when attempting to sign into an RDP server.
Important Note


TLS 1.2 is required. For information on enabling TLS 1.2 in .NET and in Microsoft Internet Explorer browsers, see Okta ends browser support for TLS 1.1.

Supported OS

The Okta Credential Provider for Windows agent can be installed on the following:

  • Windows Server 2019 - v1.3.0 and later.
  • Windows Server 2016
  • Windows Server 2012
  • Windows Server 2012 R2

Supported factors

The following MFA Factors are supported:

Typical workflow



Download the agent
  • Download the Okta Credential Provider for Windows Agent from the Settings > Downloads page your in Okta org. The agent is found in the MFA Plugins and Agents section. Ensure the agent is downloaded to the machine where the agent will be installed.
Configure Okta org
  • Before installing the Okta credential provider for Windows, your org must have configured: Require MFA factors, an appropriate group, and have added the Microsoft RDP (MFA) app.
Install the agent
  • Okta Credential Provider for Windows supports standard and silent install. Install the agent as described.
Assign users
  • All users who login to any machine that has the Credential Provider installed will need to be assigned to the Microsoft RDP (MFA) app
Test and verify
  • Complete the installation by verifying the end-user sign in process.
  • If required, troubleshoot the agent.