Okta MFA Credential Provider for Windows

Okta MFA Credential Provider for Windows enables strong authentication using multifactor authentication (MFA) with Remote Desktop Protocol (RDP) clients.

You can prompt users for MFA when they use an RDP client to sign in to domain-joined Windows computers and servers.

Users can't enroll in a factor when they sign in using RDP. Advise them to enroll in factors before they use RDP to sign in to a Windows server.

The Sign-In Widget (third generation) doesn't support multifactor authentication for third-party agents.

Before you begin

These are the requirements for installing Okta MFA Credential Provider for Windows:

  • The Okta MFA Credential Provider for Windows doesn't support a discrete proxy configuration. It obeys proxy configurations at the system level.
  • The Windows machine used for installation must have an active internet connection with port 443 open.
  • Verify that Transport Layer Security (TLS) version 1.2 is installed.
  • Use an account with administrative rights to install Okta MFA Credential Provider Agent for Windows, Visual C++, and the .NET Framework. See Okta MFA Credential Provider for Windows version history to find which version of .NET you should use.
  • Configure all MFA factors that you want to use for authentication.
  • Configure an MFA enrollment policy that includes the required MFA factors.
  • Configure an optional group that contains the users allowed to access the Windows Server using RDP.
  • Configure the Microsoft RDP (MFA) app.

Supported operating systems

You can install the Okta MFA Credential Provider for Windows agent on the following platforms:

  • Windows Server 2025
  • Windows Server 2022 (version 1.3.0 and above of the agent)
  • Windows Server 2019 (version 1.3.0 and above of the agent)
  • Windows Server 2016

The Okta MFA Credential Provider for Windows doesn't support Windows Server Core OS.

Supported factors

See MFA factor configuration for a list of supported factors.

Okta MFA Credential Provider for Windows doesn't support FIDO2 (WebAuthn).

Typical workflow

Task

Description
Download the agent Download the Okta MFA Credential Provider for Windows Agent from the MFA Plugins and Agents section of the SettingsDownloads page in your Okta org. Download the agent to the machine that you want to install it onto.
Configure your Okta org Configure your Okta org before you install the Okta MFA Credential Provider for Windows Agent.
Assign users Assign the Microsoft (MFA) app to all users who sign in to a machine with the Okta MFA Credential Provider for Windows Agent installed.
Install the agent
Okta MFA Credential Provider for Windows supports standard and silent installations.
Test and verify Verify the end-user sign-in process.

Configure a system proxy account

Optional. Configure a proxy server.
Troubleshoot Troubleshoot the agent.