Integrate Okta with Windows Autopilot

This topic explains how to integrate Okta with Windows Autopilot.

Before you begin

Best security practices

Using Windows Autopilot with Okta may allow a device to bypass Okta Device Trust. We recommend the following best practices to minimize this possibility:

  1. Enable Windows Autopilot sign-on policy only for new users. You can create a separate group for new users and apply the policy to this group only.
  2. Once the new users have set up their device with Okta Device Trust, remove them from this group.

Start this procedure

This procedure involves the following tasks:

  1. Add Okta MFA to Windows Autopilot

  2. Optional: Set up Windows Autopilot to work along Okta Device Trust or Okta FastPass

Add Okta MFA to Windows Autopilot

In the Okta Admin Console > Office 365 app > Sign On tab, add an Autopilot sign-on policy rule.

  1. Go to Sign On Policy > Add Rule. The App Sign On Rule window opens.
  2. In the App Sign On Rule window, name the rule. For example, "Check for Windows Autopilot."
  3. Set the appropriate IF conditions for users and devices.
  4. For the Client condition, select One of the following clients from the dropdown and then select Windows Autopilot in the field below the dropdown.

  5. For the Then conditions, select Access is Allowed after successful authentication.
  6. For user authentication requirements, select any of the 2 factor types options from the dropdown.
  7. Set the appropriate factor conditions and re-authentication frequency.
  8. Save the rule.
  9. Back in the Sign-on Policy section, adjust the priority level for this Autopilot sign-on policy rule depending on when you want it to be executed.

You’ve now added Okta MFA to Windows Autopilot.

Optional: Set up Windows Autopilot to work along Okta Device Trust or Okta FastPass

If you are not using Okta Device Trust or Okta FastPass

You need not take any action in Okta if your org doesn't use Okta Device Trust. Windows Autopilot works out of the box with Okta as an Identity Provider. You only need to:

  • Set up Windows Autopilot in your Microsoft environment, and
  • Configure a sign-on rule for the Office 365 app in Okta to allow web browser clients on the Windows platform.

If you are using Okta Device Trust or Okta FastPass

If you are using Okta Device Trust or Okta FastPass, you need to create a new sign-on rule in the Office 365 app to check for Windows Autopilot with device state Any. See Task 1 of this procedure.

The Autopilot rule allows end users to securely enroll their Not Trusted devices. It checks if Windows Autopilot is available for device enrollment. If it is available, the sign-on policy uses Windows Autopilot to enroll the device and doesn't use Okta Device Trust or Okta FastPass. If Windows Autopilot is not available for the device, it applies the Okta Device Trust or Okta FastPass sign-on policy.

Related topics