Okta Verify configurations for Windows devices

You can use configuration options to modify Okta Verify functionality.

Configuration values are provided as installation options when you start the Okta Verify installer by running a command:

OktaVerifySetup-x.x.x.x-yyyyyyy.exe <option1Name>=<option1Value> <option2Name>=<option2Value>...

Example:

OktaVerifySetup-4.8.1.0-8f4caf3.exe OrgUrl=https://www.atko.com BluetoothEnrollmentBootstrapping=Disabled

You can also use your mobile device management (MDM) solution to deploy configurations to domains.

Use the following options and values to configure Okta Verify:

• AuthenticatorOperationMode

• AutoUpdateDeferredByDays

• AutoUpdatePollingInSecond

• BluetoothEnrollmentBootstrapping

• DeviceHealthOptions

• EnableZTAPlugin

• EnrollInBetaProgram

• EnrollmentOptions

• LogLevel

• OrgUrl

• ProxyPacLocation

• ProxyPassword

• ProxyURL

• ProxyUserName

• ReportDiagnostics

• UserVerificationType

AuthenticatorOperationMode

Configure the authenticator's operation mode. For details, see Configure Okta Verify for physical or virtual Windows environments.

This option is available in Okta Verify 4.9.0 and later versions.

To change the authenticator operation mode after deployment, uninstall Okta Verify and reinstall it with other configuration options.

Values (strings):

Normal: Default

VirtualDesktopStatic: Use this value to configure the authenticator to run in an environment where the user is assigned the same virtual machine each time they start a session.

VirtualDesktopLayered: Use this value to configure the authenticator to run in an environment where the user is randomly assigned a virtual machine when they start a session.

AutoUpdateDeferredByDays

If you want to test a new release of Okta Verify before you roll it out to a larger group, you can defer automatic update of user devices. By default, this option isn't enabled.

Values (integer): The default is 0 (no deferred rollout).

Use the default value 0 (no deferred rollout), or change it to a value in this range: 1 <= N <= 13. If you use a value outside of this range, the value is considered 0 when N <= 0, or 13 when N > 13.

AutoUpdatePollingInSecond

This option defines how frequently Okta Verify polls the Okta server to determine if an update is available. Use the default value (1 hour) or change it slightly. For example, set this option to 14,400 (4 hours) or 86400 (1 day). If you use a high value, you might be missing hotfix updates.

Values (integer): The default is 3600 (1 hour).

BluetoothEnrollmentBootstrapping

By default (when no value is set), all users can transfer their Okta Verify accounts to another device by using Bluetooth.

This option is available in Okta Verify 4.2.3 and later versions.

Values (strings):

Disabled: This option deactivates the feature.

Enabled: This option enables the feature if you previously disabled it.

DeviceHealthOptions

Hide the Device Health page, or hide specific health checks in Okta Verify on end-user devices. You can select multiple values. Separate the values by using a semicolon. For example, HideOSUpdate;HideDiskEncryption hides the OS update and disk encryption checks. All other device checks are shown.

If the value contains Disabled, the Device Health page isn't displayed in Okta Verify.

By default (when no value is set), all device health checks are displayed in Okta Verify on end-user devices.

Values (strings):

Disabled: Hides the device health page and badge.

HideOSUpdate: Hides the OS version check.

HideDiskEncryption: Hides the disk encryption check.

HideBiometrics: Hides the biometrics check.

EnableZTAPlugin

Configure whether the CrowdStrike endpoint detection and response (EDR) manifest file is deployed to devices during Okta Verify installation. See Manage endpoint security integration plugins for Windows.

Values (boolean):

TRUE: The manifest file is deployed to devices during Okta Verify installation.

FALSE: Default. The manifest file isn't deployed to devices during Okta Verify installation.

EnrollInBetaProgram

Configure whether users can enroll in the Okta Verify beta program on their Windows devices.

By default (when no value is set), users aren't enrolled in the beta program. To enroll, users open Okta Verify and select Join our beta program on the Settings page.

Values (boolean):

TRUE: Users are enrolled in the beta program.

FALSE: Users aren't enrolled in the beta program and can't enroll by selecting Join our beta program on the Okta Verify Settings page.

EnrollmentOptions

Configure whether end users are prompted to enroll in Okta Verify during authentication. You can use this option to reduce the number of enrollment prompts shown to a user or to control the rollout of Okta Verify and Okta FastPass in your org.

Values (strings):

SilentEnrollmentDisabled: Default. Users are prompted to enroll an account during authentication only when they click Sign in with Okta Verify.

Enabled: Users are prompted to enroll an account during any Okta FastPass authentication, including flows that don't require user interaction.

Disabled: Users are never prompted to enroll in Okta Verify during authentication. To enroll, users must open the app and click Add an account.

LogLevel

Configure the log level for the event viewer.

Values (strings):

None

Critical

Error

Warning: Default

Info

Debug

OrgUrl

When you configure this option, the org URL is included on the user's enrollment page and automatically deploys updates to Okta Verify when available. See Deploy Okta Verify to Windows devices.

There's no value set by default.

Value (string): <fully-qualified_domain_name> or <org_sign-in_URL>

ProxyPacLocation

Configure the PAC file path for the proxy server. When you set the PAC file location, the AutoUpdate service is updated (C:\Program Files\Okta\UpdateService\Okta.Coordinator.Service.exe.config).

There's no value set by default.

Value (string): <PAC_file_path>

Proxy settings can be configured at installation time using a ProxyURL or ProxyPacLocation argument, depending on the customer's proxy setting. For example, OktaVerifySetup-X.X.X.X-YYYYYYY.exe ProxyPacLocation=<pac-file-location>.

A configuration is created:

<appSettings>
<system.net>
<defaultProxy>
<proxy scriptLocation="ProxyPacLocation>"/>
</defaultProxy>
</system.net>

ProxyPassword

Configure the password for the authentication proxy server.

If you use spaces, enclose the password with double quotes (""). The password is encrypted before it's stored in the service configuration file. The password is decrypted by the value set in the ProxyPasswordEntropy option.

If you use this option, the ProxyURL and ProxyUsername options are also required.

There's no value set by default.

Value (string): <password>

For example, GhKan2a_ya12

ProxyURL

Configure the URL and port for the proxy server that are used to access the AutoUpdate Service (C:\Program Files\Okta\UpdateService\Okta.Coordinator.Service.exe.config).

If you use this option, the ProxyUsername and ProxyPassword options are also required.

There's no value set by default.

Value (string): <URL>:<Port>

For example, https://example.com:2035

During installation: OktaVerifySetup-X.X.X.X-YYYYYYY.exe ProxyURL=https://proxy.sample.com:3888

A configuration is created:

<appSettings>
<system.net>
<defaultProxy>
<proxy proxyaddress="<url>:<port>"/>
</defaultProxy>
</system.net>

ProxyUserName

Configure the username for the authentication proxy server.

If you use this option, the ProxyURL and ProxyPassword options are also required.

There's no value set by default.

Value (string): <username>

For example, proxyUsername

The Okta.Coordinator.Service.exe.config file is updated:

<appSettings>
<!--Possible values None, Critical, Error, Warning, Info, Debug -->

<add key="LogLevel" value="Info" />
<add key="ProxyUrl" value="https://test.com:6545" />
<add key="ProxyUsername" value="TestUserName" />
<add key="ProxyPassword" value="AQAAANCMnd8BFdERjHoAwE/Cl+sB
AAAAiDxe77U1Gk21ZcuZJjmUmAQAAAACAAAAAAAQZgAAAAEAACAAAADo1
s0yrCoIJ15t/iYstL2KDeemboTZ8+RaAac4447v6QAAAAAOgAAAAAIAAC
AAAAAAYMeKTNHpXHKSZIvCahkJJxcvIizIaIKpLm0gARhfNyAAAAC09
RRn7psZmzbuTO+e4HSRjOKeRr3o5KyLGPgV2Jb8+UAAAADtR/AHye/4L
vhhLOf0MGY5IlYaMse87Li7GojQCEOMqdlFpUA3OLL9i/uQLMAx3enyn/gk
8a0euEl3l4MmE4zb"/>
<add key="ProxyPasswordEntropy" value="83928a31-c7c1-449e-8b68-b59a4063f877" />
</appSettings>

ReportDiagnostics

Configure whether crash reports are sent to your diagnostics reporting tool (for example, AppCenter).

Value (boolean):

TRUE: Default. Crash reports are sent.

FALSE: Crash reports aren't sent.

UserVerificationType

Configure the type of user verification for the authenticator. For details, see Configure the user verification type for Okta Verify for Windows.

This option is available in Okta Verify 4.9.0 and later versions.

To change the user verification type after deployment, uninstall Okta Verify and reinstall it with other configuration options.

The default value depends on the AuthenticatorOperationMode value. For VirtualDesktopStatic or VirtualDesktopLayered, the default is OktaVerifyPasscode. Otherwise, the default is WindowsHello.

Values (strings):

WindowsHello: During authentication, users are prompted to confirm their identity with Windows Hello.

OktaVerifyPasscode: During enrollment, users are prompted to create a passcode in Okta Verify. During authentication, users confirm their identity with this passcode.

Related topics

Deploy Okta Verify to Windows devices

Configure Okta Verify for physical or virtual Windows environments

Configure the user verification type for Okta Verify for Windows