Okta Verify configurations for Windows devices

You can use configuration options to modify Okta Verify functionality.

When you start the Okta Verify installer, you can pass the configuration values as command-line options:

OktaVerifySetup-x.x.x.x-yyyyyyy.exe <option1Name>=<option1Value> <option2Name>=<option2Value>...

For example, the following command sets the OrgUrl and disables the Bluetooth enrollment bootstrap option:

OktaVerifySetup-4.8.1.0-8f4caf3.exe OrgUrl=https://www.atko.com BluetoothEnrollmentBootstrapping=Disabled

You can also use your mobile device management (MDM) solution to deploy configurations to domains.

Configuration options

Use the following options and values to configure Okta Verify.

AuthenticatorOperationMode

Configure the authenticator's operation mode. See Configure Okta Verify for physical or virtual Windows environments.

Value [String] Description

Normal

Default mode.

VirtualDesktopStatic

Set the authenticator to run in environments where the user is assigned the same virtual machine each time they start a session.

VirtualDesktopLayered

Set the authenticator to run in environments where the user is randomly assigned a virtual machine each time they start a session.

To change the authenticator operation mode after deployment, uninstall Okta Verify and reinstall it with other configuration options.

This option is available in Okta Verify 4.9.0 and later.

AutoUpdateDeferredByDays

If you want to test a new release of Okta Verify before you roll it out to a larger group, you can defer automatic update of user devices.

This option isn't enabled by default.

Value [Integer] Description

0

No deferral of the update action. This is the default.

1 <= N <= 13

Defer the update action by the indicated number of days.

If you set N <= 0, the value is set to 0.

If you set N > 13, the value is set to 13.

AutoUpdatePollingInSecond

This option defines how frequently Okta Verify polls the Okta server for available updates.

The default is one hour. Setting this option to higher values, for example, 14,400 (4 hours) or 86400 (1 day), may miss hotfix updates.

Value [Integer] Description

3600

The polling takes place every 3600 seconds (every hour). This is the default.

BluetoothEnrollmentBootstrapping

By default, no value is set. All users can transfer their Okta Verify accounts to another device using Bluetooth.

Value [String] Description

Disabled

This option deactivates the feature.

Enabled

This option enables the feature if you previously disabled it.

This option is available in Okta Verify 4.2.3 and later.

DeviceHealthOptions

Hide the Device Health page or specific health checks in Okta Verify on end user devices.

By default, no value is set. All device health checks are displayed in Okta Verify on end user devices.

To select multiple values, separate the values using a semicolon. For example, HideOSUpdate;HideDiskEncryption hides the OS update and disk encryption checks. All other device checks are shown.

Value [String] Description

Disabled

Hides the device health page and badge inside Okta Verify.

HideOSUpdate

Hides the OS version check.

HideDiskEncryption

Hides the disk encryption check.

HideBiometrics

Hides the biometrics check.

EnableZTAPlugin

Configure whether the CrowdStrike endpoint detection and response (EDR) manifest file is deployed to devices during Okta Verify installation. See Manage endpoint security integration plugins for Windows.

Value [Boolean]

Description

TRUE

The manifest file is deployed to devices during Okta Verify installation.

FALSE

The manifest file isn't deployed to devices during Okta Verify installation.

This is the default.

EnrollInBetaProgram

Configure whether users can enroll in the Okta Verify beta program on their Windows devices.

By default, no value is set and users aren't enrolled in the beta program. To enroll, users can open Okta Verify and select Join our beta program on the Settings page.

Value [Boolean]

Description

TRUE

Users are enrolled in the beta program.

FALSE

Users aren't enrolled in the beta program and can't enroll by selecting Join our beta program on the Settings page.

EnrollmentOptions

Configure whether end users are prompted to enroll in Okta Verify during authentication.

You can use this option to reduce the number of enrollment prompts shown to a user or to control the roll out of Okta Verify and Okta FastPass in your org.

Value [String]

Description

SilentEnrollmentDisabled

Users are prompted to enroll an account during authentication only when they click Sign in with Okta Verify.

This is the default.

Enabled

Users are prompted to enroll an account during any Okta FastPass authentication, including flows that don't require user interaction.

Disabled

Users are never prompted to enroll in Okta Verify during authentication.

To enroll, users must open the app and click Add an account.

LogLevel

Configure the log level for the event viewer.

Value [String]

Description

None

Critical

Error

Warning

This is the default.

Info

Debug

OrgUrl

When you configure this option, the org URL is included on the user's enrollment page and automatically deploys any available Okta Verify updates. See Deploy Okta Verify to Windows devices.

This option has no default value.

Value [String] Description

<fully-qualified_domain_name>

<org_sign-in_URL>

ProxyPacLocation

Configure the Proxy Auto-Configuration (PAC) file path for the proxy server.

When you set the PAC file location, the installer updates the AutoUpdate service (C:\Program Files\Okta\UpdateService\Okta.Coordinator.Service.exe.config).

This option has no default value.

Value [String] Description

<PAC_file_path>

Proxy settings can be configured at installation time using a ProxyURL or ProxyPacLocation argument, depending on the customer's proxy setting.

This creates a configuration setting:

Copy
<appSettings>
<system.net>
<defaultProxy>
<proxy scriptLocation="ProxyPacLocation>"/>
</defaultProxy>
</system.net>

ProxyPassword

Configure the password for the authentication proxy server. This option also requires the ProxyURL and ProxyUsername options.

This option has no default value.

Value [String] Description

<password>

Password for the proxy server. For example, GhKan2a_ya12.

If you use spaces, enclose the password using double quotes ("").

The password is encrypted before being stored in the service configuration file. The password is decrypted using the value set in the ProxyPasswordEntropy option.

ProxyURL

Configure the URL and port for the proxy server used to access the AutoUpdate Service (C:\Program Files\Okta\UpdateService\Okta.Coordinator.Service.exe.config).

The ProxyUsername and ProxyPassword configuration settings are optional if you specify a ProxyURL.

This option has no default value.

Value [String] Description

<URL>:<Port>

URL and port of the proxy server. For example, https://example.com:2035.

Proxy settings can be configured at installation time using a ProxyURL or ProxyPacLocation argument, depending on the customer's proxy setting. For example, OktaVerifySetup-X.X.X.X-YYYYYYY.exe ProxyURL=https://proxy.sample.com:3888

This creates a configuration setting:

Copy
<appSettings>
<system.net>
<defaultProxy>
<proxy proxyaddress="<url>:<port>"/>
</defaultProxy>
</system.net>

ProxyUserName

Configure the username for the authentication proxy server. This option also requires the ProxyURL and ProxyPassword options.

This option has no default value.

Value [String] Description

<username>

Username for the proxy server. For example, TestUserName.

This updates the Okta.Coordinator.Service.exe.config file:

Copy
<appSettings>
<!--Possible values None, Critical, Error, Warning, Info, Debug -->

<add key="LogLevel" value="Info" />
<add key="ProxyUrl" value="https://test.com:6545" />
<add key="ProxyUsername" value="TestUserName" />
<add key="ProxyPassword" value="AQAAANCMnd8BFdERjHoAwE/Cl+sB
AAAAiDxe77U1Gk21ZcuZJjmUmAQAAAACAAAAAAAQZgAAAAEAACAAAADo1
s0yrCoIJ15t/iYstL2KDeemboTZ8+RaAac4447v6QAAAAAOgAAAAAIAAC
AAAAAAYMeKTNHpXHKSZIvCahkJJxcvIizIaIKpLm0gARhfNyAAAAC09
RRn7psZmzbuTO+e4HSRjOKeRr3o5KyLGPgV2Jb8+UAAAADtR/AHye/4L
vhhLOf0MGY5IlYaMse87Li7GojQCEOMqdlFpUA3OLL9i/uQLMAx3enyn/gk
8a0euEl3l4MmE4zb"/>
<add key="ProxyPasswordEntropy" value="83928a31-c7c1-449e-8b68-b59a4063f877" />
</appSettings>

ReportDiagnostics

Configure whether crash reports are sent to your diagnostics reporting tool.

Value [Boolean] Description

TRUE

Sends crash reports.

This is the default.

FALSE

Crash reports aren't sent.

UserVerificationType

Configure the type of user verification for the authenticator. See Configure the user verification type for Okta Verify for Windows.

The default value depends on the AuthenticatorOperationMode value.

Value [String] Description

WindowsHello

During authentication, users are prompted to confirm their identity with Windows Hello.

If AuthenticatorOperationMode is Normal, then this is the default.

OktaVerifyPasscode

During enrollment, users are prompted to create a passcode in Okta Verify.

During authentication, users confirm their identity with this passcode.

If AuthenticatorOperationMode is VirtualDesktopStatic or VirtualDesktopLayered, then this is the default.

To change the user verification type after deployment, uninstall Okta Verify and reinstall it with other configuration options.

This option is available in Okta Verify 4.9.0 and later.

Related topics

Deploy Okta Verify to Windows devices

Configure Okta Verify for physical or virtual Windows environments

Configure the user verification type for Okta Verify for Windows