Okta Verify configurations for Windows devices

You can use configuration options to modify Okta Verify functionality.

Configuration values are provided as installation options when you start the Okta Verify installer by running a command:

OktaVerifySetup-x.x.x.x-yyyyyyy.exe <option1Name>=<option1Value> <option2Name>=<option2Value>...

Example:

OktaVerifySetup-4.8.1.0-8f4caf3.exe OrgUrl=https://www.atko.com BluetoothEnrollmentBootstrapping=Disabled

You can also use your mobile device management (MDM) solution to deploy configurations to domains.

Use the following options and values to configure Okta Verify:

AuthenticatorOperationMode

Configure the authenticator’s operation mode. For details, see Configure Okta Verify for physical or virtual Windows environments.

This option is available in Okta Verify 4.9.0 and later versions.

To change the authenticator operation mode after deployment, uninstall Okta Verify and reinstall it with other configuration options.

Values (strings):

Normal: Default

VirtualDesktopStatic : Use this value to configure the authenticator to run in a virtual desktop environment where the user's session is always hosted by the same hardware.

VirtualDesktopLayered : Use this value to configure the authenticator to run in a virtual desktop environment where the user’s session isn't always hosted by the same hardware.

AutoUpdateDeferredByDays

Defer automatic updates by one to thirteen days past the staggered release end date. There's no value set by default.

Value: Integer from 1 through 13

BluetoothEnrollmentBootstrapping

By default (when no value is set), all users can transfer their Okta Verify accounts to another device by using Bluetooth.

This option is available in Okta Verify 4.2.3 and later versions.

Values (strings):

Disabled: This option deactivates the feature.

Enabled: This option enables the feature if you previously disabled it.

DeviceHealthOptions

Hide the Device Health page, or hide specific health checks in Okta Verify on end-user devices. You can select multiple values. Separate the values by using a semicolon. For example, HideOSUpdate;HideDiskEncryption hides the OS update and disk encryption checks. All other device checks are shown.

If the value contains Disabled, the Device Health page isn't displayed in Okta Verify.

By default (when no value is set), all device health checks are displayed in Okta Verify on end-user devices.

Values (strings):

Disabled: Hides the device health page and badge.

HideOSUpdate: Hides the OS version check.

HideDiskEncryption: Hides the disk encryption check.

HideBiometrics: Hides the biometrics check.

EnableZTAPlugin

Configure whether the CrowdStrike endpoint detection and response (EDR) manifest file is deployed to devices during Okta Verify installation. See Manage endpoint security integration plugins for Windows.

Values (boolean):

TRUE: The manifest file is deployed to devices during Okta Verify installation.

FALSE: Default. The manifest file isn't deployed to devices during Okta Verify installation.

EnrollInBetaProgram

Configure whether users can enroll in the Okta Verify beta program on their Windows devices.

By default (when no value is set), users aren't enrolled in the beta program. To enroll, users open Okta Verify and select Join our beta program on the Settings page.

Values (boolean):

TRUE: Users are enrolled in the beta program.

FALSE: Users aren't enrolled in the beta program and can't enroll by selecting Join our beta program on the Okta Verify Settings page.

EnrollmentOptions

Configure whether end users are prompted to enroll in Okta Verify during authentication. You can use this option to reduce the number of enrollment prompts shown to a user or to control the rollout of Okta Verify and Okta FastPass in your org.

Values (strings):

SilentEnrollmentDisabled: Default. Users are prompted to enroll an account during authentication only when they click Sign in with Okta Verify.

Enabled: Users are prompted to enroll an account during any Okta FastPass authentication, including flows that don't require user interaction.

Disabled: Users are never prompted to enroll in Okta Verify during authentication. To enroll, users must open the app and click Add an account.

LogLevel

Configure the log level for the event viewer.

Values (strings):

None

Critical

Error

Warning: Default

Info

Debug

OrgUrl

When you configure this option, the org URL is included on the user's enrollment page and automatically deploys updates to Okta Verify when available. See Deploy Okta Verify to Windows devices.

There's no value set by default.

Value (string): <fully-qualified_domain_name> or <org_sign-in_URL>

ProxyPacFileLocation

Configure the PAC file path for the proxy server. When you set the PAC file location, the AutoUpdate service is updated (C:\Program Files\Okta\UpdateService\Okta.Coordinator.Service.exe.config).

There's no value set by default.

Value (string): <PAC_file_path>

Proxy settings can be configured at installation time using a ProxyURL or ProxyPacLocation argument, depending on the customer's proxy setting. For example, OktaVerifySetup-X.X.X.X-YYYYYYY.exe ProxyPacLocation=<pac-file-location>.

A configuration is created:

Copy
<appSettings>
<system.net>
<defaultProxy>
<proxy scriptLocation="PacFileLocation>"/>
</defaultProxy>
</system.net>

ProxyPassword

Configure the password for the authentication proxy server.

If you use spaces, enclose the password with double quotes (""). The password is encrypted before it’s stored in the service configuration file. The password is decrypted by the value set in the ProxyPasswordEntropy option.

If you use this option, the ProxyURL and ProxyUsername options are also required.

There's no value set by default.

Value (string): <password>

For example, GhKan2a_ya12

ProxyURL

Configure the URL and port for the proxy server that are used to access the AutoUpdate Service (C:\Program Files\Okta\UpdateService\Okta.Coordinator.Service.exe.config).

If you use this option, the ProxyUsername and ProxyPassword options are also required.

There's no value set by default.

Value (string): <URL>:<Port>

For example, https://example.com:2035

During installation: OktaVerifySetup-X.X.X.X-YYYYYYY.exe ProxyURL=https://proxy.sample.com:3888

A configuration is created:

Copy
<appSettings>
<system.net>
<defaultProxy>
<proxy proxyaddress="<url>:<port>"/>
</defaultProxy>
</system.net>

ProxyUserName

Configure the username for the authentication proxy server.

If you use this option, the ProxyURL and ProxyPassword options are also required.

There's no value set by default.

Value (string): <username>

For example, proxyUsername

The Okta.Coordinator.Service.exe.config file is updated:

Copy
<appSettings>
<!--Possible values None, Critical, Error, Warning, Info, Debug -->

<add key="LogLevel" value="Info" />
<add key="ProxyUrl" value="https://test.com:6545" />
<add key="ProxyUsername" value="TestUserName" />
<add key="ProxyPassword" value="AQAAANCMnd8BFdERjHoAwE/Cl+sB
AAAAiDxe77U1Gk21ZcuZJjmUmAQAAAACAAAAAAAQZgAAAAEAACAAAADo1
s0yrCoIJ15t/iYstL2KDeemboTZ8+RaAac4447v6QAAAAAOgAAAAAIAAC
AAAAAAYMeKTNHpXHKSZIvCahkJJxcvIizIaIKpLm0gARhfNyAAAAC09
RRn7psZmzbuTO+e4HSRjOKeRr3o5KyLGPgV2Jb8+UAAAADtR/AHye/4L
vhhLOf0MGY5IlYaMse87Li7GojQCEOMqdlFpUA3OLL9i/uQLMAx3enyn/gk
8a0euEl3l4MmE4zb"/>
<add key="ProxyPasswordEntropy" value="83928a31-c7c1-449e-8b68-b59a4063f877" />
</appSettings>

ReportDiagnostics

Configure whether crash reports are sent to your diagnostics reporting tool (for example, AppCenter).

Value (boolean):

TRUE: Default. Crash reports are sent.

FALSE: Crash reports aren't sent.

UserVerificationType

Configure the type of user verification for the authenticator. For details, see Configure the user verification type for Okta Verify for Windows.

This option is available in Okta Verify 4.9.0 and later versions.

To change the user verification type after deployment, uninstall Okta Verify and reinstall it with other configuration options.

The default value depends on the AuthenticatorOperationMode value. If it's VirtualDesktopStatic or VirtualDesktopLayered, the default value is OktaVerifyPasscode. Otherwise, the default value is WindowsHello.

Before you use this option, ensure that you enabled the Okta Verify user verification with passcode Early Access feature. See Configure Okta Verify options

Values (strings):

WindowsHello: During authentication, users are prompted to confirm their identity with Windows Hello.

OktaVerifyPasscode: During enrollment, users are prompted to create a passcode in Okta Verify. During authentication, users confirm their identity with this passcode.

Related topics

Deploy Okta Verify to Windows devices

Configure Okta Verify for physical or virtual Windows environments

Configure the user verification type for Okta Verify for Windows