Okta Verify configurations for Windows devices
You can use configuration options to modify Okta Verify functionality.
When you start the Okta Verify installer, you can pass the configuration values as command-line options:
OktaVerifySetup-x.x.x.x-yyyyyyy.exe <option1Name>=<option1Value> <option2Name>=<option2Value>...
For example, the following command sets the OrgUrl and disables the Bluetooth enrollment bootstrap option:
OktaVerifySetup-4.8.1.0-8f4caf3.exe OrgUrl=https://www.atko.com BluetoothEnrollmentBootstrapping=Disabled
You can also use your mobile device management (MDM) solution to deploy configurations to domains.
Configuration options
Use the following options and values to configure Okta Verify.
AuthenticatorOperationMode
Configure the authenticator's operation mode. See Configure Okta Verify for physical or virtual Windows environments.
| Value [String] | Description |
|---|---|
|
Normal |
Default mode. |
|
VirtualDesktopStatic |
Set the authenticator to run in environments where the user is assigned the same virtual machine each time they start a session. |
|
VirtualDesktopLayered |
Set the authenticator to run in environments where the user is randomly assigned a virtual machine each time they start a session. |
To change the authenticator operation mode after deployment, uninstall Okta Verify and reinstall it with other configuration options.
This option is available in Okta Verify 4.9.0 and later.
AutoUpdateDeferredByDays
If you want to test a new release of Okta Verify before you roll it out to a larger group, you can defer automatic update of user devices.
This option isn't enabled by default.
| Value [Integer] | Description |
|---|---|
|
0 |
No deferral of the update action. This is the default. |
|
1 <= N <= 13 |
Defer the update action by the indicated number of days. If you set N <= 0, the value is set to 0. If you set N > 13, the value is set to 13. |
AutoUpdatePollingInSecond
This option defines how frequently Okta Verify polls the Okta server for available updates.
The default is one hour. Setting this option to higher values, for example, 14,400 (4 hours) or 86400 (1 day), may miss hotfix updates.
| Value [Integer] | Description |
|---|---|
|
3600 |
The polling takes place every 3600 seconds (every hour). This is the default. |
BluetoothEnrollmentBootstrapping
By default, no value is set. All users can transfer their Okta Verify accounts to another device using Bluetooth.
| Value [String] | Description |
|---|---|
|
Disabled |
This option deactivates the feature. |
|
Enabled |
This option enables the feature if you previously disabled it. |
This option is available in Okta Verify 4.2.3 and later.
DeviceHealthOptions
Hide the Device Health page or specific health checks in Okta Verify on end user devices.
By default, no value is set. All device health checks are displayed in Okta Verify on end user devices.
To select multiple values, separate the values using a semicolon. For example, HideOSUpdate;HideDiskEncryption hides the OS update and disk encryption checks. All other device checks are shown.
| Value [String] | Description |
|---|---|
|
Disabled |
Hides the device health page and badge inside Okta Verify. |
|
HideOSUpdate |
Hides the OS version check. |
|
HideDiskEncryption |
Hides the disk encryption check. |
|
HideBiometrics |
Hides the biometrics check. |
EnableZTAPlugin
Configure whether the CrowdStrike endpoint detection and response (EDR) manifest file is deployed to devices during Okta Verify installation. See Manage endpoint security integration plugins for Windows.
|
Value [Boolean] |
Description |
|---|---|
|
TRUE |
The manifest file is deployed to devices during Okta Verify installation. |
|
FALSE |
The manifest file isn't deployed to devices during Okta Verify installation. This is the default. |
EnrollInBetaProgram
Configure whether users can enroll in the Okta Verify beta program on their Windows devices.
By default, no value is set and users aren't enrolled in the beta program. To enroll, users can open Okta Verify and select Join our beta program on the Settings page.
|
Value [Boolean] |
Description |
|---|---|
|
TRUE |
Users are enrolled in the beta program. |
|
FALSE |
Users aren't enrolled in the beta program and can't enroll by selecting Join our beta program on the Settings page. |
EnrollmentOptions
Configure whether end users are prompted to enroll in Okta Verify during authentication.
You can use this option to reduce the number of enrollment prompts shown to a user or to control the roll out of Okta Verify and Okta FastPass in your org.
|
Value [String] |
Description |
|---|---|
|
SilentEnrollmentDisabled |
Users are prompted to enroll an account during authentication only when they click Sign in with Okta Verify. This is the default. |
|
Enabled |
Users are prompted to enroll an account during any Okta FastPass authentication, including flows that don't require user interaction. |
|
Disabled |
Users are never prompted to enroll in Okta Verify during authentication. To enroll, users must open the app and click Add an account. |
LogLevel
Configure the log level for the event viewer.
|
Value [String] |
Description |
|---|---|
|
None |
|
|
Critical |
|
|
Error |
|
|
Warning |
This is the default. |
|
Info |
|
|
Debug |
|
OrgUrl
When you configure this option, the org URL is included on the user's enrollment page and automatically deploys any available Okta Verify updates. See Deploy Okta Verify to Windows devices.
This option has no default value.
| Value [String] | Description |
|---|---|
|
<fully-qualified_domain_name> |
|
|
<org_sign-in_URL> |
|
ProxyPacLocation
Configure the Proxy Auto-Configuration (PAC) file path for the proxy server.
When you set the PAC file location, the installer updates the AutoUpdate service (C:\Program Files\Okta\UpdateService\Okta.Coordinator.Service.exe.config).
This option has no default value.
| Value [String] | Description |
|---|---|
|
<PAC_file_path> |
|
Proxy settings can be configured at installation time using a ProxyURL or ProxyPacLocation argument, depending on the customer's proxy setting.
This creates a configuration setting:
<appSettings>
<system.net>
<defaultProxy>
<proxy scriptLocation="ProxyPacLocation>"/>
</defaultProxy>
</system.net>ProxyPassword
Configure the password for the authentication proxy server. This option also requires the ProxyURL and ProxyUsername options.
This option has no default value.
| Value [String] | Description |
|---|---|
|
<password> |
Password for the proxy server. For example, GhKan2a_ya12. If you use spaces, enclose the password using double quotes (""). The password is encrypted before being stored in the service configuration file. The password is decrypted using the value set in the ProxyPasswordEntropy option. |
ProxyURL
Configure the URL and port for the proxy server used to access the AutoUpdate Service (C:\Program Files\Okta\UpdateService\Okta.Coordinator.Service.exe.config).
The ProxyUsername and ProxyPassword configuration settings are optional if you specify a ProxyURL.
This option has no default value.
| Value [String] | Description |
|---|---|
|
<URL>:<Port> |
URL and port of the proxy server. For example, https://example.com:2035. |
Proxy settings can be configured at installation time using a ProxyURL or ProxyPacLocation argument, depending on the customer's proxy setting. For example, OktaVerifySetup-X.X.X.X-YYYYYYY.exe ProxyURL=https://proxy.sample.com:3888
This creates a configuration setting:
<appSettings>
<system.net>
<defaultProxy>
<proxy proxyaddress="<url>:<port>"/>
</defaultProxy>
</system.net>ProxyUserName
Configure the username for the authentication proxy server. This option also requires the ProxyURL and ProxyPassword options.
This option has no default value.
| Value [String] | Description |
|---|---|
|
<username> |
Username for the proxy server. For example, TestUserName. |
This updates the Okta.Coordinator.Service.exe.config file:
<appSettings>
<!--Possible values None, Critical, Error, Warning, Info, Debug -->
<add key="LogLevel" value="Info" />
<add key="ProxyUrl" value="https://test.com:6545" />
<add key="ProxyUsername" value="TestUserName" />
<add key="ProxyPassword" value="AQAAANCMnd8BFdERjHoAwE/Cl+sB
AAAAiDxe77U1Gk21ZcuZJjmUmAQAAAACAAAAAAAQZgAAAAEAACAAAADo1
s0yrCoIJ15t/iYstL2KDeemboTZ8+RaAac4447v6QAAAAAOgAAAAAIAAC
AAAAAAYMeKTNHpXHKSZIvCahkJJxcvIizIaIKpLm0gARhfNyAAAAC09
RRn7psZmzbuTO+e4HSRjOKeRr3o5KyLGPgV2Jb8+UAAAADtR/AHye/4L
vhhLOf0MGY5IlYaMse87Li7GojQCEOMqdlFpUA3OLL9i/uQLMAx3enyn/gk
8a0euEl3l4MmE4zb"/>
<add key="ProxyPasswordEntropy" value="83928a31-c7c1-449e-8b68-b59a4063f877" />
</appSettings>ReportDiagnostics
Configure whether crash reports are sent to your diagnostics reporting tool.
| Value [Boolean] | Description |
|---|---|
|
TRUE |
Sends crash reports. This is the default. |
|
FALSE |
Crash reports aren't sent. |
UserVerificationType
Configure the type of user verification for the authenticator. See Configure the user verification type for Okta Verify for Windows.
The default value depends on the AuthenticatorOperationMode value.
| Value [String] | Description |
|---|---|
|
WindowsHello |
During authentication, users are prompted to confirm their identity with Windows Hello. If AuthenticatorOperationMode is Normal, then this is the default. |
|
OktaVerifyPasscode |
During enrollment, users are prompted to create a passcode in Okta Verify. During authentication, users confirm their identity with this passcode. If AuthenticatorOperationMode is VirtualDesktopStatic or VirtualDesktopLayered, then this is the default. |
To change the user verification type after deployment, uninstall Okta Verify and reinstall it with other configuration options.
This option is available in Okta Verify 4.9.0 and later.
Related topics
Deploy Okta Verify to Windows devices
Configure Okta Verify for physical or virtual Windows environments
Configure the user verification type for Okta Verify for Windows