Automatic Okta Verify updates on Windows

After Okta Verify for Windows is installed on a device, the app automatically updates whenever Okta releases a new version. Typically, Okta releases major versions on a monthly basis to provide new features, enhancements, and bug fixes.

Rollout schedule for Okta Verify on Windows

Generally Available (GA) releases of Okta Verify for Windows use a staggered rollout schedule spread over seven calendar days. This staggered rollout provides your organization time to detect and respond to environment-specific issues. It also provides a buffer period to avoid exposing potential software issues simultaneously to many users.

There's no staggered rollout when Okta releases critical updates. All devices running the automatic update service receive these updates simultaneously.

| Rollout schedule | Devices receiving update |
| --- | --- |
| Day 1–3 | 5% |
| Day 4 | 10% |
| Day 5 | 20% |
| Day 6 | 50% |
| Day 7 | 100% |
| Day N (Deferred update) | 100% |

N specifies the number of days after the Day 7 rollout is complete.

See Defer automatic updates.

For example, if a new version is released on January 1, then 5% of Windows devices have the new version by January 3. This increases to 10% on January 4 and then to all devices by January 7.

Early Access (EA) releases

EA releases roll out over a two-week period. End users receive automatic updates of EA releases only if they join the Windows Okta Verify beta program.

A best practice for early testing of new versions is to enroll a small set of devices into the Okta Verify beta program using your device management software. For example, you could configure the IT department devices along with a small group of the broader user base.

To configure enrollment in the beta program for Okta Verify on your org, you must set the EnrollInBetaProgram configuration option. See the EnrollInBetaProgram option in Okta Verify configurations for Windows devices. End users need to opt in to the program using the instructions found in Join the Okta Verify beta.

Security and hot fix releases

When Okta releases security updates and hot fixes, all devices with automatic updates enabled receive the updates immediately.

Defer automatic updates

If you want to test a new release of Okta Verify before you roll it out to a larger group, you can defer the automatic update of user devices.

For example, you may want to consider a deferred rollout for critical devices and users. This allows for extra validation before deployment to these systems.

Deferring updates for many devices to a single day eliminates the benefits of the staggered rollout.

The deferral option became available in Okta Verify for Windows version 3.7.1.

Configuration options

When you set a deferred update for devices, Okta Verify doesn't update during the staggered rollout schedule. Instead, the devices receive the update after a specified number of days once the staggered rollout is complete.

To set the deferral period, use the AutoUpdateDeferredByDays configuration option. See the AutoUpdateDeferredByDays option in Okta Verify configurations for Windows devices. The option isn't enabled by default.

| Deferral integer (N) | Result |
| --- | --- |
| N not set | No deferral of the update. The update uses the normal staggered Okta Verify schedule. |
| N ≤ 0 | If you set AutoUpdateDeferredByDays to 0 or any negative value, the update treats it as 0. No deferral of the update. The update uses the normal staggered Okta Verify schedule. |
| 1 ≤ N ≤ 13 | Defers the update by the specified number of days. |
| N ≥ 13 | If you set AutoUpdateDeferredByDays to any value greater than 13, the update treats it as 13. The update is deferred by 13 days. |

Deployment of deferral configurations

  • New installations of Okta Verify

    Deploy Okta Verify with the AutoUpdateDeferredByDays option set to an integer value from 1 through 13. The integer specifies the number of days to defer the automatic update.

  • Devices with Okta Verify already installed

    Manually update the local machine's registry keys. This change requires a restart of the Okta Verify app to take effect.

  • Okta Verify installed at scale on multiple endpoints

    Use the Microsoft PowerShell Set-ItemProperty cmdlet to update the AutoUpdateDeferredByDays registry value. Replace <deferral days> with the number of days that you want to defer the update:

    Set-ItemProperty -Path "HKLM:\Software\Okta\Okta Verify" -Name "AutoUpdateDeferredByDays" -Value <deferral days> -Force

    Deploy the cmdlet on remote computers using your MDM software. This change requires a restart of the Okta Verify app to take effect.

    For example, the following updates the registry key of an existing Okta Verify for Windows installation to defer the automatic update by 13 days:

    Set-ItemProperty -Path "HKLM:\Software\Okta\Okta Verify" -Name "AutoUpdateDeferredByDays" -Value 13 -Force

Deferral example

The following example shows which devices in an org receive an Okta Verify update released on January 1, based on their deferral value.

| AutoUpdateDeferredByDays value | Result |
| --- | --- |
| Value not set | No deferral of the update. Devices receive the update between January 1 and January 7 using the staggered rollout schedule. |
| 3 | This defers the update to 3 days after the completion of the staggered rollout schedule. All devices in this group receive the automatic update on January 10. |
| 14 | The value exceeds the maximum value and is treated as 13. This defers the update to 13 days after the completion of the staggered rollout schedule. All devices in this group receive the automatic update on January 20. |

Update devices that aren't enrolled

There may be instances where you have Okta Verify installed on Windows devices, but don't expect users to enroll immediately.

To keep the Okta Verify app up to date, specify the OrgUrl option in the managed app configuration that you use to deploy Okta Verify. See OrgUrl in Okta Verify configurations for Windows devices.

Disable automatic updates

Disabling automatic updates requires you to manually deploy new versions or updates to Okta Verify on your Windows systems.

This configuration isn't recommended as clients don't automatically receive security updates.

To turn off automatic updates, you must disable the Okta Verify auto update service.

Open a command prompt as an administrator and run the following commands:

sc config "Okta Auto Update Service" start=disabled
sc stop "Okta Auto Update Service"

This configuration doesn't persist after an Okta Verify update. After an update, the auto update service returns to the default running status.

At any point, you can re-enable the auto update service. Open a command prompt as an administrator and run the following commands:

sc config "Okta Auto Update Service" start=auto
sc start "Okta Auto Update Service"
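
One way to audit these settings on a device, as an added example that is not Okta's own tooling: the PowerShell below reads AutoUpdateDeferredByDays, applies the clamping from the deferral table, and reports whether the auto update service is disabled or stopped. The function names and the 2025 release date are constructed for illustration; the registry path, value name and service name are the ones shown on this page.

```powershell
# Added example: report the Okta Verify auto-update posture of the local device.
# Registry path, value name and service name are taken from this page.
$RegPath = 'HKLM:\Software\Okta\Okta Verify'
$SvcName = 'Okta Auto Update Service'

function Get-EffectiveDeferralDays {
    # Clamping from the deferral table: not set or <= 0 gives 0, above 13 gives 13.
    param($RawValue)
    $n = 0
    # Assumption: a value that does not parse as an integer is treated like "not set".
    if ($null -eq $RawValue -or -not [int]::TryParse("$RawValue", [ref]$n)) { return 0 }
    return [Math]::Min([Math]::Max($n, 0), 13)
}

function Get-OktaVerifyUpdatePosture {
    # ReleaseDate is supplied by the operator; it is not read from the device.
    param([datetime]$ReleaseDate = (Get-Date).Date)

    $raw  = (Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue).AutoUpdateDeferredByDays
    $days = Get-EffectiveDeferralDays $raw
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$SvcName'" -ErrorAction SilentlyContinue

    # Day 7 of the staggered GA rollout is ReleaseDate + 6 days; the deferral counts from there.
    $latest = $ReleaseDate.AddDays(6 + $days)

    $findings = @()
    if (-not $svc) { $findings += 'Auto update service not found' }
    elseif ($svc.StartMode -eq 'Disabled') { $findings += 'Auto update service is disabled: no automatic security updates' }
    elseif ($svc.State -ne 'Running') { $findings += 'Auto update service is not running' }
    if ($null -ne $raw -and "$raw" -ne "$days") { $findings += "Configured value '$raw' is treated as $days" }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        ConfiguredValue   = $raw
        EffectiveDeferral = $days
        GaUpdateExpectedBy = $latest.ToString('yyyy-MM-dd')
        ServiceStartMode  = $svc.StartMode
        ServiceState      = $svc.State
        Findings          = $findings -join '; '
    }
}

# Constructed sample date matching the January 1 example on this page.
Get-OktaVerifyUpdatePosture -ReleaseDate '2025-01-01'
```

With a configured value of 3 and the sample date, GaUpdateExpectedBy is 2025-01-10, matching the deferral example above.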

Related topics

Okta Verify configurations for Windows devices