Create and configure the Desktop MFA app for Windows

Add the Desktop MFA app integration to your org and assign it to the relevant users and groups.

Before you begin

Before you create and configure the Desktop MFA app, be aware of the following limitations:

  • Remote Desktop Protocol (RDP) isn't supported.
  • ARM-based devices aren't supported.
  • If you're using security keys from Yubico, offline authentication only supports YubiKey 5 Series.
  • If you use Windows Server, it must be version 2019 or later.
  • Security keys aren't supported for offline authentication with Windows Server.
  • After installation, users may see two instances of Okta Verify in the Installed Programs list.
  • You can't downgrade Okta Verify to an earlier version.

Procedure

  1. Sign in to your Okta org as a super admin.

  2. In the Admin Console, go to Settings > Account.

    Under Embedded widget sign-in support, ensure that the Interaction Code checkbox is selected.

  3. In the Admin Console, go to Applications > Applications.

  4. Click Browse App Catalog and search for Desktop MFA.

  5. Click Add integration.

    If you get an error message saying This feature isn't enabled, contact your account representative.

  6. On the General Settings page, edit the app label or click Done to accept the default value and create the app.

  7. Open the app to finish the configuration:

    1. On the Sign on tab, go to the Settings section and click Edit.

    2. The Application username format is the username used to sign in to the device. Having a designated username format allows Okta Verify to ensure that the user signing in is prompted for the correct factors.

      Click the Application username format dropdown menu and select the format appropriate for your org. The formats available in the dropdown menu depend on the configuration of your org.

      • AD user principal name: Use for Microsoft Entra ID (formerly Azure Active Directory) environments

      • AD employee ID

      • AD SAM account name: Use for Active Directory or hybrid environments

      • AD SAM account name + domain

      • AD user principal name prefix

      • Custom

      • Email

      • Email prefix

      • Okta: Use if the username is the same as what you already use in Okta

      • Okta username prefix

      If your environment is a mix of Microsoft Entra ID and Active Directory joined devices, create a separate instance of the Desktop MFA app to handle the different username formats.

    3. On the Assignments tab, assign the app to the relevant users or security groups.

    4. On the General tab, go to the Client Credentials section to find the Client ID and Client Secret. The identifier and secret are generated when you create the app integration. Record these values, as they're needed as part of the Desktop MFA for Windows deployment using your MDM solution.

  8. Click Save.
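
A check for picking the Application username format in step 7, added here as an example and not part of Okta's documentation or product: it derives the value each dropdown option would produce from a constructed user profile and reports which options match the account name a device actually signs in with. The profile field names and the mapping rule for each format (for instance DOMAIN\sam for "AD SAM account name + domain") are assumptions; "Custom" is left out because it depends on your expression.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OktaUser:
    """Constructed profile; field names are assumptions, not Okta's schema."""
    login: str           # Okta username
    email: str
    ad_upn: str          # AD userPrincipalName
    ad_sam: str          # AD sAMAccountName
    ad_domain: str       # NetBIOS domain name
    ad_employee_id: str


def username_formats(user: OktaUser) -> dict[str, str]:
    """Value each dropdown option would use as the sign-in username (assumed rules)."""
    return {
        "AD user principal name": user.ad_upn,
        "AD user principal name prefix": user.ad_upn.split("@", 1)[0],
        "AD employee ID": user.ad_employee_id,
        "AD SAM account name": user.ad_sam,
        "AD SAM account name + domain": f"{user.ad_domain}\\{user.ad_sam}",  # assumed DOMAIN\sam
        "Email": user.email,
        "Email prefix": user.email.split("@", 1)[0],
        "Okta": user.login,
        "Okta username prefix": user.login.split("@", 1)[0],
    }


def matching_formats(user: OktaUser, windows_username: str) -> list[str]:
    """Options whose value equals the name the device signs in with.
    Windows account names are case-insensitive, so compare case-folded."""
    wanted = windows_username.casefold()
    return sorted(k for k, v in username_formats(user).items() if v.casefold() == wanted)


def shared_formats(sign_ins: list[tuple[OktaUser, str]]) -> list[str]:
    """Options that work for every (user, device sign-in name) pair.
    An empty result means one Desktop MFA app instance can't cover them all."""
    matches = [set(matching_formats(u, name)) for u, name in sign_ins]
    return sorted(set.intersection(*matches)) if matches else []


# Constructed sample: one user, signing in on an Entra ID-joined device (UPN)
# and on an AD-joined device (sAMAccountName).
SAMPLE_USER = OktaUser(login="jane.doe@corp.example", email="jane.doe@corp.example",
                       ad_upn="jane.doe@corp.example", ad_sam="jdoe",
                       ad_domain="CORP", ad_employee_id="10042")

if __name__ == "__main__":
    print(matching_formats(SAMPLE_USER, "Jane.Doe@corp.example"))
    print(matching_formats(SAMPLE_USER, "jdoe"))
    print(shared_formats([(SAMPLE_USER, "Jane.Doe@corp.example"), (SAMPLE_USER, "jdoe")]))
```

With the sample, the Entra-joined sign-in matches only the UPN, Email and Okta options and the AD-joined sign-in matches only AD SAM account name, so no single option serves both and a second app instance is needed, as the procedure notes.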

Desktop MFA authentication policy

When the Desktop MFA app is integrated, a Desktop MFA app sign-in policy is added to your org.

This policy verifies that users who try to sign in with Desktop MFA meet specific conditions, and enforces factor requirements based on those conditions. The Desktop MFA app sign-in policy shouldn't be modified for any reason.

If necessary, you can create a separate app sign-in policy to meet the needs of your org. See App sign-in policies.

Next step

Download Okta Verify for Windows