Configure Device-Bound SSO for Windows

Early Access release. See Enable self-service features.

The Device-Bound Single Sign-On feature protects users against session hijacking and provides a streamlined sign-in experience. Users can access Okta-protected apps with fewer authentication prompts.

Before you begin

  • Configure Desktop MFA for your org. See Desktop MFA for Windows.
  • Devices are running Windows 10 (version 1709 or later) or Windows 11 and have Trusted Platform Module (TPM) hardware.
  • Devices are joined to Active Directory or Microsoft Entra ID.
  • Devices have Okta Verify for Windows 6.6.0 or later installed and running.
  • Using the Simple Certificate Enrollment Protocol (SCEP), install a Device Access certificate on the device. See Device Access certificates.
  • Users are enrolled in Okta FastPass.

Deploy Device-Bound SSO to user devices

Use your MDM (for example Microsoft Intune or Workspace ONE) to create and deploy the following registry keys:

Path | Name | Type | Value | Description
--- | --- | --- | --- | ---
HKLM\SOFTWARE\Policies\Okta\Okta Device Access | OktaJoinEnabled | REG_DWORD | 1 | Designates the device as Okta-joined.
HKLM\SOFTWARE\Okta\Okta Device Access | UseDirectAuth | REG_DWORD | 1 | Enables direct authentication so the device can authenticate directly with Okta during the Windows sign-in flow. This is required for Device-Bound SSO on Windows.
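As an added example that is not part of the Okta documentation, the following PowerShell check reports whether a device meets the prerequisites listed above and has both registry keys present with the expected values after the MDM deployment. It assumes an elevated session, and the Okta Verify DisplayName match in the Uninstall keys is an assumption to adjust for your installer.

```powershell
# Added example (not Okta's code): verify Device-Bound SSO prerequisites on one device.
# Run from an elevated PowerShell session.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Okta\Okta Device Access'
$AppPath    = 'HKLM:\SOFTWARE\Okta\Okta Device Access'

function Test-DwordValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$Name -eq $Expected)
}

function Get-OktaVerifyVersion {
    # Look the product up in the per-machine Uninstall keys (64-bit and 32-bit views).
    # Assumption: the installer registers a DisplayName starting with 'Okta Verify'.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty $roots -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'Okta Verify*' } | Select-Object -First 1
    if ($entry -and $entry.DisplayVersion) { return [version]$entry.DisplayVersion }
    return $null
}

function Test-DeviceBoundSsoPrereqs {
    # Windows 10 version 1709 is build 16299; every later Windows 10 and Windows 11 build qualifies.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $tpm   = Get-Tpm -ErrorAction SilentlyContinue
    # dsregcmd prints one 'Name : YES|NO' line per join type.
    $dsreg = & dsregcmd /status 2>$null
    $ver   = Get-OktaVerifyVersion
    [pscustomobject]@{
        OsBuildOk           = $build -ge 16299
        TpmReady            = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        DomainOrEntraJoined = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES') -or
                              [bool]($dsreg -match 'DomainJoined\s*:\s*YES')
        OktaVerifyOk        = ($null -ne $ver) -and ($ver -ge [version]'6.6.0')
        OktaJoinEnabled     = Test-DwordValue $PolicyPath 'OktaJoinEnabled' 1
        UseDirectAuth       = Test-DwordValue $AppPath 'UseDirectAuth' 1
    }
}

$result = Test-DeviceBoundSsoPrereqs
$result | Format-List
if ($result.PSObject.Properties.Value -contains $false) {
    Write-Warning 'One or more Device-Bound SSO prerequisites are not met on this device.'
}
```

Any property reported as False points at the prerequisite or registry key to fix before expecting Device-Bound SSO to work on that device.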

Configure authentication policy rules

You don't have to create authentication policies for Device-Bound SSO. However, if you add or edit your existing rules to include Device-Bound SSO, you can control how Okta-joined devices interact with your apps.

You can, for example, grant a longer duration between authentication requests on Okta-joined devices because these cryptographically bound devices have a greater guarantee of session security.

To enforce Device-Bound SSO in your app sign-on policies, follow this procedure.

  1. In the Admin Console, go to Security > Authentication Policies.

  2. Open the App sign-in policies.

  3. If you have an existing policy for the apps you want to enable with Device-Bound SSO, click Edit in the Actions menu for that policy. Otherwise, click Create policy.

  4. Create a rule for devices that are Okta-joined. Under this rule, Okta permits the use of the device session for resource authentication:

    1. Click Add rule.

    2. Give the rule an appropriate name, for example, Devices that are Okta-joined.

    3. Set Device State to Registered.

    4. In the custom expression field, enter the following Okta Expression Language statement: device.provider.deviceAccess.joined == true

      This captures all devices that are Okta-joined and eligible for Device-Bound SSO.

    5. Set the Prompt for authentication to either:

      • When it's been over a specified length of time since the user accessed any resource protected by the active Okta global session. Select this option to allow users to access the apps silently during the specified time period.

      • When an Okta global session doesn't exist. Select this option to allow users to access the apps silently for the entire device session.

Check the device state

During Okta FastPass enrollment, the device is registered as a unique object in the Okta Universal Directory.

  1. In the Admin Console, go to Directory > Devices.

  2. Check the status of the device.

    • If you suspend or deactivate a device, users can't authenticate with Device-Bound SSO. However, after you reactivate the device (using Activate or Unsuspend), Device-Bound SSO can be used again.

    • If you delete a deactivated device, you have to redeploy the Device Access certificates. Users must enroll in Okta FastPass before they can authenticate with Device-Bound SSO again.

  3. Verify that the device status shows as Active.