Configure Desktop MFA policies

Early Access release. See Manage Early Access and Beta features.

Policies that define how Desktop MFA works are configured on the Windows endpoint registry keys.

Create a PowerShell script and use your MDM solution to deploy the registry keys to your endpoints. For details see Use PowerShell scripts on Windows 10/11 devices in Intune in the Microsoft documentation.

The registry key is stored at HKLM\Software\Policies\Okta\Okta Device Access.

Value name Description Values Default value
MfaRequiredList List of users or Active Directory groups that must authenticate with MFA in addition to a password. Users who aren't in this list (including local users) don't have to authenticate with MFA. If the list is empty, users don't have to use MFA to sign in to Windows.

The username format to specify individual users is For groups, specify only the group name.

Users must sign in to Windows at least one time when the computer is online and connected to the organization's network (directly or by VPN). This enables users' Active Directory group membership to be resolved.

REG_MULTI_SZ * MFA applies to all users
MaxLoginsWithoutEnrolledFactors Defines how many times users can sign in to Windows without an MFA method. This policy allows new users to postpone setting up MFA methods for the set number of times.

If a user exceeds the sign-in attempts limit, access is denied.

MaxLoginsWithOfflineFactor Defines how many times users can sign in to Windows with offline MFA methods (without internet access). This policy also applies when computers are online and the user authenticates with offline MFA methods.

If a user exceeds the sign-in attempts limit, access is denied. The user is prompted to connect to the internet to authenticate with an online sign-in method instead.

MFAGracePeriodInMinutes Defines the length of a grace period (in minutes) that a user has without needing to use MFA after locking the computer. If MFAGracePeriodInMinutes is set to 0, the user is prompted to verify their identity using MFA at every log in.

The grace period is only applicable when locking the computer. Switching user accounts or restarting the computer prompts the user to verify their identity using MFA.


AdminContactInfo Configurable string to allow end users to contact admins if they're locked out of their computer. This string has no default value.

Example: Contact your Help Desk at or call 1-800-xxx-xxxx.

REG_SZ Empty
ExcludePasswordCredProvider The standard Windows password credential provider is disabled by default. To show the Windows credential provider, set this value to 0. The Windows password credential provider is restored for end users. REG_DWORD Empty
CredProvidersToExclude Any custom credential provider can be filtered out by specifying the provider GUID, for example, {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}. The credential provider is hidden from end users when filtered out by this key.

Note that the OktaDesktop MFA credential provider can't be hidden with this key.


Running the Okta Verify installer a second time with command-line parameters doesn't change the registry key parameters. To change Okta Verify parameters, use PowerShell to update key values.

Related topics

Troubleshoot Desktop MFA for Windows