Configure and deploy Desktop MFA policies for Windows

Configure Desktop MFA behavior by deploying registry keys to your Windows endpoints.

Configure registry keys

You can create PowerShell scripts and use your MDM solution for initial deployment and updates. See Use PowerShell scripts on Windows 10/11 devices in Intune in the Microsoft documentation.

An alternative option is to use Administrative Templates (ADMX) for deployment. See Deploying Desktop MFA for Windows using group policy templates.

Configuration notes

Okta stores all registry keys under: HKLM\Software\Policies\Okta\Okta Device Access, except where noted in the Registry keys table.
Running the Okta Verify installer a second time with command-line parameters doesn't change existing registry key settings.

Note:

To reduce the load on a domain controller, changes to the MFARequiredList and MFABypassList values can take up to 10 minutes.

Registry keys

Registry key	Description
Name: `AdminContactInfo` Type: `REG_SZ` Default: None	A configurable string that provides users with information on how to contact admins if they're locked out of their computer. For example, `Contact your Help Desk at help@org.com or call 1-800-xxx-xxxx`.
Name: `AllowedFactors` Type: `REG_MULTI_SZ` Default: `*`	List of factors that users can authenticate with. The `AllowedFactors` list requires that you also enable `UseDirectAuth`. Possible values for this setting: `*`: all factors are allowed. This is the same as setting this value to empty. `OV_Push` `OV_TOTP` `Offline_TOTP` `Offline_Security_key` `FIDO2_USB_key` `RSA_Token` Ensure that the factors are spelled correctly. Note: A user can be locked out of their computer if the factors included the `AllowedFactors` list don't match the factors shown to the user by the `OfflineLoginAllowed` and `OnlineLoginAllowed` registry settings.
Name: `CredProvidersToExclude` Type: `REG_MULTI_SZ` Default: Empty	Hide any custom credential provider from users by specifying the provider GUID. Note: You can't hide the Okta Desktop MFA credential provider with this key.
Name: `DeviceRecoveryPINDuration` Type: `REG_DWORD` Default: `60`	Valid time period for a device recovery PIN after activation. This period begins after the user completes a successful sign-in attempt using the PIN. The value is in minutes. The maximum value is `7200` (five days). See Enable Desktop MFA recovery for Windows.
Name: `DeviceRecoveryValidityInDays` Type: `REG_DWORD` Default: `90`	Specifies the rotation frequency of the device recovery secret used to generate recovery PINs for the device. After the period expires, this secret can't generate new PINs for the device. The secret is automatically rotated when the user's device connects to your Okta org. If the device can't connect to your Okta org, the secret isn't rotated. You can't generate new recovery pins for the device until the user's device connects and rotates the secret. The value is in days.
Name: `ExcludePasswordCredProvider` Type: `REG_DWORD` Default: Empty	By default, the standard Windows password credential provider is disabled. To restore and display the Windows password credential provider for users, set this value to `0`.
Name: `MaxLoginsWithOfflineFactor` Type: `REG_DWORD` Default: `50`	Defines how many times users can sign in to Windows with offline MFA methods (without internet access). This policy setting also applies when computers are online and the user authenticates with offline MFA methods. If a user exceeds the sign-in attempts limit, access is denied. The user is prompted to connect to the internet to authenticate with an online sign-in method instead.
Name: `MaxLoginsWithoutEnrolledFactors` Type: `REG_DWORD` Default: `50`	Defines how many times users can sign in to Windows without an MFA method. This policy setting allows new users to postpone setting up MFA methods for the set number of times. If Okta detects a valid online or offline MFA factor, Okta Verify prompts the user with the factor. When the user signs in with an MFA factor, this policy limit expires. If a user exceeds the sign-in attempts limit, access is denied.
Name: `MFABypassList` Type: `REG_MULTI_SZ` Default: Empty	List of users or Active Directory groups that aren't required to authenticate with MFA. If a user is listed in both `MFARequiredList` and `MFABypassList`, then the `MFABypassList` key takes precedence. Possible values for this setting: Empty: MFA applies to all users. `username@domain.com`: Separate users with a semi-colon `;` character. `GroupName`: Separate group names with a semi-colon `;` character. For example, `john.doe@company.com;IT_Admins;Finance_Team`
Name: `MFAGracePeriodInMinutes` Type: `REG_DWORD` Default: `60`	The grace period within which a user doesn't need to use MFA after locking the computer. If you set `MFAGracePeriodInMinutes` to `0`, then the user is prompted to verify their identity using MFA every time they sign in. The grace period is only applicable when locking the computer. Switching user accounts or restarting the computer prompts the user to verify their identity using MFA. The grace period doesn't apply when you enabled password autofill.
Name: `MFARequiredList` Type: `REG_MULTI_SZ` Default: `*`	List of users or Active Directory groups that must authenticate with MFA in addition to a password. Users must sign in to Windows at least once when the computer is online and connected to the organization's network (directly or through a VPN). This connection resolves the users' Active Directory group membership. If users aren't included in this list, they don't have to authenticate with MFA. Users in this list are also eligible to sign in using password autofill. If users aren't in this list, they're required to enter a password to gain access to the desktop computer. Possible values for this setting: `*`: MFA applies to all users. `username@domain.com`: Separate users with a semi-colon `;` character. `GroupName`: Separate group names with a semi-colon `;` character. Empty: Users don't have to use MFA to sign in to Windows For example, `john.doe@company.com;IT_Admins;Finance_Team`
Name: `NetworkAdapterMaxWaitInSeconds` Type: `REG_DWORD` Default: `0`	This sets the maximum number of seconds that Okta waits for the network adapter interface. The default value is `0` seconds. This corresponds to a single attempt with no retries. Admins can use this parameter to define how long the Desktop MFA app should retry to connect to the network adapter before failing over to offline factors. This is helpful for devices that boot up after hibernation and need some time to connect to the internet. The network adapter may be down due to other software running on the machine, for example, security utilities like CrowdStrike. The client checks the network adapter every 200 ms when this is set to a value greater than `0`. For example, if this is set to `1`, then the Desktop MFA app checks the network adapter 5 times (200 ms * 5 = 1 second).
Name: `NetworkTimeoutInSeconds` Type: `REG_DWORD` Default: `15`	This value sets the network timeout to fetch a list of online MFA factors for validation. This timeout is for network operations only and doesn't apply to user interactions. This setting is useful for users with intermittent DNS outages or other connectivity issues. The default value is `15` seconds. The minimum value is `5` and the maximum value is `60`.
Name: `OfflineLoginAllowed` Type: `REG_DWORD` Default: `1`	This value indicates whether a user can sign in using an offline factor. By default, the value is set to `1` (true), meaning that users can see available offline factors. If you set this value to `1` and set `OnlineLoginAllowed` to `0` (false), then users can only see and sign in using an offline factor. This setting is appropriate for orgs that want to use offline security keys for authentication and sign-in flows.
Name: `OktaJoinEnabled` Type: `REG_DWORD` Default: `0`	When this value is set to `1`, the device is designated as Okta-joined. This parameter is required to enroll the device in Device-Bound Single Sign-On.
Name: `OnlineLoginAllowed` Type: `REG_DWORD` Default: `1`	This value indicates whether a user can sign in with an online factor. By default, the policy is set to `1` (true), meaning that users can see available online factors. If you set this policy to `1` and set `OfflineLoginAllowed` to `0` (false), then users can only see and sign in using an online factor. Offline factors aren't available.
Name: `PasswordlessAccessEnabled` Type: `REG_DWORD` Default: `0`	This value enables password autofill, allowing users to sign in to their device securely using non-password factors. By default, password autofill is disabled (`0`). Password autofill supports Okta Verify Push and FIDO2 keys when you specify these as `AllowedFactors`. Desktop MFA always attempts to enforce user verification through the FIDO2 key PIN. If the key doesn't have a PIN, then Desktop MFA falls back to password authentication.
Name: `SelfServicePasswordResetEnabled` Type: `REG_DWORD` Default: `0`	This value allows users to initiate a self-service password reset if the user forgets their password. By default, self-service password reset is disabled (`0`). If the Okta username doesn't match the Microsoft User Principal Name (UPN), you can configure multiple identifiers on the user profile policies. This allows users to be identified with their UPN attribute. The steps to implement this workaround are available in this knowledge base article.
Name: `SelfServicePasswordResetErrorMessage` Type: `REG_SZ` Default: `Unable to update the password. The value provided doesn't meet the domain's length, complexity, or history requirements.`	A configurable string to provide users with a customized error message in the event of a Self Service Password Reset failure.
Name: `UseDirectAuth` Type: `REG_DWORD` Default: `0`	This value enables Desktop MFA users to authenticate with FIDO2 or RSA authenticators. CAUTION: Store the `UseDirectAuth` key at `HKLM\Software\Okta\Okta Device Access`. By default, this setting is disabled (`0`). This value is required for Device-Bound Single Sign-On. If the Okta username doesn't match the Microsoft User Principal Name (UPN), you can configure multiple identifiers on the user profile policies. This allows users to be identified with their UPN attribute. The steps to implement this workaround are available in this knowledge base article.

Registry key

Description

Name: AdminContactInfo

Type: REG_SZ

Default: None

A configurable string that provides users with information on how to contact admins if they're locked out of their computer.

For example, Contact your Help Desk at help@org.com or call 1-800-xxx-xxxx.

Name: AllowedFactors

Type: REG_MULTI_SZ

Default: *

List of factors that users can authenticate with.

The AllowedFactors list requires that you also enable UseDirectAuth.

Possible values for this setting:

*: all factors are allowed. This is the same as setting this value to empty.
OV_Push
OV_TOTP
Offline_TOTP
Offline_Security_key
FIDO2_USB_key
RSA_Token

Ensure that the factors are spelled correctly.

Note:

A user can be locked out of their computer if the factors included the AllowedFactors list don't match the factors shown to the user by the OfflineLoginAllowed and OnlineLoginAllowed registry settings.

Name: CredProvidersToExclude

Type: REG_MULTI_SZ

Default: Empty

Hide any custom credential provider from users by specifying the provider GUID.

Note:

You can't hide the Okta Desktop MFA credential provider with this key.

Name: DeviceRecoveryPINDuration

Type: REG_DWORD

Default: 60

Valid time period for a device recovery PIN after activation. This period begins after the user completes a successful sign-in attempt using the PIN.

The value is in minutes. The maximum value is 7200 (five days).

See Enable Desktop MFA recovery for Windows.

Name: DeviceRecoveryValidityInDays

Type: REG_DWORD

Default: 90

Specifies the rotation frequency of the device recovery secret used to generate recovery PINs for the device.

After the period expires, this secret can't generate new PINs for the device. The secret is automatically rotated when the user's device connects to your Okta org.

If the device can't connect to your Okta org, the secret isn't rotated. You can't generate new recovery pins for the device until the user's device connects and rotates the secret.

The value is in days.

Name: ExcludePasswordCredProvider

Type: REG_DWORD

Default: Empty

By default, the standard Windows password credential provider is disabled.

To restore and display the Windows password credential provider for users, set this value to 0.

Name: MaxLoginsWithOfflineFactor

Type: REG_DWORD

Default: 50

Defines how many times users can sign in to Windows with offline MFA methods (without internet access).

This policy setting also applies when computers are online and the user authenticates with offline MFA methods.

If a user exceeds the sign-in attempts limit, access is denied. The user is prompted to connect to the internet to authenticate with an online sign-in method instead.

Name: MaxLoginsWithoutEnrolledFactors

Type: REG_DWORD

Default: 50

Defines how many times users can sign in to Windows without an MFA method.

This policy setting allows new users to postpone setting up MFA methods for the set number of times.

If Okta detects a valid online or offline MFA factor, Okta Verify prompts the user with the factor. When the user signs in with an MFA factor, this policy limit expires.

If a user exceeds the sign-in attempts limit, access is denied.

Name: MFABypassList

Type: REG_MULTI_SZ

Default: Empty

List of users or Active Directory groups that aren't required to authenticate with MFA.

If a user is listed in both MFARequiredList and MFABypassList, then the MFABypassList key takes precedence.

Possible values for this setting:

Empty: MFA applies to all users.
username@domain.com: Separate users with a semi-colon ; character.
GroupName: Separate group names with a semi-colon ; character.

For example, john.doe@company.com;IT_Admins;Finance_Team

Name: MFAGracePeriodInMinutes

Type: REG_DWORD

Default: 60

The grace period within which a user doesn't need to use MFA after locking the computer.

If you set MFAGracePeriodInMinutes to 0, then the user is prompted to verify their identity using MFA every time they sign in.

The grace period is only applicable when locking the computer. Switching user accounts or restarting the computer prompts the user to verify their identity using MFA.

The grace period doesn't apply when you enabled password autofill.

Name: MFARequiredList

Type: REG_MULTI_SZ

Default: *

List of users or Active Directory groups that must authenticate with MFA in addition to a password.

Users must sign in to Windows at least once when the computer is online and connected to the organization's network (directly or through a VPN). This connection resolves the users' Active Directory group membership.

If users aren't included in this list, they don't have to authenticate with MFA.

Users in this list are also eligible to sign in using password autofill. If users aren't in this list, they're required to enter a password to gain access to the desktop computer.

Possible values for this setting:

*: MFA applies to all users.
username@domain.com: Separate users with a semi-colon ; character.
GroupName: Separate group names with a semi-colon ; character.
Empty: Users don't have to use MFA to sign in to Windows

For example, john.doe@company.com;IT_Admins;Finance_Team

Name: NetworkAdapterMaxWaitInSeconds

Type: REG_DWORD

Default: 0

This sets the maximum number of seconds that Okta waits for the network adapter interface.

The default value is 0 seconds. This corresponds to a single attempt with no retries.

Admins can use this parameter to define how long the Desktop MFA app should retry to connect to the network adapter before failing over to offline factors.

This is helpful for devices that boot up after hibernation and need some time to connect to the internet. The network adapter may be down due to other software running on the machine, for example, security utilities like CrowdStrike.

The client checks the network adapter every 200 ms when this is set to a value greater than 0.

For example, if this is set to 1, then the Desktop MFA app checks the network adapter 5 times (200 ms * 5 = 1 second).

Name: NetworkTimeoutInSeconds

Type: REG_DWORD

Default: 15

This value sets the network timeout to fetch a list of online MFA factors for validation.

This timeout is for network operations only and doesn't apply to user interactions. This setting is useful for users with intermittent DNS outages or other connectivity issues.

The default value is 15 seconds. The minimum value is 5 and the maximum value is 60.

Name: OfflineLoginAllowed

Type: REG_DWORD

Default: 1

This value indicates whether a user can sign in using an offline factor.

By default, the value is set to 1 (true), meaning that users can see available offline factors.

If you set this value to 1 and set OnlineLoginAllowed to 0 (false), then users can only see and sign in using an offline factor. This setting is appropriate for orgs that want to use offline security keys for authentication and sign-in flows.

Name: OktaJoinEnabled

Type: REG_DWORD

Default: 0

When this value is set to 1, the device is designated as Okta-joined.

This parameter is required to enroll the device in Device-Bound Single Sign-On.

Name: OnlineLoginAllowed

Type: REG_DWORD

Default: 1

This value indicates whether a user can sign in with an online factor.

By default, the policy is set to 1 (true), meaning that users can see available online factors.

If you set this policy to 1 and set OfflineLoginAllowed to 0 (false), then users can only see and sign in using an online factor. Offline factors aren't available.

Name: PasswordlessAccessEnabled

Type: REG_DWORD

Default: 0

This value enables password autofill, allowing users to sign in to their device securely using non-password factors.

By default, password autofill is disabled (0).

Password autofill supports Okta Verify Push and FIDO2 keys when you specify these as AllowedFactors.

Desktop MFA always attempts to enforce user verification through the FIDO2 key PIN. If the key doesn't have a PIN, then Desktop MFA falls back to password authentication.

Name: SelfServicePasswordResetEnabled

Type: REG_DWORD

Default: 0

This value allows users to initiate a self-service password reset if the user forgets their password.

By default, self-service password reset is disabled (0).

If the Okta username doesn't match the Microsoft User Principal Name (UPN), you can configure multiple identifiers on the user profile policies. This allows users to be identified with their UPN attribute. The steps to implement this workaround are available in this knowledge base article.

Name: SelfServicePasswordResetErrorMessage

Type: REG_SZ

Default: Unable to update the password. The value provided doesn't meet the domain's length, complexity, or history requirements.

A configurable string to provide users with a customized error message in the event of a Self Service Password Reset failure.

Name: UseDirectAuth

Type: REG_DWORD

Default: 0

This value enables Desktop MFA users to authenticate with FIDO2 or RSA authenticators.

CAUTION:

Store the UseDirectAuth key at HKLM\Software\Okta\Okta Device Access.

By default, this setting is disabled (0).

This value is required for Device-Bound Single Sign-On.

GUIDs for popular credential providers

Use these GUIDs to exclude the most common credential providers:

Credential provider	GUID	Description
Password provider	`{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`	Username and password credentials
NGC credentials	`{D6886603-9D2F-4EB2-B667-1971041FA96B}`	Credentials for Windows Hello for Business PIN
FIDO credentials	`{F8A1793B-7873-4046-B2A7-1F318747F427}`	Credential used for FIDO2 security keys

Next steps

The following steps are optional, depending on your organizational needs for Desktop MFA.

Enable self-service password reset for Windows

Enforce number challenge for Desktop MFA for Windows

Configure Desktop MFA for Windows to use FIDO2 keys

Configure Desktop Password Autofill for Windows

Enable Desktop MFA recovery for Windows

Desktop MFA user experience for Windows

Support your Windows Desktop MFA users