
Requirements
This blog post will serve as a comprehensive guide to deploying and configuring
Okta Device Access (ODA) Desktop MFA for Windows using Microsoft Intune.
Below are the key requirements to ensure a successful implementation.
Okta Requirements
- An Okta Tenant (OIE) with administrator access.
- A valid subscription to enforce Okta Device Access Desktop MFA.
- Ensure the latest Okta Verify version is available for distribution.
Microsoft Intune Requirements
- Microsoft Intune Subscription
- Necessary permissions to create and manage Intune app deployments, configuration profiles, and PowerShell scripts.
- Devices must be Azure AD-joined, Hybrid AD-joined or AD-joined for proper policy enforcement.
Okta Desktop MFA Configuration
In the Admin Console, go to Settings > Account > Embedded widget sign-in support and ensure that the Interaction Code checkbox is selected. Desktop MFA signs users in through the embedded widget using the interaction code grant, so leaving this unchecked causes Okta Verify sign-ins on the device to fail.

Now navigate to Applications > Applications, click Browse App Catalog and search for Desktop MFA.

Click Add integration

Retrieve the Client ID and Client secret; both are required in the Okta Verify install command later. Treat the client secret as a credential: keep it in a secrets vault rather than in documentation, and be prepared to rotate it, because the install command that carries it is readable by every Intune administrator who can view the app and is written to the Intune Management Extension log on each device.

Set the Application username format to match your organization’s requirements (e.g., user principal name for Azure AD environments or SAM account name for AD joined or Hybrid environments).

Assign the application to relevant users or groups under the Assignments tab.

Okta Verify Deployment
When deploying Okta Verify via Microsoft Intune, it is necessary to convert the .exe installer into an .intunewin package, which is the required format for deploying Win32 applications using Intune.
Convert Okta Verify into .intunewin Package
Before starting, ensure you have the following:
- Okta Verify EXE installer: download the latest version of Okta Verify for Windows from the Okta Admin Console under Settings > Downloads. The downloaded file is named something like OktaVerify.exe.
- Microsoft Win32 Content Prep Tool: download it from Microsoft's GitHub repository and extract it to a folder on your local machine (e.g., C:\temp\).
- A Windows machine with administrative privileges on which you can run PowerShell and execute the Win32 Content Prep Tool.
Run the tool (IntuneWinAppUtil.exe) and provide the required inputs when prompted:
- the source folder that contains the installer
- the setup file name (OktaVerify.exe)
- the output folder for the .intunewin package
- whether to specify a catalog folder (answer N; catalog files are only needed for devices running Windows 10 in S mode)

After these inputs, the tool will start converting the EXE installer into an .intunewin package. You should see an output similar to:

Navigate to the output directory, and check that the OktaVerify.intunewin file has been generated.
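The same packaging step can be scripted instead of answered at the prompts, which is useful when you repackage every Okta Verify release. The following PowerShell is an added example, not code from the original post or from Okta: it assumes the tool is extracted to C:\temp\IntuneWinAppUtil.exe, the installer sits in C:\temp\OktaVerify\, and the package should land in C:\temp\out\. Before wrapping the installer it records its SHA-256 and checks its Authenticode signature, so you know exactly which binary went into the package.

```powershell
# Added example (not part of the original post): package OktaVerify.exe with the
# Win32 Content Prep Tool non-interactively and verify the result.
# Assumed paths: tool in C:\temp\, installer in C:\temp\OktaVerify\, output to C:\temp\out\.
$Tool      = 'C:\temp\IntuneWinAppUtil.exe'
$SourceDir = 'C:\temp\OktaVerify'
$SetupFile = 'OktaVerify.exe'
$OutDir    = 'C:\temp\out'
$Installer = Join-Path $SourceDir $SetupFile

foreach ($p in $Tool, $Installer) {
    if (-not (Test-Path $p)) { throw "Missing: $p" }
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Record the hash of the installer you are about to wrap; compare it with the value
# you obtained from the Okta Admin Console download so the package contents are known.
$hash = (Get-FileHash -Algorithm SHA256 -Path $Installer).Hash
Write-Output "SHA256($SetupFile) = $hash"

# The installer should carry a valid Authenticode signature from Okta; refuse to package it otherwise.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') { throw "Installer signature status: $($sig.Status)" }
Write-Output "Signed by: $($sig.SignerCertificate.Subject)"

# -c source folder, -s setup file, -o output folder, -q quiet mode (overwrites an existing package)
& $Tool -c $SourceDir -s $SetupFile -o $OutDir -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil failed with exit code $LASTEXITCODE" }

# The tool names the package after the setup file, so OktaVerify.exe becomes OktaVerify.intunewin
$pkg = Join-Path $OutDir ([IO.Path]::ChangeExtension($SetupFile, '.intunewin'))
if (-not (Test-Path $pkg)) { throw "Package not found: $pkg" }
Write-Output "Created $pkg ($((Get-Item $pkg).Length) bytes)"
```

Keep the printed hash with the package in your change record; when the app is later updated in Intune, the hash tells you which installer version a given package wraps.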

Below is a brief demonstration of the entire process in action.
Deploy the Okta Verify .intunewin Package in Microsoft Intune
Once you have successfully converted the Okta Verify .exe installer into a .intunewin package, the next step is deploying it through Microsoft Intune.
Follow the steps below to configure and deploy the package.
Sign in to the Microsoft Intune admin center (https://intune.microsoft.com; the older https://endpoint.microsoft.com address redirects there) and navigate to Apps > All apps > Add to initiate the application deployment process.
In the Select app type window, choose Windows app (Win32).

Click Select to proceed.

Under App information, click Select app package file.

Browse and upload the previously created .intunewin file for Okta Verify.


Click OK to continue.

Enter the following details in the App information section:
- Name
- Description
- Publisher
- *optional Logo
Click Next to proceed

Under the Program section, specify the installation and uninstallation commands:
- Install command: OktaVerify.exe /q SKU=ALL ORGURL=https://<YOUR_OKTA_ORG_URL> CLIENTID=xxxxxxxx CLIENTSECRET=xxxxxxxx (/q is Okta's silent-install switch; a system-context install that stops to show a UI prompt hangs until Intune's installation timeout)
- Uninstall command: OktaVerify.exe /uninstall
- Installation time required (minutes): keep the default unless the installer needs longer
- Allow available uninstall: as required
- Install behavior: System, for a machine-wide installation
- Device restart behavior: as required
- Return codes: keep the defaults (0 = success, 3010 = soft reboot, and so on) unless Okta Verify reports others
Note that the install command, client secret included, is stored in plaintext in Intune and is logged to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log on each device; restrict who can read the app in Intune and rotate the secret if it is exposed.
Click Next to proceed

In the Requirements section, set the following conditions:
- Operating system architecture: Select 64-bit.
- Minimum operating system: Choose Windows 10 1709 or later.
Click Next to move forward.

Under the Detection rules section, select Manually configure detection rules, click Add, and define the following rule:
- Rule type: File
- Path: C:\Program Files\Okta\Okta Verify
- File or folder: OktaVerify.exe
- Detection method: File or folder exists
Click OK, then Next

In the Assignments section, define which groups or users should receive the deployment.

Review all settings in the Review + create section, and click Create to finalize the deployment.

Navigate to Apps > Windows and open the Okta Verify app you just created to track installation status per device.

Configuring Registry Settings for Okta Device Access in Microsoft Intune via a PowerShell Script
Deploying Okta Device Access on Windows endpoints requires configuring specific registry settings to enable Desktop MFA, FIDO2 authentication, and user verification policies.
A highly effective method for deploying these settings across multiple devices is leveraging Microsoft Intune in combination with a PowerShell script.
This section outlines the step-by-step process to deploy Okta Device Access registry settings via a PowerShell script in Microsoft Intune.
Configure and deploy Okta Device Access access policies
This PowerShell template provides a foundation for configuring the necessary registry settings.
Be sure to modify it according to your specific requirements.
Save the script as e.g. ODA_MFA.ps1.
# Create ODA registry keys (the policy hive that Okta Device Access reads)
$RegistryPath1 = "HKLM:\Software\Policies\Okta"
$RegistryPath2 = "HKLM:\Software\Policies\Okta\Okta Device Access"
# Create the keys if they do not exist
foreach ($Path in $RegistryPath1, $RegistryPath2) {
    If (-NOT (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
}
# Create Okta Device Access policies. -Force makes the script safe to re-run: without it,
# New-ItemProperty throws when a value already exists and the Intune script reports a failure.
$Policy = $RegistryPath2
# '*' = Desktop MFA is required for every user who signs in to the device
New-ItemProperty -Path $Policy -Name 'MFARequiredList' -PropertyType MultiString -Value @('*') -Force | Out-Null
# Logins permitted before a user has enrolled factors, and while relying on an offline factor
New-ItemProperty -Path $Policy -Name "MaxLoginsWithoutEnrolledFactors" -PropertyType DWord -Value 50 -Force | Out-Null
New-ItemProperty -Path $Policy -Name "MaxLoginsWithOfflineFactor" -PropertyType DWord -Value 50 -Force | Out-Null
# Minutes after a successful MFA during which further logins skip MFA; lower it for higher assurance
New-ItemProperty -Path $Policy -Name "MFAGracePeriodInMinutes" -PropertyType DWord -Value 60 -Force | Out-Null
# Seconds to wait for a response from Okta before the offline flow is used
New-ItemProperty -Path $Policy -Name "NetworkTimeoutInSeconds" -PropertyType DWord -Value 15 -Force | Out-Null
# 1 = allowed, 0 = blocked
New-ItemProperty -Path $Policy -Name "OfflineLoginAllowed" -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $Policy -Name "OnlineLoginAllowed" -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $Policy -Name "PasswordlessAccessEnabled" -PropertyType DWord -Value 0 -Force | Out-Null
New-ItemProperty -Path $Policy -Name "SelfServicePasswordResetEnabled" -PropertyType DWord -Value 0 -Force | Out-Null
# Message shown when a self-service password reset is rejected, and help desk contact details shown to users
New-ItemProperty -Path $Policy -Name "SelfServicePasswordResetErrorMessage" -PropertyType String -Value 'Unable to update the password. The value provided does not meet the length, complexity, or history requirements of the domain.' -Force | Out-Null
New-ItemProperty -Path $Policy -Name "AdminContactInfo" -PropertyType String -Value 'Contact your Help Desk at help@org.com or call 1-800-xxx-xxxx' -Force | Out-Null
# Hide the Windows credential provider with this CLSID from the sign-in screen so that Okta Device Access
# handles the sign-in. Confirm which provider a CLSID belongs to under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers on a reference machine.
New-ItemProperty -Path $Policy -Name "CredProvidersToExclude" -PropertyType MultiString -Value @('{F8A1793B-7873-4046-B2A7-1F318747F427}') -Force | Out-Null
Write-Output "Okta Device Access registry settings applied successfully."
Navigate to Devices > Windows devices > Scripts and remediations click + Add.

Enter a name for the script

Under Script settings:
- Click Upload and select the ODA_MFA.ps1 file.
- Run this script using the logged on credentials: No (the script then runs as SYSTEM, which is required to write under HKLM)
- Enforce script signature check: No
- Run script in 64-bit PowerShell host: Yes
Click Next.

Under Assignments, define which groups or devices should receive the deployment.

Click Add to finish configuration.

Navigate to Devices > Scripts and remediations to track installation progress.

Additionally, navigate to the device to verify that the registry settings have been successfully applied.

Okta Device Access – Windows Demos
Below are a series of demos showcasing various features and access policies, demonstrating how they adapt based on your specific configuration settings.
Passwordless Login
Offline login to Windows – Device Access Code
Self-Service Password Reset
Configure and Deploy Okta Device Access FIDO2
Utilize the following PowerShell script to set up the necessary registry configurations. Save the script with a filename such as ODA_FIDO2.ps1
# Create Okta Device Access FIDO2 setting
# Note: this value lives under HKLM\Software\Okta, not the Policies hive used by the other scripts
$RegistryPath = "HKLM:\Software\Okta\Okta Device Access"
# Create the key if it does not exist; New-ItemProperty fails on a missing key
If (-NOT (Test-Path $RegistryPath)) { New-Item -Path $RegistryPath -Force | Out-Null }
# UseDirectAuth = 1 enables sign-in with a FIDO2 security key; -Force allows the script to be re-run
New-ItemProperty -Path $RegistryPath -Name 'UseDirectAuth' -PropertyType DWord -Value 1 -Force | Out-Null
Write-Output "Okta Device Access FIDO2 registry settings applied successfully."
As before, navigate to Devices > Windows devices > Scripts and remediations, click + Add, and enter a name for the FIDO2 script.

Under Script settings:
- Click Upload and select the ODA_FIDO2.ps1 file.
- Run this script using the logged on credentials: No
- Enforce script signature check: No
- Run script in 64-bit PowerShell host: Yes
Click Next.

Under Assignments, define which groups or devices should receive the deployment.

Click Add to finish configuration.

Navigate to Devices > Scripts and remediations to track installation progress.

Additionally, navigate to the device to verify that the registry settings have been successfully applied.

Demo Okta Device Access – FIDO2 Security Key
Watch this demo, which is also highlighted in my FIDO2 blog post.
Configure and Deploy Okta Device Access Allowed Factors policy
Utilize the following PowerShell script to set up the necessary registry configurations.
Save the script with a filename such as ODA_Allowed_Factors.ps1.
# Create Okta Device Access Allowed Factors policy
$RegistryPath = "HKLM:\Software\Policies\Okta\Okta Device Access"
# Create the key if it does not exist (it is absent if ODA_MFA.ps1 has not run on this device yet)
If (-NOT (Test-Path $RegistryPath)) { New-Item -Path $RegistryPath -Force | Out-Null }
# Restrict Desktop MFA to the listed factors. The value is a REG_MULTI_SZ, which stores one string
# per entry, so each factor is supplied as its own element rather than as one comma-separated string.
New-ItemProperty -Path $RegistryPath -Name 'AllowedFactors' -PropertyType MultiString -Value @('OV_Push','OV_TOTP','Offline_TOTP','FIDO2_USB_key','Offline_Security_key') -Force | Out-Null
Write-Output "Okta Device Access Allowed Factors registry settings applied successfully."
Navigate to Devices > Windows devices > Scripts and remediations, click + Add, and enter a name for the Allowed Factors script.

Under Script settings:
- Click Upload and select the ODA_Allowed_Factors.ps1 file.
- Run this script using the logged on credentials: No
- Enforce script signature check: No
- Run script in 64-bit PowerShell host: Yes
Click Next.

Under Assignments, define which groups or devices should receive the deployment.

Click Add to finish configuration.

Navigate to Devices > Scripts and remediations to track installation progress.

Additionally, navigate to the device to verify that the registry settings have been successfully applied.
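Checking the registry by hand on one device does not tell you whether the fleet still matches the baseline a month later, after a reimage, a local admin edit, or a script that silently failed. The following detection script is an added example, not code from the original post or from Okta: it reads back every value written by ODA_MFA.ps1, ODA_FIDO2.ps1 and ODA_Allowed_Factors.ps1 above and reports drift, using the same expected values as those three scripts (adjust them if you changed the scripts). Run it locally on a device, or upload it as the detection script of an Intune remediation, where exit code 1 marks the device non-compliant in the console.

```powershell
# Added example (not part of the original post): detect drift from the Okta Device Access
# registry baseline set by ODA_MFA.ps1, ODA_FIDO2.ps1 and ODA_Allowed_Factors.ps1.
# Exit 0 = baseline matches, exit 1 = one or more values missing or different
# (the convention Intune remediations use for detection scripts).
$PolicyKey = 'HKLM:\Software\Policies\Okta\Okta Device Access'
$LocalKey  = 'HKLM:\Software\Okta\Okta Device Access'

# Expected values, mirroring the three deployment scripts
$Expected = @(
    @{ Key = $PolicyKey; Name = 'MFARequiredList';                 Value = @('*') },
    @{ Key = $PolicyKey; Name = 'MaxLoginsWithoutEnrolledFactors'; Value = 50 },
    @{ Key = $PolicyKey; Name = 'MaxLoginsWithOfflineFactor';      Value = 50 },
    @{ Key = $PolicyKey; Name = 'MFAGracePeriodInMinutes';         Value = 60 },
    @{ Key = $PolicyKey; Name = 'NetworkTimeoutInSeconds';         Value = 15 },
    @{ Key = $PolicyKey; Name = 'OfflineLoginAllowed';             Value = 1 },
    @{ Key = $PolicyKey; Name = 'OnlineLoginAllowed';              Value = 1 },
    @{ Key = $PolicyKey; Name = 'PasswordlessAccessEnabled';       Value = 0 },
    @{ Key = $PolicyKey; Name = 'SelfServicePasswordResetEnabled'; Value = 0 },
    @{ Key = $PolicyKey; Name = 'CredProvidersToExclude';          Value = @('{F8A1793B-7873-4046-B2A7-1F318747F427}') },
    @{ Key = $PolicyKey; Name = 'AllowedFactors';                  Value = @('OV_Push','OV_TOTP','Offline_TOTP','FIDO2_USB_key','Offline_Security_key') },
    @{ Key = $LocalKey;  Name = 'UseDirectAuth';                   Value = 1 }
)

function Test-OdaValue {
    # Returns $null when the value matches, otherwise a one-line finding
    param([string]$Key, [string]$Name, $Value)
    if (-not (Test-Path $Key)) { return "MISSING key $Key" }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return "MISSING $Name under $Key" }
    $actual = $item.$Name
    # Multi-strings are compared element by element (order-insensitive), scalars directly
    $ok = if ($Value -is [array]) {
        (@($actual).Count -eq $Value.Count) -and -not (Compare-Object @($actual) $Value)
    } else {
        $actual -eq $Value
    }
    if ($ok) { return $null }
    return "DRIFT $Name expected [$($Value -join ';')] actual [$(@($actual) -join ';')]"
}

$findings = foreach ($e in $Expected) { Test-OdaValue -Key $e.Key -Name $e.Name -Value $e.Value }
$findings = @($findings | Where-Object { $_ })

if ($findings.Count -eq 0) {
    Write-Output 'Okta Device Access registry policy matches the expected baseline.'
    exit 0
}
$findings | ForEach-Object { Write-Output $_ }
exit 1
```

Pairing this detection script with the deployment script as its remediation gives you self-healing policy: a device that drifts is re-baselined on the next remediation run, and the console shows which devices needed it. Whether the registry matches is only half the check; the demos above show what the end user actually sees, so confirm on a test device that the sign-in prompt behaves as the values imply.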

Demo Okta Device Access – Allowed Factors
Check out this demo, which is also featured in my FIDO2 blog post.
Conclusion
This guide provided a structured, step-by-step approach to deploying Okta Verify, configuring registry settings, and enforcing MFA policies—all within the Intune ecosystem.
Automating these configurations reduces administrative overhead, minimizes potential security gaps, and ensures consistency across all managed devices.
As organizations prioritize security without sacrificing productivity, Okta Device Access Desktop MFA serves as a critical component in modern identity security strategies.
When combined with Intune, it enables enterprises to deploy, enforce, and manage authentication policies at scale, ensuring secure, seamless access to corporate resources.
