Cardinal: Deploying Okta Verify (Fastpass) Desktop Client for Windows

Purpose

This guide demonstrates how to deploy the Okta Verify desktop client for non-managed Commonwealth of Virginia (COV) devices connecting to the virginia.okta.com tenant on Windows systems.

Responsibility

This guide is intended for users with administrative rights to workstations where Okta Verify will be installed for authentication to virginia.okta.com.

Prerequisites

Whitelisting Requirements

โš ๏ธ Required Before Installation
Complete these whitelisting steps before proceeding with installation.
  1. Whitelist the following URLs and configure them for SSL inspection bypass:
    • https://virginia.oktapreview.com
    • https://virginia.okta.com
  2. Add the following email address to the whitelist on your Exchange server or email provider/spam filters:
    • noreply@okta.com

Download Okta Verify Client for Windows

  1. Open your web browser and navigate to: Download the installation file.
  2. Rename the downloaded file to OktaVerifySetup.exe and save it to your designated folder.
📌 Note
Some installation steps require administrative permissions on your workstation.

Deployment Options Overview

Okta Verify can be configured with different user verification methods depending on your device capabilities:

Option                Verification Method   Requirements
Windows Hello         Biometrics or PIN     Windows Hello must be enabled
Okta Verify Passcode  Custom passcode       No special requirements
โ„น๏ธ Checking Windows Hello Status
Navigate to Start > Settings > Accounts > Sign-in options to verify if Windows Hello is enabled on your device.

 

Installation via Command Prompt

📌 Important
User verification is required for virginia.okta.com. Okta Verify will prompt new users to set up either a device passcode or biometrics during enrollment. If your device doesn't support biometrics, you can enable a device passcode instead.
  1. Open Command Prompt with Administrator Permissions
    • Search for cmd.exe in the Start menu
    • Select "Run as administrator"
    • Enter credentials if prompted
  2. Navigate to Installation File Location
    Use the cd command to navigate to where you saved OktaVerifySetup.exe
  3. Choose Installation Option:

    Option 1: Okta Verify Passcode (Basic)

    oktaverifysetup.exe UserVerificationType=OktaVerifyPasscode

    Option 2: Okta Verify Passcode with Pre-populated URL (Recommended)

    For Production Environment:

    oktaverifysetup.exe OrgUrl=https://virginia.okta.com UserVerificationType=OktaVerifyPasscode

     

    Option 3: Windows Hello (If Enabled)

    For Production Environment:

    oktaverifysetup.exe OrgUrl=https://virginia.okta.com UserVerificationType=WindowsHello

    📌 Default Behavior

    The default installation uses Windows Hello automatically if it's enabled on your device.
  4. Review and check the License terms and conditions agreement, then click Install.
  5. After installation completes, click Finish.
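
One way to check the downloaded installer before running it with the arguments from Options 2 and 3, as an added PowerShell example that is not part of the original guide. The ExpectedPublisher value is an assumption to confirm against Okta's documentation, and the parameter names are this example's own.

```powershell
# Added example: verify the installer's Authenticode signature, then launch it
# with the arguments this guide uses. Run from an elevated PowerShell session.
param(
    [string]$InstallerPath = '.\OktaVerifySetup.exe',
    # Assumption: substring expected in the signing certificate subject.
    # Confirm the publisher name with Okta, then pin the full subject.
    [string]$ExpectedPublisher = 'Okta',
    [ValidateSet('OktaVerifyPasscode', 'WindowsHello')]
    [string]$UserVerificationType = 'OktaVerifyPasscode',
    [string]$OrgUrl = 'https://virginia.okta.com'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
    throw "Installer not found: $InstallerPath"
}

# Status is 'Valid' only when the file is signed, unmodified since signing,
# and the certificate chains to a root this machine trusts.
$sig = Get-AuthenticodeSignature -LiteralPath $InstallerPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed ($($sig.Status)): $($sig.StatusMessage)"
}

$subject = $sig.SignerCertificate.Subject
if ($subject -notlike "*$ExpectedPublisher*") {
    throw "Unexpected signer: $subject"
}
Write-Host "Signed by: $subject"

# Record the hash so the same binary can be confirmed on other workstations.
$hash = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
Write-Host "SHA256: $hash"

# Same arguments as Options 2 and 3 above; the installer UI still opens for
# the license agreement and the Install / Finish steps.
$fullPath = (Resolve-Path -LiteralPath $InstallerPath).Path
$installerArgs = @("OrgUrl=$OrgUrl", "UserVerificationType=$UserVerificationType")
$proc = Start-Process -FilePath $fullPath -ArgumentList $installerArgs -Wait -PassThru
Write-Host "Installer exit code: $($proc.ExitCode)"
```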

Enrolling with Okta Verify / Okta FastPass

📌 Enrollment Recommendation
If you're enrolling multiple device types, we recommend enrolling your desktop before enrolling your mobile device.
  1. Open the Okta Verify application on your desktop.
  2. Click Get Started.
  3. Click Next.
  4. Enter the Sign-in URL (if not already populated):
    • For production environment: https://virginia.okta.com
    • For test environment: https://virginia.oktapreview.com
  5. Your browser will open a login window. Enter your Username (email address) and click Next.
  6. Enter your Password for your Okta account and click Verify.
  7. Okta Verify will prompt you to create a passcode.
  8. Create a passcode that meets the complexity requirements:
    โ„น๏ธ Passcode Requirements
    • At least 14 characters
    • Must include letters, numbers, and special characters
    • You MUST remember this passcode
  9. If the passcode meets the complexity requirements, you'll see a "Passcode confirmation enabled" message. You may now log in to applications using Okta.
    📌 Note
    If you receive a Windows Hello biometrics prompt but want to use the Okta passcode option instead, follow the steps in the Troubleshooting section below.

Troubleshooting

Switching from Windows Hello to Okta Verify Passcode

If you're receiving a Windows Hello prompt but expecting to enter an Okta passcode, follow these steps:

  1. In the Windows search bar, type cmd.exe and press Enter or select Open.
  2. Once the command prompt opens, type regedit and press Enter.
  3. If UAC (User Account Control) is enabled, you'll be prompted for credentials.
    📌 Note
    Depending on your organization's configuration, you may not need admin permissions to access the registry; you may only need to enter your password.
  4. In the Registry Editor, navigate to:
    Computer\HKEY_CURRENT_USER\Software\Okta\Okta Verify
  5. Locate the StaticUserVerificationType entry. If it's set to WindowsHello, you'll need to update it to OktaVerifyPasscode.
  6. Right-click on StaticUserVerificationType and select Modify.
  7. In the "Value data" field, replace WindowsHello with OktaVerifyPasscode.
  8. Click OK. The value should now display as OktaVerifyPasscode.
  9. Close the Registry Editor and reboot your computer for the changes to take effect.
  10. After rebooting, follow the "Enrolling with Okta Verify / Okta FastPass" steps above.
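
The registry steps above, done from PowerShell, as an added example that is not part of the original guide. The function names are this example's own, and it assumes the value is a string (REG_SZ), as the "Value data" step implies. Run it in a non-elevated session as the user who will enroll: HKEY_CURRENT_USER is per-user, so elevating with a different admin account edits that account's hive instead.

```powershell
# Added example: check StaticUserVerificationType and switch it from
# WindowsHello to OktaVerifyPasscode only when it holds the expected value.
$KeyPath   = 'HKCU:\Software\Okta\Okta Verify'
$ValueName = 'StaticUserVerificationType'

function Get-OktaUserVerificationType {
    # Returns the current value, or $null when the key or value is absent.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $props = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
        -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$ValueName
}

function Set-OktaVerifyPasscode {
    # Returns $true only when the value was actually changed.
    $current = Get-OktaUserVerificationType
    if ($null -eq $current) {
        Write-Warning "$ValueName not found under $KeyPath. Nothing changed."
        return $false
    }
    if ($current -eq 'OktaVerifyPasscode') {
        Write-Host 'Already set to OktaVerifyPasscode.'
        return $false
    }
    if ($current -ne 'WindowsHello') {
        # Do not overwrite a value this guide does not describe.
        Write-Warning "Unexpected value '$current'. Left unchanged."
        return $false
    }
    Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
        -Value 'OktaVerifyPasscode'
    Write-Host "Changed $ValueName to OktaVerifyPasscode. Reboot, then enroll."
    return $true
}

Write-Host "Running as: $env:USERDOMAIN\$env:USERNAME"
Write-Host "Current value: $(Get-OktaUserVerificationType)"
[void](Set-OktaVerifyPasscode)
Write-Host "Value now: $(Get-OktaUserVerificationType)"
```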

Common Errors

  • Unable to Enroll Okta Verify on Windows - "The sign-in URL is not secure" or "Generic enrollment error"
  • Error: "Your device's TPM is locked and Okta Verify cannot be used for authentication"

Additional Resources

For more information about Okta Verify, visit the official Okta documentation: