This article outlines how to configure Okta Verify on Virtual Machines (VM) operating in a "Layered" or "Roaming" Virtual Desktop Infrastructure (VDI) environment. Okta Administrators must properly configure the application integration to ensure consistent functionality for Okta Verify on Virtual Machines in VDI.
- Multi-Factor Authentication (MFA)
- Okta Identity Engine (OIE)
- Devices
- Okta Verify (OV) on Windows
- Virtual Desktop Infrastructure (VDI)
About AuthenticatorOperationMode
The AuthenticatorOperationMode setting configures Okta Verify's behavior in physical and virtual Windows environments. The option is available in Okta Verify 4.9.0 and later and is set at deployment time as an installer flag. It cannot be changed in place: to modify the authenticator operation mode after deployment, Okta Verify must be uninstalled and reinstalled with the desired value.
The available values for the AuthenticatorOperationMode are as follows:
- Normal: This is the default operation mode for Okta Verify. It is intended for use in physical Windows environments.
- VirtualDesktopStatic: Use this value to configure Okta Verify in static virtual environments where a user is assigned the same virtual machine each time they start a session.
- VirtualDesktopLayered: Use this value to configure Okta Verify in layered virtual environments where a user is randomly assigned a virtual machine when they start a session.
The appropriate AuthenticatorOperationMode value depends on the type of virtual environment:
- For static virtual environments, use VirtualDesktopStatic.
- For layered virtual environments, use VirtualDesktopLayered.
About UserVerificationType
Administrators choose the method Okta Verify uses for user verification with the UserVerificationType installer flag. It accepts two values:
- WindowsHello
- OktaVerifyPasscode
Okta derives the default value of UserVerificationType from the value supplied for AuthenticatorOperationMode:
- When AuthenticatorOperationMode is Normal, UserVerificationType defaults to WindowsHello.
- When AuthenticatorOperationMode is either VirtualDesktopStatic or VirtualDesktopLayered, UserVerificationType defaults to OktaVerifyPasscode.
Consequently, when deploying Okta Verify into a virtual environment that should use Okta Verify Passcode for user verification, admins only need to set AuthenticatorOperationMode correctly; UserVerificationType is then set to OktaVerifyPasscode automatically. Set UserVerificationType explicitly only when the deployment should deviate from these defaults.
For more information about configuring the user verification type in Okta Verify, refer to our Manual Chapter:
Configuration for Layered VDI
For virtual desktop providers that assign users a new virtual machine each session and rely on a user profile service to sync data, the following steps are necessary:
- Ensure the AuthenticatorOperationMode setting is configured appropriately to the environment.
- Configure the user profile syncing service to synchronize the following Okta Verify data:
  - User's OV app data: C:\Users\{userName}\AppData\Local\Okta\OktaVerify
  - OV program data: C:\ProgramData\Okta\OktaVerify
  - The user's software key store: %APPDATA%\Microsoft\Crypto\Keys (see Microsoft Key Storage and Retrieval for additional reference)
  - The OV app credential: %LOCALAPPDATA%\Microsoft\Credentials
  - The OV app vault: %LOCALAPPDATA%\Microsoft\Vault
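The following PowerShell script is an added example, not Okta's own code, that checks inside a user's VDI session whether the profile sync service has actually delivered each of the paths listed above before the user tries to authenticate. It assumes it runs in the user's own session (so %LOCALAPPDATA% and %APPDATA% resolve to that user), and it treats an empty directory as "not yet synced"; the Ready column is a heuristic, because the key store, Credentials and Vault folders can contain files written by other applications.

```powershell
# Added example (not Okta's code): report which Okta Verify data locations the
# profile sync service has populated in the current VDI session.
# Assumption: executed in the interactive user's session, not as SYSTEM.

$requiredPaths = @(
    @{ Name = 'OV user app data';        Path = (Join-Path $env:LOCALAPPDATA 'Okta\OktaVerify');       Scope = 'user' }
    @{ Name = 'OV program data';         Path = 'C:\ProgramData\Okta\OktaVerify';                       Scope = 'machine' }
    @{ Name = 'User software key store'; Path = (Join-Path $env:APPDATA 'Microsoft\Crypto\Keys');       Scope = 'user' }
    @{ Name = 'OV app credential';       Path = (Join-Path $env:LOCALAPPDATA 'Microsoft\Credentials'); Scope = 'user' }
    @{ Name = 'OV app vault';            Path = (Join-Path $env:LOCALAPPDATA 'Microsoft\Vault');       Scope = 'user' }
)

function Test-OktaVerifyProfileSync {
    [CmdletBinding()]
    param([hashtable[]]$Paths = $requiredPaths)

    foreach ($entry in $Paths) {
        $exists = Test-Path -LiteralPath $entry.Path
        # Count files recursively; -Force is needed because Credentials and Vault are hidden.
        # A folder that exists but is empty usually means the sync created the directory
        # tree but has not written the contents yet, so it is reported as not ready.
        $fileCount = 0
        if ($exists) {
            $fileCount = (Get-ChildItem -LiteralPath $entry.Path -Recurse -File -Force `
                              -ErrorAction SilentlyContinue | Measure-Object).Count
        }
        [pscustomobject]@{
            Name   = $entry.Name
            Scope  = $entry.Scope
            Path   = $entry.Path
            Exists = $exists
            Files  = $fileCount
            Ready  = ($exists -and $fileCount -gt 0)
        }
    }
}

$report = Test-OktaVerifyProfileSync
$report | Format-Table Name, Scope, Exists, Files, Ready -AutoSize

$notReady = $report | Where-Object { -not $_.Ready }
if ($notReady) {
    Write-Warning ("Profile sync incomplete for: " + ($notReady.Name -join ', '))
    exit 1
}
```

The Scope column separates the per-user paths, which a user profile service normally handles, from C:\ProgramData\Okta\OktaVerify, which lives outside the user profile and may need a separate rule in the sync configuration or the base image. A non-zero exit code lets the same check be used as a gate in a logon script.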
Additional Considerations for Layered Virtual Environments
In certain layered VDI environments, a delay in the user profile synchronization service can cause Okta Verify to auto-start before the user's existing Okta Verify data is available. This can lead to a loss of Okta FastPass enrollments or prevent Okta Verify from launching correctly.
To address this, the Okta Verify Activation Task can be disabled using the following PowerShell command (run from an elevated session):
Disable-ScheduledTask -TaskPath "\" -TaskName "Okta Verify Activation Task"
The task can be re-enabled with this PowerShell command:
Enable-ScheduledTask -TaskPath "\" -TaskName "Okta Verify Activation Task"
Because the scheduled task is registered per machine, apply the change in the image or layer from which the virtual machines are built; disabling it on one running VM does not carry over to the VM a user is assigned in the next session. Confirm the result with Get-ScheduledTask, which reports the task State as Disabled.
With the activation task disabled, users must manually launch Okta Verify on their first authentication by clicking either Sign in with Okta FastPass or Open Okta Verify.
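The script below is an added example, not Okta's own tooling. It wraps the task change with a read-back check, and shows an alternative to the manual launch: a per-user logon script that starts Okta Verify only after the synced user data has appeared, and deliberately does not start it at all if the sync never completes, since launching against an empty profile is what causes the enrollment loss described above. The task path "\", the Okta Verify executable location and the timeout values are assumptions, not taken from the article.

```powershell
# Added example (not Okta's code). Assumptions: the activation task lives at the
# root task path "\", Okta Verify is installed at the path below, and the user's
# synced data lands under %LOCALAPPDATA%\Okta\OktaVerify as listed in the article.

$TaskName      = 'Okta Verify Activation Task'
$TaskPath      = '\'
$OktaVerifyExe = 'C:\Program Files\Okta\Okta Verify\OktaVerify.exe'   # assumed install path
$UserDataDir   = Join-Path $env:LOCALAPPDATA 'Okta\OktaVerify'

function Set-OktaVerifyActivationTask {
    # Must run elevated; Disable/Enable-ScheduledTask fail with access denied otherwise.
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State)

    $task = Get-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -ErrorAction Stop
    if ($State -eq 'Disabled') { $task | Disable-ScheduledTask | Out-Null }
    else                       { $task | Enable-ScheduledTask  | Out-Null }

    # Read the state back rather than trusting the call succeeded.
    $after = Get-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath
    $isDisabled = ($after.State -eq 'Disabled')
    if ($isDisabled -ne ($State -eq 'Disabled')) {
        throw "Task '$TaskName' is in state '$($after.State)', expected $State"
    }
    return $after.State
}

function Start-OktaVerifyAfterSync {
    # Poll until the profile sync service has written the user's Okta Verify data,
    # then launch Okta Verify. Returns $true if launched, $false on timeout.
    param([int]$TimeoutSeconds = 120, [int]$PollSeconds = 5)

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $synced = (Test-Path -LiteralPath $UserDataDir) -and
                  ((Get-ChildItem -LiteralPath $UserDataDir -Recurse -File -Force `
                        -ErrorAction SilentlyContinue | Measure-Object).Count -gt 0)
        if ($synced) {
            Start-Process -FilePath $OktaVerifyExe
            return $true
        }
        Start-Sleep -Seconds $PollSeconds
    }
    # Timed out: do not start Okta Verify against an empty profile. The user can
    # still open it from the sign-in page (Sign in with Okta FastPass / Open Okta Verify).
    Write-Warning "Okta Verify data not synced within $TimeoutSeconds s; leaving it unstarted."
    return $false
}

# Usage:
#   In the image/layer, elevated:   Set-OktaVerifyActivationTask -State Disabled
#   In a per-user logon script:     Start-OktaVerifyAfterSync
```

One caveat a practitioner should expect: a user who has never enrolled in Okta Verify has no data to sync, so Start-OktaVerifyAfterSync will always time out for that user and fall back to the manual launch from the sign-in page; that is the intended outcome, since there is no existing enrollment to protect.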
