Okta Verify requires specific configurations to function correctly on virtual machines operating in a layered or roaming Virtual Desktop Infrastructure (VDI) environment. Administrators must configure the authenticator operation mode and synchronize specific user profile data to ensure consistent functionality for Okta Verify in a VDI environment.
- Okta Identity Engine (OIE)
- Okta Verify for Windows
- Multi-Factor Authentication (MFA)
- Virtual Desktop Infrastructure (VDI)
How does the AuthenticatorOperationMode setting function?
The AuthenticatorOperationMode setting configures the behavior of Okta Verify in physical and virtual Windows environments. This option is available in Okta Verify version 4.9.0 and later and requires configuration during the deployment of the application. To modify the authenticator operation mode after deployment, administrators must uninstall and reinstall Okta Verify with the desired configuration.
Review the following available values for the AuthenticatorOperationMode setting:
- Normal: This is the default operation mode for Okta Verify. It functions in physical Windows environments.
- VirtualDesktopStatic: Use this value to configure Okta Verify in static virtual environments where the VDI assigns a user the same virtual machine each time a session starts.
- VirtualDesktopLayered: Use this value to configure Okta Verify in layered virtual environments where the VDI randomly assigns a user a virtual machine when a session starts.
Select the appropriate AuthenticatorOperationMode value based on the type of virtual environment:
- For static virtual environments, use VirtualDesktopStatic.
- For layered virtual environments, use VirtualDesktopLayered.
How does the UserVerificationType setting function?
To configure Okta Verify to use Okta Verify Passcode for user verification, administrators leverage the UserVerificationType installer flag.
The UserVerificationType installer flag contains two values:
- WindowsHello
- OktaVerifyPasscode
Okta adjusts the default value of the UserVerificationType flag based on the value provided for the AuthenticatorOperationMode flag.
Review the following default behaviors for the UserVerificationType flag:
- When the AuthenticatorOperationMode is Normal, the UserVerificationType defaults to WindowsHello.
- When the AuthenticatorOperationMode is either VirtualDesktopStatic or VirtualDesktopLayered, the UserVerificationType defaults to OktaVerifyPasscode.
When configuring Okta Verify to run in a virtual environment and to use Okta Verify Passcode for user verification, administrators only need to set the AuthenticatorOperationMode properly. Okta automatically sets the UserVerificationType to Okta Verify Passcode.
How do administrators configure Okta Verify for layered VDI environments?
Virtual desktop providers that assign users a new virtual machine each session and rely on a user profile service to sync data require specific configurations.
Configure the authenticator operation mode and synchronize the necessary Okta Verify data by following these steps:
- Ensure the AuthenticatorOperationMode setting matches the environment.
- Configure the user profile syncing service to synchronize the user Okta Verify application data located at C:\Users\<userName>\AppData\Local\Okta\OktaVerify.
- Configure the user profile syncing service to synchronize the Okta Verify program data located at C:\ProgramData\Okta\OktaVerify.
- Configure the user profile syncing service to synchronize the user software key store located at %APPDATA%\Microsoft\Crypto\Keys.
- Configure the user profile syncing service to synchronize the Okta Verify application credential located at %localAppData%\Microsoft\Credentials.
- Configure the user profile syncing service to synchronize the Okta Verify application vault located at %localAppData%\Microsoft\Vault.
Additional Considerations for Layered Virtual Environments
In certain layered VDI environments, a delay in the user profile synchronization service causes Okta Verify to auto-start before the existing Okta Verify data becomes available. This delay leads to a loss of Okta FastPass enrollments or prevents Okta Verify from launching correctly.
Address this issue by disabling the Okta Verify Activation Task using the following PowerShell command:
Disable-ScheduledTask -TaskPath \ -TaskName "Okta Verify Activation Task"
Re-enable the task using the following PowerShell command:
Enable-ScheduledTask -TaskPath \ -TaskName "Okta Verify Activation Task"
With the activation task disabled, users must manually launch Okta Verify on the first authentication by clicking either Sign in with Okta FastPass or Open Okta Verify.
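The following PowerShell function is an added example, not Okta's own tooling. It checks, from inside a freshly provisioned session, that each location the steps above require the profile syncing service to carry is actually present, and reports the state of the Okta Verify Activation Task so an administrator can confirm it was disabled before Okta Verify auto-starts. It assumes Windows PowerShell 5.1 or later with the built-in ScheduledTasks module; the function name Test-OktaVerifyVdiProfile is ours.

```powershell
# Added example (not Okta's script): verify the Okta Verify data locations the
# article lists have been synced into this session, and check the activation task.
function Test-OktaVerifyVdiProfile {
    [CmdletBinding()]
    param(
        # Windows user name whose profile to inspect; defaults to the current user.
        [string]$UserName = $env:USERNAME
    )

    # Locations from the article. %APPDATA% and %localAppData% resolve for this session.
    $paths = [ordered]@{
        'Okta Verify user app data' = "C:\Users\$UserName\AppData\Local\Okta\OktaVerify"
        'Okta Verify program data'  = 'C:\ProgramData\Okta\OktaVerify'
        'User software key store'   = Join-Path $env:APPDATA 'Microsoft\Crypto\Keys'
        'Application credentials'   = Join-Path $env:LOCALAPPDATA 'Microsoft\Credentials'
        'Application vault'         = Join-Path $env:LOCALAPPDATA 'Microsoft\Vault'
    }

    $results = foreach ($entry in $paths.GetEnumerator()) {
        [pscustomobject]@{
            Item    = $entry.Key
            Path    = $entry.Value
            Present = Test-Path -LiteralPath $entry.Value
        }
    }

    # In layered VDI the activation task should be disabled until profile sync completes;
    # if Okta Verify starts first, FastPass enrollments can be lost.
    $task = Get-ScheduledTask -TaskPath '\' -TaskName 'Okta Verify Activation Task' `
        -ErrorAction SilentlyContinue
    $taskState = if ($task) { $task.State.ToString() } else { 'NotFound' }

    [pscustomobject]@{
        Locations      = $results
        MissingCount   = @($results | Where-Object { -not $_.Present }).Count
        ActivationTask = $taskState
    }
}

# Run after the profile syncing service has finished and before the user's first sign-in.
$report = Test-OktaVerifyVdiProfile
$report.Locations | Format-Table -AutoSize
"Missing locations: $($report.MissingCount); activation task: $($report.ActivationTask)"
```

A non-zero MissingCount on a user who has previously enrolled points at a sync gap rather than an Okta Verify fault; an ActivationTask value other than Disabled in a layered environment means the task re-enable step ran too early.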
