Okta Device Access: Deploying Desktop MFA for Windows Using Group Policy Templates
Overview
This article describes how to deploy the Okta Device Access (Desktop MFA for Windows) configuration using the ADMX administrative templates, either through Active Directory Group Policy or through Intune configuration profiles.
Solution
Table of Contents
- Active Directory Group Policy Management
- Intune Device Configuration
- Verifying Administrative Template Changes on Client Machines
Active Directory Group Policy Management
- Extract the Contents: Copy and extract the contents of the provided zip file to a convenient location.
- Locate the PolicyDefinitions Folder: Identify the appropriate location for the ADMX and ADML files:
  - Central Store (Recommended for Domain Environments): \\{domain.com}\SYSVOL\{domain}\policies\PolicyDefinitions
  - Local Computer (If not using a Central Store): %systemroot%\PolicyDefinitions
  - NOTE: ADML files must reside within language-specific subfolders within the PolicyDefinitions directory. For example, U.S. English ADML files should be placed in a subfolder named en-US.
- Copy ADMX Files: Copy both Okta.admx and OktaODA.admx files to the PolicyDefinitions folder:
  - Central Store: \\{domain.com}\SYSVOL\{domain}\policies\PolicyDefinitions
  - Local Computer: %systemroot%\PolicyDefinitions
- Copy ADML Files: Copy both Okta.adml and OktaODA.adml files to the corresponding language subfolder (for example, en-US) within the PolicyDefinitions folder:
  - Central Store: \\{domain.com}\SYSVOL\{domain}\policies\PolicyDefinitions\en-US
  - Local Computer: %systemroot%\PolicyDefinitions\en-US
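The file-placement steps above can be scripted so that the ADMX files land in the Central Store root and the ADML files in the language subfolder, and so that a missing or corrupt copy is caught before anyone opens the Group Policy Editor. The script below is an added example, not Okta's own tooling; the extraction folder (C:\Temp\OktaODA-ADMX), the use of the USERDNSDOMAIN environment variable to derive the domain name, and the en-US default are assumptions to adjust for your environment.

```powershell
# Added example (not from the Okta article): copy the Okta Device Access ADMX/ADML templates
# into the Group Policy Central Store, create the language subfolder if needed, then confirm
# that every expected file is present and parses as XML.
param(
    [string]$SourceDir = "C:\Temp\OktaODA-ADMX",     # where the zip was extracted (assumed)
    [string]$Domain    = $env:USERDNSDOMAIN,         # DNS domain name of the joined domain (assumed)
    [string]$Language  = "en-US"                     # language subfolder for the ADML files
)

if (-not $Domain) { throw "No domain name available; pass -Domain explicitly." }

$CentralStore = "\\$Domain\SYSVOL\$Domain\policies\PolicyDefinitions"
$LangFolder   = Join-Path $CentralStore $Language

# ADML files must live in a language subfolder, so create it if it does not exist yet.
if (-not (Test-Path $LangFolder)) {
    New-Item -ItemType Directory -Path $LangFolder | Out-Null
}

# File names come from the article: ADMX in the store root, ADML in the language folder.
$Templates = @(
    @{ Name = "Okta.admx";    Destination = $CentralStore; Root = "policyDefinitions" },
    @{ Name = "OktaODA.admx"; Destination = $CentralStore; Root = "policyDefinitions" },
    @{ Name = "Okta.adml";    Destination = $LangFolder;   Root = "policyDefinitionResources" },
    @{ Name = "OktaODA.adml"; Destination = $LangFolder;   Root = "policyDefinitionResources" }
)

foreach ($t in $Templates) {
    $src = Get-ChildItem -Path $SourceDir -Recurse -Filter $t.Name | Select-Object -First 1
    if (-not $src) { throw "Template $($t.Name) not found under $SourceDir" }
    Copy-Item -Path $src.FullName -Destination $t.Destination -Force
}

# Verification: each file must exist at its destination and be well-formed XML with the
# root element that ADMX (policyDefinitions) or ADML (policyDefinitionResources) uses.
$failed = $false
foreach ($t in $Templates) {
    $dest = Join-Path $t.Destination $t.Name
    if (-not (Test-Path $dest)) {
        Write-Error "Missing: $dest"; $failed = $true; continue
    }
    try {
        [xml]$xml = Get-Content -Path $dest -Raw
        if ($xml.DocumentElement.LocalName -ne $t.Root) {
            Write-Error "$dest has root <$($xml.DocumentElement.LocalName)>, expected <$($t.Root)>"
            $failed = $true
        } else {
            Write-Host ("OK  {0}" -f $dest)
        }
    } catch {
        Write-Error "$dest is not valid XML: $($_.Exception.Message)"; $failed = $true
    }
}

if ($failed) { exit 1 }
```

Run it from a workstation with write access to SYSVOL; replication then carries the templates to the other domain controllers. For a local-only deployment, pass -Domain to point the store path at %systemroot%\PolicyDefinitions instead, or replace the two path variables.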
- Open Group Policy Editor:
  - Press the Windows Key + R to open the Run dialog.
  - Type gpedit.msc and press Enter.
- Verify Template Availability:
  - Navigate to Computer Configuration > Policies > Administrative Templates.
  - The Okta > Okta Device Access policy settings should now be visible under Administrative Templates.
- Configuring Group Policy Settings:
  - Access Policy Settings: Within the Group Policy Editor, navigate to the specific Okta Device Access policy settings to be modified.
  - Enable Policies: Double-click the desired policy setting, then select Enabled.
  - Configure Settings: Make the necessary adjustments to the policy options.
  - Apply Changes: Click Apply and then OK to save the configuration.
  - Example:
    - To configure AllowedFactors, double-click on AllowedFactors and select Enabled.
    - In the settings below, enter * in the text box.
    - Click Apply and then OK to save the configuration.
- Verify Registry Changes: On a client machine affected by the GPO, verify that the policy settings have been applied by checking the corresponding registry entries. The specific registry keys modified will depend on the policy configured.
  - Example: Navigate to HKLM\Software\Policies\Okta\Okta Device Access and verify whether AllowedFactors is enabled.
NOTE: Keys under HKLM\Software\Policies\Okta\Okta Device Access Backend are for service purposes; do not modify these registry settings.
Intune Device Configuration
- Navigate to Intune Admin Center: Open the web browser and go to the Microsoft Intune admin center.
- Access Device Configuration:
  - In the left-hand navigation pane, select Devices.
  - Under Manage devices, select Configuration.
- Import ADMX:
  - Click on the Import ADMX tab.
- Upload Files:
  - ADMX File: Click Browse or drag and drop the Okta.admx file.
  - ADML File for Default Language: Click Browse or drag and drop the corresponding Okta.adml file (for example, from the en-US folder).
- Once the files are uploaded, Intune will validate them. If validation is successful, click Next.
- Review the summary and click Create.
- The imported template will now appear in the list of available imported administrative templates. Wait for the "Upload status" to show "Available".
- Repeat the above steps to import the OktaODA.admx ADMX file and the OktaODA.adml ADML file.
Create a Configuration Profile Using Imported ADMX
Once the ADMX/ADML files are successfully imported, a configuration profile can be created to deploy these settings:
- Navigate to Configuration: Go to Devices > Manage Devices > Configuration.
- Create Policy:
- Click Create > New Policy.
- Platform: Select Windows 10 and later.
- Profile type: Select Templates.
- In the template list, choose Imported Administrative templates (Preview).
- Click Create.
- Basic Information:
- Name: Provide a descriptive name for the profile (for example, "Okta_ODA_Intune").
- Description: (Optional) Add a description for the profile.
- Click Next.
- Configuration Settings: The settings defined in the ADMX file will be displayed, categorized as All Settings, Computer Configuration, and User Configuration.
  - Browse to Computer Configuration > Okta > Okta Device Access to configure.
  - For each setting:
    - Select the setting.
    - Choose Enabled, Disabled, or Not Configured.
    - If enabled, configure any associated values (for example, text input, dropdown selection) as defined in the ADMX.
    - Example:
      - To configure AllowedFactors, double-click on AllowedFactors and select Enabled.
      - In the settings below, enter * in the text box.
      - Click OK.
  - Click Next after configuring all desired settings.
- Scope Tags (Optional):
- Assign scope tags if the organization uses them for role-based access control.
- Click Next.
- Assignments:
  - Included groups: Click Add groups and select the Azure AD user or device groups to which this policy should apply.
  - NOTE: Computer Configuration settings should be assigned to device groups.
  - Click Next.
- Review + Create:
- Review all the settings and assignments.
- Click Create to deploy the profile.
Verifying Administrative Template Changes on Client Machines
After the policy has been assigned and client devices have synced with Intune, verify the changes using the following methods. The default Intune policy sync cycle for Windows devices is approximately every 8 hours. However, a sync can be manually initiated to expedite policy application.
- Manually Initiating an Intune Sync:
  - From the Company Portal App (if installed):
    - Open the Company Portal app on the Windows device.
    - Go to Settings (often represented by a gear icon or found in a menu).
    - Look for a Sync button or option and click it. This will initiate a check-in with Intune.
  - From the Windows Settings App:
    - Open Settings on the Windows device (Windows Key + I).
    - Go to Accounts.
    - Select Access work or school.
    - Click on the account connected to Azure AD/Intune (for example, "Connected to <ExampleOrganization>'s Azure AD").
    - Click the Info button.
    - Scroll down to the "Device sync status" section and click the Sync button.
  - Once the sync is complete (which may take a few minutes), proceed with the verification methods below.
Event Viewer
Intune uses the DeviceManagement-Enterprise-Diagnostics-Provider event log to record MDM policy application.
- Open Event Viewer: On the client machine, press Windows Key + R, type eventvwr.msc, and press Enter.
- Navigate to the Log:
  - Go to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
- Look for Relevant Events: Filter for events related to policy application. Event ID 813 indicates a policy (like an ADMX setting) is successfully applied. Event ID 814 indicates a successful Set command for a policy.
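The same Event Viewer check can be done from PowerShell, which is more convenient when verifying several machines. The script below is an added example, not part of the Okta article: it queries the Admin channel named above for the two event IDs the article cites and keeps only entries whose message mentions Okta. The 24-hour window and the "Okta" match string are assumptions; widen or change them if the events you are looking for are older or worded differently.

```powershell
# Added example (not from the Okta article): list MDM policy-application events (IDs 813 and 814)
# from the DeviceManagement-Enterprise-Diagnostics-Provider Admin log that reference Okta.
param(
    [int]$Hours      = 24,        # how far back to look (assumed default)
    [string]$Pattern = 'Okta'     # text to match in the event message (assumed)
)

# Channel name behind the Event Viewer path
# Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
$LogName = "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = 813, 814
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No 813/814 events in the last $Hours hours. Trigger an Intune sync and re-run."
    return
}

# Per the article: 813 = policy applied, 814 = successful Set command for a policy.
$labels = @{ 813 = 'PolicyApplied'; 814 = 'SetSucceeded' }

$matched = $events |
    Where-Object { $_.Message -match $Pattern } |
    Sort-Object TimeCreated

if (-not $matched) {
    Write-Warning "Found $($events.Count) policy events, but none mention '$Pattern'."
    return
}

$matched |
    Select-Object TimeCreated,
                  Id,
                  @{ Name = 'Meaning'; Expression = { $labels[[int]$_.Id] } },
                  @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the client; the Admin channel is readable by administrators. An empty result after a fresh sync usually means the profile is assigned to a group the device is not in, which the Intune admin center's per-device policy report will confirm.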
Registry Editor
Since ADMX settings configure registry keys, they can be directly verified in the Registry Editor.
- Open Registry Editor: On the client machine, press Windows Key + R, type regedit, and press Enter.
  - NOTE: Be extremely careful when navigating and modifying the registry. Incorrect changes can cause system instability.
- Verify Registry Changes: On a client machine, verify that the policy settings have been applied by checking the corresponding registry entries (that is, HKLM\Software\Policies\Okta\Okta Device Access). The specific registry keys modified will depend on the policy configured.
  - Example:
    - Navigate to HKLM\Software\Policies\Okta\Okta Device Access and verify whether AllowedFactors is enabled.
    - Check if the registry key and value exist, and if the data matches the configuration set in the Intune policy.
NOTE: Keys under HKLM\Software\Policies\Okta\Okta Device Access Backend are for service purposes; do not modify these registry settings.
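The registry verification described here (and the equivalent step in the Group Policy section above) is the same read-only check whether the setting arrived via a GPO or an Intune profile. The script below is an added example, not Okta's own code: it dumps every value under the policy key, compares AllowedFactors with the value the article's example sets (*), and never opens the "Okta Device Access Backend" key. The expected value and the gpresult step for domain-joined machines are assumptions for this example.

```powershell
# Added example (not from the Okta article): read-only check of the policy values written by the
# Okta Device Access ADMX templates. Only HKLM\Software\Policies\Okta\Okta Device Access is read;
# the "Okta Device Access Backend" key is left untouched, as the article instructs.
param(
    [string]$Expected = '*'   # value the article's AllowedFactors example configures (assumed)
)

$PolicyKey = 'HKLM:\Software\Policies\Okta\Okta Device Access'

if (-not (Test-Path $PolicyKey)) {
    Write-Warning "Policy key not found: $PolicyKey. The policy has not applied yet; run gpupdate /force or an Intune sync and retry."
    return
}

# Dump every policy value under the key, skipping PowerShell's own PS* metadata properties.
$props = Get-ItemProperty -Path $PolicyKey
$props.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |
    ForEach-Object { Write-Host ("{0,-30} = {1}" -f $_.Name, $_.Value) }

# Check the article's example setting: present, and matching what was configured centrally.
$actual = $props.PSObject.Properties['AllowedFactors']
if ($null -eq $actual) {
    Write-Warning "AllowedFactors is not set under $PolicyKey."
} elseif ([string]$actual.Value -ne $Expected) {
    Write-Warning "AllowedFactors is '$($actual.Value)', expected '$Expected'."
} else {
    Write-Host "AllowedFactors matches the expected configuration ('$Expected')."
}

# On a domain-joined machine, gpresult names the GPO that delivered the setting; Intune-only
# devices have no applied GPOs, so the section is simply absent there.
if ($env:USERDNSDOMAIN) {
    gpresult /scope:computer /r |
        Select-String -Pattern 'Applied Group Policy Objects' -Context 0, 10
}
```

Because Policies keys are rewritten on every policy refresh, a value that is present but wrong usually points at a conflicting GPO or a second Intune profile targeting the same setting rather than a local edit; resolve the conflict at the source instead of editing the key by hand.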
