<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base

Deploying Okta Verify and FastPass on Windows Without Blocking on Windows Hello for Business

Last Updated:

Multi-Factor Authentication
Okta Identity Engine

Overview

Passwordless authentication on Windows requires Windows Hello for Business (WHfB). Decoupling the WHfB rollout from Okta Verify and FastPass reduces support issues by avoiding the simultaneous setup of two interdependent systems.

Applies To

  • Okta Identity Engine
  • Multi-Factor Authentication (MFA)
  • Windows 10/11
  • Okta Verify 9.x+

Solution

What are the key concepts for Okta Verify and Windows Hello for Business?

Review the following table to understand the roles and common misconceptions regarding Okta Verify, FastPass, and Windows Hello for Business.

 

ComponentRole in authenticationCommon admin misconception
Okta VerifyDevice-bound authenticator installed on WindowsRequires WHfB at enrollment (it does not)
FastPassOkta phishing-resistant, device-based login flowNeeds WHfB biometrics on day 1 (it does not)
Windows Hello for BusinessProvides the OS-native user-verification used by FastPass on WindowsMust roll out at the same time as Okta Verify (it should not)

 

NOTE: WHfB always stores a Personal Identification Number (PIN) key, even if biometrics is enabled. Okta cannot distinguish whether the user unlocked WHfB with their face, fingerprint, or PIN.

 

The Recommended Rollout Sequence

Follow the phased approach detailed in the table below to deploy Windows Hello for Business, Okta Verify, and FastPass independently.

 

PhaseGoalAdmin actionsReferences
1. Rollout WHfBProvision WHfB on corporate devices.Push an Intune or other Mobile Device Management (MDM) configuration profile that forces WHfB setup.Configure WHfB using Intune
2. Deploy Okta Verify and FastPassLet users enroll in Okta Verify and FastPass immediately, even if WHfB is unavailable. Allow users to authenticate with a certificate-based check.Go to Security, select Authenticators, choose Okta Verify, and select Edit in the Okta Admin Console. Set Device passcode or biometric user verification to Preferred. Configure the Okta application sign-on policy rules for Windows so that Okta does not require user verification. Clear the Require user interaction checkbox for FastPass to serve as a silent factor, or select Any user interaction.Configure Okta Verify options
Biometric user verification in authentication policies
3. Inform and nudge usersRemind users to finish setting up WHfB.Create an Okta Device Assurance policy that checks whether the user is enrolled in Windows Hello. Set a Grace period (for example, 30 days) so users see a notification of the requirement, but Okta does not block them.Add Device Assurance policies
4. Track WHfB adoptionEnsure the MDM policy takes effect.Use Intune or Omnissa reports to monitor WHfB status. Follow up with out-of-compliance users.Intune device configuration assignment status
5. Enforce user verification in OktaEnforce passwordless, phishing-resistant sign-in.Remove the grace period for any Device Assurance policies enforcing Windows Hello. Set Require user interaction to Require device passcode or biometric user verification in the sign-on policies.Biometric user verification in authentication policies

 

How does the end-user experience change over the rollout timeline?

The end-user experience progresses through three distinct stages during the rollout process.

  1. Day 0: The user installs Okta Verify and enrolls FastPass. They optionally skip enabling Windows Hello since Okta does not require it.
  2. During grace period: The user sees a recurring message in the Okta sign-in widget informing them to finish setting up Windows Hello. They see this message for any sign-in if Okta Verify does not detect a completed Windows Hello setup.

The following image displays the recurring message prompting the user to set up Windows Hello during the grace period.

Okta sign-in widget displaying a Windows Hello setup prompt

  1. After deadline: If the user has not configured WHfB, Okta denies sign-in. The user sees a message indicating that Okta denied access because the Windows Hello setup is incomplete.

The following image shows the "Your device doesn't meet the security requirements" error message displayed to the user after the grace period ends.

Okta sign-in widget displaying an access denied error due to incomplete Windows Hello setup

Tips & Summary

Review the following summary of best practices for deploying Okta Verify and FastPass without blocking on Windows Hello for Business.

  • Push WHfB silently with MDM.
  • Launch Okta Verify and FastPass immediately with user verification set to Preferred.
  • Use Device Assurance to set a deadline and communicate expectations.
  • Monitor adoption in MDM dashboards.
  • Enforce user verification once coverage is high.

Recommended content

Still looking for help?
Loading
Okta Support - Deploying Okta Verify and FastPass on Windows Without Blocking on Windows Hello for Business