Prerequisites to Set MFA for Windows Credential Provider
Integrations
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview

This article covers the prerequisites for installing the Okta Multi-Factor Authentication (MFA) Credential Provider for Windows.

Applies To
  • MFA for Windows Credential Provider
  • Windows Server
  • Remote Desktop Protocol (RDP)
Solution

NOTE: Before installing the Okta Credential Provider for Windows:

  • Proxy Configuration: The Okta Credential Provider for Windows does not support a discrete proxy configuration but will obey system-level proxy configurations.
  • The Windows machine used for installation must have an active internet connection with port 443 open.
  • The installing account must have administrative rights to install the Okta Windows Credential Provider Agent, Visual C++ Redistributable, and .NET 4.0+.
  • Inline enrollment is not supported.
  • End users must have enrolled their MFA tokens previously by choosing an MFA option for their account when signing in to Okta for the first time or after a reset. End users cannot enroll a token during an RDP sign-in. End users with unenrolled tokens receive an authentication failed response from Okta when attempting to sign in to an RDP server.
  • MFA factors must be configured, including the factor to use for RDP sign-in. For instructions, see MFA.

Limitations

TLS 1.2 is required, as Okta no longer supports encryption other than TLS v1.2. For information, see Okta ends browser support for TLS 1.1. Okta has provided a PowerShell script to help administrators enforce TLS v1.2+ (strong encryption) in .NET. The script can be found in the manual chapter on Troubleshooting, in the section "System.Net.WebException displayed", or in the Solution field for the article RDP Error: System.Net.WebException - SSL/TLS Negotiation Errors.
 

Okta MFA Credential Provider for Windows is incompatible with the Okta Sign-in Widget Gen 3 (SIW G3). For RDP, please use SIW G2.


Supported Operating Systems

The Okta MFA Credential Provider for Windows agent can be installed on the following:

  • Windows Server 2022 (version 1.3.0 and above of the agent)
  • Windows Server 2019 (version 1.3.0 and above of the agent)
  • Windows Server 2016
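
The machine-side prerequisites and the TLS 1.2 limitation above can be checked before installation with a read-only preflight script. This is an added example, not Okta's script; it assumes Windows PowerShell 5.1, the standard Microsoft `SchUseStrongCrypto` registry values for .NET 4.x, and a placeholder hostname in `$OktaHost` that must be replaced with the Okta org hostname.

```powershell
# Added example: read-only preflight check, not Okta's own script.
# $OktaHost is a placeholder; pass your own Okta org hostname.
param([string]$OktaHost = 'your-org.okta.example')

$check = [ordered]@{}

# The installing account needs administrative rights.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
$check['Running elevated'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Operating systems the article lists as supported.
$os = (Get-CimInstance Win32_OperatingSystem).Caption
$check['Supported OS'] = $os -match 'Windows Server (2016|2019|2022)'

# .NET Framework 4.x (the article requires .NET 4.0+).
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$check['.NET 4.x installed'] = ($null -ne $ndp) -and ($ndp.Install -eq 1)

# Strong crypto opt-in for .NET 4.x in the 64-bit and 32-bit registry views
# (assumption: the standard Microsoft values; Okta's script may set more).
$paths = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
foreach ($p in $paths) {
    $v = (Get-ItemProperty $p -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    $check["SchUseStrongCrypto $p"] = ($v -eq 1)
}

# HTTPS on port 443 restricted to TLS 1.2 for this session only.
# Invoke-WebRequest goes through the .NET default proxy, if one is configured.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
try {
    Invoke-WebRequest -Uri "https://$OktaHost/" -Method Head -UseBasicParsing -TimeoutSec 15 | Out-Null
    $check['TLS 1.2 to Okta on 443'] = $true
} catch {
    # An HTTP error status still proves the TLS 1.2 handshake completed.
    $check['TLS 1.2 to Okta on 443'] = ($null -ne $_.Exception.Response)
}

$check.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
} | Format-Table -AutoSize
```

The script changes nothing on the machine; a `False` on either `SchUseStrongCrypto` row is the condition the Okta-provided script referenced under Limitations is meant to correct.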


Supported Factors 

  • Okta Verify
    • NOTE: Okta Verify supports the Send push automatically and Do not Challenge for the next X hours options. These options are managed locally via browser cookies. If the browser is configured to automatically clear cache and cookies when the window closes, these settings need to be set again whenever a new browser window is opened or cache and cookies are cleared.
  • Voice Call
  • On-Prem MFA (RSA)
  • Email
  • SMS Authentication
  • Google Authenticator

NOTE: FIDO2 WebAuthn is unsupported for Remote Desktop Connections with Okta Windows Credential Provider.
