Windows Desktop MFA Recovery Troubleshooting
Okta Device Access
Okta Identity Engine
Overview

This article provides steps for troubleshooting common issues related to Windows Desktop Multi-Factor Authentication (MFA) Recovery.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Device Access (ODA)
  • Desktop MFA Recovery
  • Windows Devices
Cause

A recovery PIN cannot be generated from the Admin Console.

Solution

Issue 1: Okta Verify must be 6.1.1 or higher

[WRN] [ 🟠 ] [UserLogonSession::GetAdminRecoveryChallengeAsync] Device is not registered, admin recovery unavailable

Admin Recovery for Windows support was added in version 6.1.1.

Issue 2: View Recovery PIN option is missing

The admin does not have permission to generate a recovery PIN.

  • Validate that the Administrator account has the required permission as mentioned in Prerequisites. If a custom admin role is used, the Generate device recovery PIN permission is required.

Issue 3: Device Recovery PIN not enabled

In the Okta Admin Console, navigate to Security > General and ensure that Enable Device Recovery PIN for Desktop MFA is set to Enabled.

Issue 4: Device Certificates are missing

A device needs a valid certificate to register successfully. If the certificate is missing, the registration will fail.

To troubleshoot, check the ODA logs at “c:\windows\system32\config\systemprofile\appdata\local\okta device access\logs”.

Look for errors that indicate a missing or invalid certificate, similar to this example:

2025-07-23 16:54:59.154 +05:30 [ERR] [DevicePrincipalAuthenticator.CanRegisterClient] Device cannot be registered: Could not find a valid certificate for device authentication.

2025-07-23 16:54:59.154 +05:30 [INF] [ 🟦 ] [DeviceRegistrationJob::RunRegistrationLoop] Device Registration: Device not eligible for registration

If these errors are found, refer to the Okta Help Page to make sure the SCEP profile is correctly configured.

Issue 5: Incorrect certificate type was issued

  • If using an Okta CA, ensure the CA is configured to be used for Device Access instead of Endpoint management.

Certificates for Device Access are separate from the certificates used for managed device attestation. See Use Okta CA for Device Access.

  • Ensure that the certificate is installed with the required OID. To verify the certificate on a Windows system:

    • Select Start, enter cert, and click Manage computer certificates.

    • Under Certificates > Local Computer, select Personal > Certificates.

    • Ensure the client certificate exists.

    • Verify that a custom extension with OID 1.3.6.1.4.1.51150.13.1 is present on the client certificate, or that OID 1.3.6.1.4.1.51150.13.1.1 appears in the Enhanced Key Usage extension if the DCS is used to issue certificates. Refer to the section Device Access Certificates for more information.
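
The same OID check can be run from an elevated PowerShell prompt instead of the certificate console. The script below is an added example and is not part of the Okta article: it enumerates the Local Computer > Personal store and reports, per certificate, whether the custom extension OID 1.3.6.1.4.1.51150.13.1 or the Enhanced Key Usage OID 1.3.6.1.4.1.51150.13.1.1 is present, together with expiry and private-key availability; the function and property names are this example's own.

```powershell
# Added example (not from the Okta article). Run from an elevated PowerShell prompt:
# enumerates Local Computer > Personal certificates and flags the Device Access OIDs
# named in the article. Function and property names are the example's own, not Okta's.
$DeviceAccessExtOid = '1.3.6.1.4.1.51150.13.1'    # custom extension on the client cert
$DeviceAccessEkuOid = '1.3.6.1.4.1.51150.13.1.1'  # EKU entry when the DCS issues certs

function Test-DeviceAccessCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Any extension whose OID equals the custom Device Access OID.
    $customExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $DeviceAccessExtOid }

    # The Enhanced Key Usage extension exposes its OID list via EnhancedKeyUsages.
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuMatch = $false
    if ($ekuExt) {
        $ekuMatch = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $DeviceAccessEkuOid })
    }

    $now = Get-Date
    [PSCustomObject]@{
        Subject        = $Cert.Subject
        Issuer         = $Cert.Issuer
        Thumbprint     = $Cert.Thumbprint
        NotAfter       = $Cert.NotAfter
        HasPrivateKey  = $Cert.HasPrivateKey
        CustomExtOid   = [bool]$customExt
        EkuOid         = $ekuMatch
        # Usable for device authentication only if one OID form is present, the
        # certificate is unexpired and the machine holds the private key.
        DeviceAccessOk = (([bool]$customExt -or $ekuMatch) -and $Cert.HasPrivateKey -and ($Cert.NotAfter -ge $now))
    }
}

$results = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object { Test-DeviceAccessCertificate -Cert $_ }
$results | Format-Table Subject, Issuer, NotAfter, HasPrivateKey, CustomExtOid, EkuOid, DeviceAccessOk -AutoSize

if (-not ($results | Where-Object { $_.DeviceAccessOk })) {
    Write-Warning 'No usable Device Access certificate in LocalMachine\My; check the SCEP profile and CA configuration (Issues 4 and 5).'
}
```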

Okta CA issued Certificate

Issue 6: Issuing CA certificate was not added to the Okta Admin Console (when the organization uses an AD CS certificate)

2025-07-23 17:18:27.640 +05:30 [ERR] [OktaWebRequest.SendMessageAsync] Call to https://<domain>/device-access/api/v1/devices/register failed with Unauthorized. Request Id: f967ece1a6f59140baedaa73c320f91b

2025-07-23 17:18:27.642 +05:30 [WRN] [ 🟠 ] [DeviceRegistrationJob::RunRegistrationLoop] Registration attempt 1 failed: Call to https://<domain>/device-access/api/v1/devices/register failed, HttpStatusCode=Unauthorized, Error='E0000011: Invalid token provided'

  • Upload the AD CS issuing CA certificate to the Okta Certificate Authority list. When adding the trusted CA, select "Issue certificates for: Device Access".
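
The log signatures quoted under Issues 1, 4 and 6 can be searched for in one pass. This script is an added example and is not part of the Okta article: it reads the log directory the article names, matches each line against patterns taken from the article's own sample entries, and reports which issue each match points to. The `*.log` file filter, the 7-day window and the function name are assumptions of this example.

```powershell
# Added example (not from the Okta article): scan Okta Device Access logs for the error
# signatures this article associates with specific issues. The directory is the one the
# article names; the '*.log' filter and 7-day window are assumptions of this example.
$LogDir = 'C:\Windows\System32\config\systemprofile\AppData\Local\Okta Device Access\logs'

# Regex patterns taken from the article's sample log lines, mapped to the issue they indicate.
$Signatures = @(
    @{ Pattern = 'Device is not registered, admin recovery unavailable'
       Issue   = 'Issue 1: Okta Verify must be 6.1.1 or higher' },
    @{ Pattern = 'Could not find a valid certificate for device authentication'
       Issue   = 'Issue 4: device certificate missing (check the SCEP profile)' },
    @{ Pattern = 'Device not eligible for registration'
       Issue   = 'Issue 4: device certificate missing (check the SCEP profile)' },
    @{ Pattern = 'devices/register failed.*Unauthorized|E0000011: Invalid token provided'
       Issue   = 'Issue 6: issuing CA not trusted for Device Access' }
)

function Find-OdaLogIssues {
    param([string]$Path = $LogDir, [int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Path -Filter '*.log' -File -ErrorAction Stop |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $file = $_
            foreach ($sig in $Signatures) {
                Select-String -Path $file.FullName -Pattern $sig.Pattern | ForEach-Object {
                    [PSCustomObject]@{
                        File  = $file.Name
                        Line  = $_.LineNumber
                        Issue = $sig.Issue
                        Text  = $_.Line.Trim()
                    }
                }
            }
        }
}

$hits = Find-OdaLogIssues
if (-not $hits) {
    Write-Host 'No known failure signatures in the last 7 days; compare against the successful-registration entries in this article.'
} else {
    # Summarise by issue and show the newest occurrence of each so the fix can be targeted.
    $hits | Group-Object Issue | ForEach-Object {
        $last = $_.Group | Sort-Object File, Line | Select-Object -Last 1
        [PSCustomObject]@{ Issue = $_.Name; Count = $_.Count; LastSeen = $last.Text }
    } | Format-Table -AutoSize -Wrap
}
```

A later "Device registered" line (as in the successful-registration entries in this article) after the newest match means the condition has already cleared.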

Issue 7: Device is registered in the Okta Admin Console, but the user is not listed under the device record (it shows 0 users)

  • The user has not logged in since the Device Access certificates were installed.

  • To enroll in Desktop MFA recovery, users must have signed in to the system at least once after the device is online and has been registered. Until then, users are not listed under the device, and no admin recovery option is available.

  • If you delete a previously registered Windows computer from the org's Devices inventory, you cannot enable Desktop MFA recovery on that system. This scenario requires reinstalling Okta Verify on the Windows computer to return it to the device inventory, after which you can enroll it in Desktop MFA. 

Issue 8: Device has not been online for the last few days 

  • The rotation frequency of the device recovery secret is dependent on the device connecting to your Okta org. 

    • The secret used to generate recovery PINs is automatically rotated when the user's device connects to the Okta org.

    • If the device cannot connect, the secret will not be rotated, and you will not be able to generate new recovery PINs for the device. 

  • Make sure the device has been online within the last X days, where X is the value specified for DeviceRecoveryValidityInDays. The default value is 90 days.

Issue 9: Login failed after entering the Recovery PIN

The generated recovery PIN must be entered on the user's computer within 2 minutes of being generated. After the user successfully gains access to their computer, the PIN remains valid for the duration configured through your MDM with the DeviceRecoveryPINDuration setting; the default value is 60 minutes. Share the duration with the IT department. If the PIN doesn't work, regenerate it, as it may have expired. See Configure and deploy Desktop MFA policies for Windows.

Log Entries

Successful registration and enrollment generate specific log entries.

Successful Device Registration

2025-07-23 17:26:35.754 +05:30 [INF] [ 🟦 ] [DeviceRegistrationJob::RunRegistrationLoop] Device Registration: Attempting device registration (attempt 47)

2025-07-23 17:26:35.761 +05:30 [INF] [JSonWebToken.EncodeAndSign] Creating token of type DeviceAuthTokenPayload with credential F6A11501C02499994FC8C59BFF04E0779E2C11D9

2025-07-23 17:26:35.774 +05:30 [DBG] [OktaWebRequest.SendMessageAsync] Sending POST-message to https://atkoepd.oktapreview.com/device-access/api/v1/devices/register with token OktaSswsAccessToken

2025-07-23 17:26:35.774 +05:30 [INF] [RetryDelegatingHandler.ExecuteWithRetry] Sending http request 1 of 3

2025-07-23 17:26:36.505 +05:30 [INF] [OktaWebRequest.SendMessageAsync] Received response from https://atkoepd.oktapreview.com/device-access/api/v1/devices/register with status OK and request id 1ee5bd866a92c9293bf2add1f0dec484

2025-07-23 17:26:36.535 +05:30 [INF] [DeviceRegistrationJob.RunRegistrationLoop] Device registered

Successful Admin Recovery User Enrollment

After the device is registered, the user's first login should generate these log entries:

Okta System Logs

2025-07-25 00:09:53.556 +05:30 [INF] [ 🟦 ] [OfflineFactorManagementHandlerFactory::CreateHandlerInstance] Creating an offline factor handler... Type: AdminRecovery - User: HIDDEN - factor:

2025-07-25 00:09:53.650 +05:30 [INF] [ 🟦 ] [AdminRecoveryFactorManagementHandler::CreateFactorAsync] Generating a new admin recovery secret for the current user...

2025-07-25 00:09:53.733 +05:30 [INF] [JSonWebToken.EncodeAndSign] Creating token of type DeviceAuthTokenPayload with credential F6A11501C02499994FC8C59BFF04E0779E2C11D9

2025-07-25 00:09:55.478 +05:30 [DBG] [OktaWebRequest.SendMessageAsync] Sending POST-message to https://atkoepd.oktapreview.com/device-access/api/v1/desktop-mfa/enrollments/register

2025-07-25 00:09:55.478 +05:30 [INF] [RetryDelegatingHandler.ExecuteWithRetry] Sending http request 1 of 3

2025-07-25 00:09:56.466 +05:30 [INF] [OktaWebRequest.SendMessageAsync] Received response from https://atkoepd.oktapreview.com/device-access/api/v1/desktop-mfa/enrollments/register with status OK and request id 4002289e45a9b463c9c2d8255855d087
