
z9o7y (z9o7y) asked a question.
I want to set up a Group Policy to deploy the Okta Credential Provider agent across all workstations in my network, so that I can be 100% confident none have been missed and that all RDP logins will be subject to MFA. The server is Windows Server 2016 and the workstations are Windows 10. I can easily install the MSI using Group Policy Software Installation, but this won't allow me to include the command line parameters for Client_ID, Client_Secret and URL, which means that the agent will be installed with invalid config, thus rendering the machine inaccessible (pretty dangerous I think?). Is anybody able to help with a way around this?
In addition, I want to configure the Agent to RdpOnly=true. As far as I can see this can't be done by command line on installation, but only by editing the Config file after installation ... is this correct? I guess I could create a login script to update the config file - but how can I ensure the login script runs after the Config file has been created?
Finally, I have seen other posts on this forum lamenting the fact that Okta MFA can't be simply deployed against the Remote Desktop Gateway, rather than having to have an agent installed on every computer. This would be easier to deploy and a lot more reliable (i.e. it couldn't be turned off on individual PCs either accidentally or deliberately).

Hi Don,
This is Mihai with Okta here.
In order to perform a mass deployment you will have to use the Microsoft psexec64 tool as per https://help.okta.com/en/prod/Content/Topics/Security/proc-mfa-win-creds-rdp.htm
Regarding the RDP config file, we do not provide scripts.
For more details about the how-to please open a support ticket.
Thank you,