This walkthrough configures the Notakey Windows Credential Provider (WCP) for remote desktop authentication with a phone-based second factor.
Appliance setup
Create the application. In the Notakey appliance, create a new application named Windows Remote Desktop; the matching graphics load automatically. Enable biometric check support; enable force biometric check if logins must always require a fingerprint or face verification.
Define users. Create users directly or connect an external user source. Active Directory is the common choice and is covered in the appliance documentation. Users synchronized from AD can later get escalation or multi-user approval policies.
Configure onboarding requirements so the application appears in Notakey Authenticator. If phone numbers exist in AD, SMS or WhatsApp onboarding is available. When using simple credentials verified against AD, edit the requirement and check Authenticate against remote AUTH user sources.
Generate API credentials. Create a new API client with an empty scopes field, and the system generates a Client ID and secret for the credential provider.
Windows machine setup
Create a registry file with your appliance access credentials, save it as
wcp_notakey.reg, and double-click to import:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Notakey]
[HKEY_LOCAL_MACHINE\SOFTWARE\Notakey\WindowsCP]
"ServiceURL"="https://your-appliance.example.com/api/"
"ServiceID"="29afa6c0-907d-40f4-898f-8a96fcdf7230"
"ClientID"="c6df76db-10a7-4349-8e05-8b3656a4d404"
"ClientSecret"="pZ5lSo1Rz_ftCDg4h302794ZlmjMO64sVtiAvHop6dI"
"MessageTtlSeconds"=dword:0000001e
"MessageActionTitle"="Winlogin"
"MessageDescription"="Proceed as {0} on server {1}?"
"AuthCreateTimeoutSecs"=dword:00000014
"AuthWaitTimeoutSecs"=dword:0000003c
Replace the first four values with your own: ServiceURL is your
appliance’s API endpoint, ServiceID the application’s ID, and
ClientID/ClientSecret the API credentials generated above. The
remaining values are sensible defaults, in hex: MessageTtlSeconds
(0x1e = 30 s) is how long the push stays approvable,
AuthCreateTimeoutSecs (0x14 = 20 s) how long WCP waits to create the
request, and AuthWaitTimeoutSecs (0x3c = 60 s) how long it waits for the
user’s answer. In MessageDescription, {0} is the username and {1} the
machine name.
Install the newest Windows Credential Provider from the
downloads page, restart Windows, and log in normally once.
Then check LastLoggedOnProvider under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI.
Lock the machine and select the Notakey Credential Provider. Enter username and password — Notakey asks permission to encrypt the password, and from then on the login is username + phone approval.
Going passwordless-only
To make Notakey the only way in, disable the default credential provider:
find its CLSID under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
and add a DWORD named Disabled with value 1. Group Policy offers the same
control at fleet scale.
After this, only the Notakey Credential Provider remains active, and logins require just the username and the second factor.