4 March 2026

How to configure WCP for Windows Remote Desktop

Set up the Notakey Windows Credential Provider for two-factor remote desktop login, from appliance config to going passwordless.

This walkthrough configures the Notakey Windows Credential Provider (WCP) for remote desktop authentication with a phone-based second factor.

Appliance setup

Create the application. In the Notakey appliance, create a new application named Windows Remote Desktop; the matching graphics load automatically. Enable biometric check support; enable force biometric check if logins must always require a fingerprint or face verification.

Define users. Create users directly or connect an external user source. Active Directory is the common choice and is covered in the appliance documentation. Users synchronized from AD can later get escalation or multi-user approval policies.

Configure onboarding requirements so the application appears in Notakey Authenticator. If phone numbers exist in AD, SMS or WhatsApp onboarding is available. When using simple credentials verified against AD, edit the requirement and check Authenticate against remote AUTH user sources.

Generate API credentials. Create a new API client with an empty scopes field, and the system generates a Client ID and secret for the credential provider.

Windows machine setup

Create a registry file with your appliance access credentials, save it as wcp_notakey.reg, and double-click to import:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Notakey]

[HKEY_LOCAL_MACHINE\SOFTWARE\Notakey\WindowsCP]
"ServiceURL"="https://your-appliance.example.com/api/"
"ServiceID"="29afa6c0-907d-40f4-898f-8a96fcdf7230"
"ClientID"="c6df76db-10a7-4349-8e05-8b3656a4d404"
"ClientSecret"="pZ5lSo1Rz_ftCDg4h302794ZlmjMO64sVtiAvHop6dI"
"MessageTtlSeconds"=dword:0000001e
"MessageActionTitle"="Winlogin"
"MessageDescription"="Proceed as {0} on server {1}?"
"AuthCreateTimeoutSecs"=dword:00000014
"AuthWaitTimeoutSecs"=dword:0000003c

Replace the first four values with your own: ServiceURL is your appliance’s API endpoint, ServiceID the application’s ID, and ClientID/ClientSecret the API credentials generated above. The remaining values are sensible defaults, in hex: MessageTtlSeconds (0x1e = 30 s) is how long the push stays approvable, AuthCreateTimeoutSecs (0x14 = 20 s) how long WCP waits to create the request, and AuthWaitTimeoutSecs (0x3c = 60 s) how long it waits for the user’s answer. In MessageDescription, {0} is the username and {1} the machine name.

Install the newest Windows Credential Provider from the downloads page, restart Windows, and log in normally once. Then check LastLoggedOnProvider under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI.

Lock the machine and select the Notakey Credential Provider. Enter username and password — Notakey asks permission to encrypt the password, and from then on the login is username + phone approval.

Going passwordless-only

To make Notakey the only way in, disable the default credential provider: find its CLSID under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers and add a DWORD named Disabled with value 1. Group Policy offers the same control at fleet scale.

After this, only the Notakey Credential Provider remains active, and logins require just the username and the second factor.

← All posts

See your first passwordless login this week

A 30-minute call with an engineer, not a sales deck. We’ll map your VPN, SSO or Windows setup to a working pilot.