Deploy authentik Agent on Windows

What it can do

Retrieves information about the host for use in authentik, see Device Compliance.
SSH to Linux hosts using authentik credentials, see SSH authentication.
Authenticate CLI applications using authentik credentials, see CLI application authentication.

Supported Windows Versions

The authentik Agent is currently only tested on Windows 11 and Windows Server 2022. Other versions may work but are untested.

Windows Credential Provider (WCP) is a component of the authentik Agent that allows logging in to Windows workstations using authentik credentials.

It currently only supports local login; RDP login is not supported.

warning

When WCP is enabled, the password of the Windows user account that's used to login is set to a random string.
WCP can cause issues with user encrypted directories.
Support with Active Directory has not been confirmed yet.
Offline login is currently not supported.

You must configure your authentik deployment to support the authentik Agent.

If you already have an enrollment token, skip to the next section.

Log in to authentik as an administrator and open the authentik Admin interface.
Navigate to Endpoint Devices > Connectors.
Click on the authentik Agent connector that you created when configuring your authentik deployment to support the authentik agent.
Under Enrollment Tokens, click Create, and configure the following settings:
- Token name: provide a descriptive name for the token
- Device group (optional): select a device access group for the device to be added to after completing enrollment
- Expiring (optional): set whether or not the enrollment token will expire
Click Create.
(Optional) Click the Copy icon in the Actions column to copy the enrollment token. This value will be required if enabling a device for device compliance.

Automated deployment is recommended

It's recommended to deploy the Agent via MDM or automation tools instead of manually configuring it.

Log in to authentik as an administrator and open the authentik Admin interface.
Navigate to Endpoint Devices > Connectors.
Click on the authentik Agent connector that you created when configuring your authentik deployment to support the authentik agent.
Under Setup, click Windows to download the authentik Agent installer.
Once the download is complete, install the MSI file.
(Optional) During installation, select Windows Credential Provider if you want to log in to the Windows device using authentik credentials.
Confirm that the authentik Agent is installed by opening a PowerShell or Terminal window and entering the following command: ak You should see a response that starts with: authentik CLI v<version_number>

To enable device compliance features, you must join the device to an authentik domain.

ak-sysd domains join <deployment_name> --authentik-url https://authentik.company

deployment_name is the name that will be used to identify the authentik deployment on the device.
https://authentik.company is the fully qualified domain name of the authentik deployment.

You will be prompted to enter your enrollment token.
Once provided, the device will be enrolled with your authentik deployment and should appear on the Devices page after a check-in is completed.

To enable initiating SSH connections and CLI application authentication, the device must be connected to an authentik deployment. To do so, follow these steps:

ak config setup --authentik-url https://authentik.company

Your default browser will open and direct you to the authentik login page. Once authenticated, the authentik Agent will be configured.

The authentik Agent primarily outputs logs to Windows Event Viewer.

WCP logs to the ak_cred_provider.log located in C:\ProgramData\Authentik Security Inc\logs.