Support device authentication using certificate

Supported OS tags: Windows10, Windows10RT, Windows11, WindowsServer2016

Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. If you enable this policy setting, the device’s credentials will be selected based on the following options: Automatic: Device will attempt to authenticate using its certificate. If the DC does not support computer account authentication using certificates then authentication with password will be attempted. Force: Device will always authenticate using its certificate. If a DC cannot be found which support computer account authentication using certificates then authentication will fail. If you disable this policy setting, certificates will never be used. If you do not configure this policy setting, Automatic will be used.

• Computer
  Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon

  At least Windows Server 2019, Windows 10 Version 2004
• Computer
  Always send compound authentication first

  At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
• Computer
  Configure hash algorithms for certificate logon

  At least Windows 11 Version 22H2
• Computer
  Define host name-to-Kerberos realm mappings

  At least Windows Vista
• Computer
  Define interoperable Kerberos V5 realm settings

  At least Windows Vista
• Computer
  Disable revocation checking for the SSL certificate of KDC proxy servers

  At least Windows Server 2012, Windows 8 or Windows RT
• Computer
  Enable Delegated Managed Service Account logons

  At least Windows 11 Version 24H2