Support device authentication using certificate

Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts.

This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain.

If you enable this policy setting, the device’s credentials will be selected based on the following options:

Automatic: Device will attempt to authenticate using its certificate. If the DC does not support computer account authentication using certificates then authentication with password will be attempted.

Force: Device will always authenticate using its certificate. If a DC cannot be found which support computer account authentication using certificates then authentication will fail.

If you disable this policy setting, certificates will never be used.
If you do not configure this policy setting, Automatic will be used.

Supported on: At least Windows 10 Server, Windows 10 or Windows 10 RT
Registry HiveHKEY_LOCAL_MACHINE
Registry PathSoftware\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
Value NameDevicePKInitEnabled
Value TypeREG_DWORD
Enabled Value1
Disabled Value0

Device authentication behavior using certificate:


  1. Automatic
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSoftware\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
    Value NameDevicePKInitBehavior
    Value TypeREG_DWORD
    Value0
  2. Force
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSoftware\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
    Value NameDevicePKInitBehavior
    Value TypeREG_DWORD
    Value1


kerberos.admx

Administrative Templates (Computers)

Administrative Templates (Users)