This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 52%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
Hi,
I try to combine together all requrements for "Device Claims". From what I could see 1) There have to be Windows 8 not below 2)Kerberos setting in Group policy
Plus I presume DC running 2012 +. Are there any other requirements? While KDC GP must be run on DC, Kerberos GP - must be on client? Can somebody clarify this one and confirm the above ones? Thank you!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,@InfoTechdude
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards
Thanks for posting here!
Based on my research, when we try to set the device claims, and user claims we need to set the GPOs = KDC GP must be run on DC, Kerberos GP - must be on clients.
As you said ,Dynamic Access Control is not supported in Windows operating systems prior to Windows Server 2012 and Windows 8. When Dynamic Access Control is configured in environments with supported and non-supported versions of Windows, only the supported versions will implement the changes.
For more information about the requirements , you can refer to the following link:
https://video2.skills-academy.com/en-us/windows/security/identity-protection/access-control/dynamic-access-control
Best Regards,
Hi,
Welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.
Best Regards,
Thanks. What to do in the case if you have parent domain(contoso.com) and child domain (usa.contoso.com). How do you enable claims on child domains? What if you have tree domain(fabrikam.com)? Where do you start? What can you do from child domain, what I must do from parent domain. This parent-child stuff is a little bit tricky.
Thanks for your time!