Policy CSP - ADMX_WindowsRemoteManagement

Tip

This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

DisallowKerberos_1

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsRemoteManagement/DisallowKerberos_1

This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Kerberos credentials over the network.

  • If you enable this policy setting, the WinRM service doesn't accept Kerberos credentials over the network.

  • If you disable or don't configure this policy setting, the WinRM service accepts Kerberos authentication from a remote client.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DisallowKerberos_1
Friendly Name Disallow Kerberos authentication
Location Computer Configuration
Path Windows Components > Windows Remote Management (WinRM) > WinRM Service
Registry Key Name Software\Policies\Microsoft\Windows\WinRM\Service
Registry Value Name AllowKerberos
ADMX File Name WindowsRemoteManagement.admx

DisallowKerberos_2

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsRemoteManagement/DisallowKerberos_2

This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Kerberos authentication directly.

  • If you enable this policy setting, the Windows Remote Management (WinRM) client doesn't use Kerberos authentication directly. Kerberos can still be used if the WinRM client is using the Negotiate authentication and Kerberos is selected.

  • If you disable or don't configure this policy setting, the WinRM client uses the Kerberos authentication directly.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DisallowKerberos_2
Friendly Name Disallow Kerberos authentication
Location Computer Configuration
Path Windows Components > Windows Remote Management (WinRM) > WinRM Client
Registry Key Name Software\Policies\Microsoft\Windows\WinRM\Client
Registry Value Name AllowKerberos
ADMX File Name WindowsRemoteManagement.admx

Policy configuration service provider