Information
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication.
The recommended state for this setting is: Enabled.
Rationale:
Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM.
Impact:
The WinRM client will not use Digest authentication.
Solution
To establish the recommended configuration, set the following Device Configuration Policy to Enabled:
To access the Device Configuration Policy from the Intune Home page:
Click Devices
Click Configuration profiles
Click Create profile
Select the platform (Windows 10 and later)
Select the profile (Administrative Templates)
Click Create
Enter a Name
Click Next
Configure the following Setting
Path: Computer Configuration/Windows Components/Windows Remote Management (WinRM)/WinRM Client
Setting Name: Disallow Digest authentication
Configuration: Enabled
Select OK
Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)
Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.
Default Value:
Disabled. (The WinRM client will use Digest authentication.)