This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. The recommended state for this setting is: Enabled: Automatic. Rationale: Having stronger device authentication with the use of certificates is strongly encouraged over standard username and password authentication. Having this set to Automatic will allow certificate based authentication to be used whenever possible. Impact: None - this is the default behavior.
Solution
To establish the recommended configuration, set the following Device Configuration Policy to Enabled: Automatic: To access the Device Configuration Policy from the Intune Home page: Click Devices Click Configuration profiles Click Create profile Select the platform (Windows 10 and later) Select the profile (Administrative Templates) Click Create Enter a Name Click Next Configure the following Setting Path: Computer Configuration\System\Kerberos Setting Name: Support device authentication using certificate Configuration: Enabled: Automatic Select OK Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.) Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy. Default Value: Automatic. (Devices will attempt to authenticate using their certificate. If the DC does not support computer account authentication using certificates then authentication with password will be attempted.)