diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 0950cd842a..9fe15efb61 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -1,672 +1,774 @@
---
-title: Policy CSP - Kerberos
-description: Define the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
+title: Kerberos Policy CSP
+description: Learn more about the Kerberos Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 01/02/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - Kerberos
-
-
-
-## Kerberos policies
-
-
- -
- Kerberos/AllowForestSearchOrder
-
- -
- Kerberos/CloudKerberosTicketRetrievalEnabled
-
- -
- Kerberos/KerberosClientSupportsClaimsCompoundArmor
-
- -
- Kerberos/PKInitHashAlgorithmConfiguration
-
- -
- Kerberos/PKInitHashAlgorithmSHA1
-
- -
- Kerberos/PKInitHashAlgorithmSHA256
-
- -
- Kerberos/PKInitHashAlgorithmSHA384
-
- -
- Kerberos/PKInitHashAlgorithmSHA512
-
- -
- Kerberos/RequireKerberosArmoring
-
- -
- Kerberos/RequireStrictKDCValidation
-
- -
- Kerberos/SetMaximumContextTokenSize
-
- -
- Kerberos/UPNNameHints
-
-
-
> [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
+
+
-
-**Kerberos/AllowForestSearchOrder**
+
+## AllowForestSearchOrder
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Kerberos/AllowForestSearchOrder
+```
+
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
-If you enable this policy setting, the Kerberos client searches the forests in this list, if it's unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
+If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
-If you disable or don't configure this policy setting, the Kerberos client doesn't search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name isn't found, NTLM authentication might be used.
+If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
+
-
+
+
+
-
-ADMX Info:
-- GP Friendly name: *Use forest search order*
-- GP name: *ForestSearch*
-- GP path: *System/Kerberos*
-- GP ADMX file name: *Kerberos.admx*
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**Kerberos/CloudKerberosTicketRetrievalEnabled**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | forestsearch |
+| Friendly Name | Use forest search order |
+| Location | Computer Configuration |
+| Path | System > Kerberos |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters |
+| Registry Value Name | UseForestSearch |
+| ADMX File Name | Kerberos.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## CloudKerberosTicketRetrievalEnabled
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Kerberos/CloudKerberosTicketRetrievalEnabled
+```
+
-
-
-This policy allows retrieving the cloud Kerberos ticket during the sign in.
+
+
+This policy setting allows retrieving the Azure AD Kerberos Ticket Granting Ticket during logon.
-- If you disable (0) or don't configure this policy setting, the cloud Kerberos ticket isn't retrieved during the sign in.
+If you disable or do not configure this policy setting, the Azure AD Kerberos Ticket Granting Ticket is not retrieved during logon.
-- If you enable (1) this policy, the cloud Kerberos ticket is retrieved during the sign in.
-
+If you enable this policy setting, the Azure AD Kerberos Ticket Granting Ticket is retrieved during logon.
+
-
-Valid values:
-0 (default) - Disabled
-1 - Enabled
+
+
+
-
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Allow retrieving the cloud Kerberos ticket during the logon*
-- GP name: *CloudKerberosTicketRetrievalEnabled*
-- GP path: *System/Kerberos*
-- GP ADMX file name: *Kerberos.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
-
+
+**Allowed values**:
-
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+
-
-**Kerberos/KerberosClientSupportsClaimsCompoundArmor**
+
+**Group policy mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | CloudKerberosTicketRetrievalEnabled |
+| Friendly Name | Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon |
+| Location | Computer Configuration |
+| Path | System > Kerberos |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters |
+| Registry Value Name | CloudKerberosTicketRetrievalEnabled |
+| ADMX File Name | Kerberos.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## KerberosClientSupportsClaimsCompoundArmor
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Kerberos/KerberosClientSupportsClaimsCompoundArmor
+```
+
-
-
-This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring, using Kerberos authentication with domains that support these features.
-If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains that support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
+
+
+This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
+If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
-If you disable or don't configure this policy setting, the client devices won't request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device won't be able to retrieve claims for clients using Kerberos protocol transition.
+If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
+
-
+
+
+
-
-ADMX Info:
-- GP Friendly name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
-- GP name: *EnableCbacAndArmor*
-- GP path: *System/Kerberos*
-- GP ADMX file name: *Kerberos.admx*
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**Kerberos/PKInitHashAlgorithmConfiguration**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | EnableCbacAndArmor |
+| Friendly Name | Kerberos client support for claims, compound authentication and Kerberos armoring |
+| Location | Computer Configuration |
+| Path | System > Kerberos |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters |
+| Registry Value Name | EnableCbacAndArmor |
+| ADMX File Name | Kerberos.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## PKInitHashAlgorithmConfiguration
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
-
-
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfiguration
+```
+
+
+
This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication.
-If you enable this policy, you'll be able to configure one of four states for each hash algorithm (SHA1, SHA256, SHA384, and SHA512) using their respective policies.
+If you enable this policy, you will be able to configure one of four states for each algorithm:
+
+- “Default” sets the algorithm to the recommended state.
+
+- “Supported” enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
+
+- “Audited” enables usage of the algorithm and reports an event (ID 206) every time it is used. This state is intended to verify that the algorithm is not being used and can be safely disabled.
+
+- “Not Supported” disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
+
+If you disable or do not configure this policy, each algorithm will assume the “Default” state.
+More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found at .
+
+Events generated by this configuration: 205, 206, 207, 208.
+
+
+
+
+
+
+
+**Description framework properties**:
-If you disable or don't configure this policy, each algorithm will assume the **Default** state.
-
-* 0 - **Disabled**
-* 1 - **Enabled**
-
-More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Configure Hash algorithms for certificate logon*
-- GP name: *PKInitHashAlgorithmConfiguration*
-- GP path: *System/Kerberos*
-- GP ADMX file name: *Kerberos.admx*
-
-
-
-
-
-
-
-**Kerberos/PKInitHashAlgorithmSHA1**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-
-This policy setting controls the configuration of the SHA1 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
-
-* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
-* 1 - **Default**: This state sets the algorithm to the recommended state.
-* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
-* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
-
-If you don't configure this policy, the SHA1 algorithm will assume the **Default** state.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Configure Hash algorithms for certificate logon*
-- GP name: *PKInitHashAlgorithmConfiguration*
-- GP path: *System/Kerberos*
-- GP ADMX file name: *Kerberos.admx*
-
-
-
-
-
-
-
-**Kerberos/PKInitHashAlgorithmSHA256**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-
-This policy setting controls the configuration of the SHA256 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
-
-* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
-* 1 - **Default**: This state sets the algorithm to the recommended state.
-* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
-* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
-
-If you don't configure this policy, the SHA256 algorithm will assume the **Default** state.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Configure Hash algorithms for certificate logon*
-- GP name: *PKInitHashAlgorithmConfiguration*
-- GP path: *System/Kerberos*
-- GP ADMX file name: *Kerberos.admx*
-
-
-
-
-
-
-
-**Kerberos/PKInitHashAlgorithmSHA384**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-
-This policy setting controls the configuration of the SHA384 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
-
-* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
-* 1 - **Default**: This state sets the algorithm to the recommended state.
-* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
-* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
-
-If you don't configure this policy, the SHA384 algorithm will assume the **Default** state.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Configure Hash algorithms for certificate logon*
-- GP name: *PKInitHashAlgorithmConfiguration*
-- GP path: *System/Kerberos*
-- GP ADMX file name: *Kerberos.admx*
-
-
-
-
-
-
-
-**Kerberos/PKInitHashAlgorithmSHA512**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-
-This policy setting controls the configuration of the SHA512 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
-
-* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
-* 1 - **Default**: This state sets the algorithm to the recommended state.
-* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
-* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
-
-If you don't configure this policy, the SHA512 algorithm will assume the **Default** state.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Configure Hash algorithms for certificate logon*
-- GP name: *PKInitHashAlgorithmConfiguration*
-- GP path: *System/Kerberos*
-- GP ADMX file name: *Kerberos.admx*
-
-
-
-
-
-
-**Kerberos/RequireKerberosArmoring**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting controls whether a computer requires that Kerberos message exchanges being armored when communicating with a domain controller.
-
-> [!WARNING]
-> When a domain doesn't support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled / Not Configured |
+| 1 | Enabled |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | PKInitHashAlgorithmConfiguration |
+| Friendly Name | Configure hash algorithms for certificate logon |
+| Location | Computer Configuration |
+| Path | System > Kerberos |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters |
+| Registry Value Name | PKInitHashAlgorithmConfigurationEnabled |
+| ADMX File Name | Kerberos.admx |
+
+
+
+
+
+
+
+
+
+## PKInitHashAlgorithmSHA1
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmSHA1
+```
+
+
+
+
+Configure SHA-1 hash algorithm for certificate logon
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not Supported |
+| 1 (Default) | Default |
+| 2 | Audited |
+| 3 | Supported |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | PKInitHashAlgorithmSHA1 |
+| Path | Kerberos > AT > System > kerberos |
+
+
+
+
+
+
+
+
+
+## PKInitHashAlgorithmSHA256
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmSHA256
+```
+
+
+
+
+Configure SHA-256 hash algorithm for certificate logon
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not Supported |
+| 1 (Default) | Default |
+| 2 | Audited |
+| 3 | Supported |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | PKInitHashAlgorithmSHA256 |
+| Path | Kerberos > AT > System > kerberos |
+
+
+
+
+
+
+
+
+
+## PKInitHashAlgorithmSHA384
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmSHA384
+```
+
+
+
+
+Configure SHA-384 hash algorithm for certificate logon
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not Supported |
+| 1 (Default) | Default |
+| 2 | Audited |
+| 3 | Supported |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | PKInitHashAlgorithmSHA384 |
+| Path | Kerberos > AT > System > kerberos |
+
+
+
+
+
+
+
+
+
+## PKInitHashAlgorithmSHA512
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmSHA512
+```
+
+
+
+
+Configure SHA-512 hash algorithm for certificate logon
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not Supported |
+| 1 (Default) | Default |
+| 2 | Audited |
+| 3 | Supported |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | PKInitHashAlgorithmSHA512 |
+| Path | Kerberos > AT > System > kerberos |
+
+
+
+
+
+
+
+
+
+## RequireKerberosArmoring
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Kerberos/RequireKerberosArmoring
+```
+
+
+
+
+This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
+
+Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
-> [!NOTE]
-> The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
+Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
-If you disable or don't configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
+If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
+
-
+
+
+
-
-ADMX Info:
-- GP Friendly name: *Fail authentication requests when Kerberos armoring is not available*
-- GP name: *ClientRequireFast*
-- GP path: *System/Kerberos*
-- GP ADMX file name: *Kerberos.admx*
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**Kerberos/RequireStrictKDCValidation**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | ClientRequireFast |
+| Friendly Name | Fail authentication requests when Kerberos armoring is not available |
+| Location | Computer Configuration |
+| Path | System > Kerberos |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters |
+| Registry Value Name | RequireFast |
+| ADMX File Name | Kerberos.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## RequireStrictKDCValidation
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Kerberos/RequireStrictKDCValidation
+```
+
-
-
+
+
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
-If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer isn't joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
+If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
-If you disable or don't configure this policy setting, the Kerberos client requires only the KDC certificate that contains the Server Authentication purpose object identifier in the EKU extensions that can be issued to any server.
+If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
+
-
+
+
+
-
-ADMX Info:
-- GP Friendly name: *Require strict KDC validation*
-- GP name: *ValidateKDC*
-- GP path: *System/Kerberos*
-- GP ADMX file name: *Kerberos.admx*
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**Kerberos/SetMaximumContextTokenSize**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | ValidateKDC |
+| Friendly Name | Require strict KDC validation |
+| Location | Computer Configuration |
+| Path | System > Kerberos |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters |
+| Registry Value Name | KdcValidation |
+| ADMX File Name | Kerberos.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## SetMaximumContextTokenSize
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Kerberos/SetMaximumContextTokenSize
+```
+
-
-
-This policy setting allows you to set the value returned to applications that request the maximum size of the SSPI context token buffer size.
+
+
+This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.
-If you disable or don't configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
+If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
-> [!NOTE]
-> This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8, the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it's not advised to set this value more than 48,000 bytes.
+Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
+
-
+
+
+
-
-ADMX Info:
-- GP Friendly name: *Set maximum Kerberos SSPI context token buffer size*
-- GP name: *MaxTokenSize*
-- GP path: *System/Kerberos*
-- GP ADMX file name: *Kerberos.admx*
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**Kerberos/UPNNameHints**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | MaxTokenSize |
+| Friendly Name | Set maximum Kerberos SSPI context token buffer size |
+| Location | Computer Configuration |
+| Path | System > Kerberos |
+| Registry Key Name | System\CurrentControlSet\Control\Lsa\Kerberos\Parameters |
+| Registry Value Name | EnableMaxTokenSize |
+| ADMX File Name | Kerberos.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## UPNNameHints
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Kerberos/UPNNameHints
+```
+
-
-
-Adds a list of domains that an Azure Active Directory-joined device can attempt to contact when it can't resolve a UPN to a principal.
+
+
+Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal.
+
-Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This limitation can cause failures, when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures.
+
+
+
-
-
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `0xF000`) |
+
-
-
+
+
+
-
-
-
+
-
+
+
+
-## Related topics
+
+
+## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
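Review bot: in the SetMaximumContextTokenSize region, the ADMX mapping table gives the Registry Value Name as `EnableMaxTokenSize`, while the description a few lines above says the policy configures the existing `MaxTokenSize` value under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters`; a reader who tries to verify the policy in the registry is left guessing which value it writes. If `EnableMaxTokenSize` is the policy's on/off flag and the size itself still lands in `MaxTokenSize`, state that in the table (for example, add a row for the size element), otherwise correct whichever of the two is wrong. Two smaller points in the same region: the `> [!NOTE]` admonition around the MaxTokenSize explanation has been flattened to a plain "Note:" sentence, which loses the callout style the rest of the page keeps for its `> [!TIP]` blocks and buries the warning not to exceed 48,000 bytes because of HTTP's base64 encoding of context tokens; and the new Scope/Editions tables for SetMaximumContextTokenSize and UPNNameHints drop the Business edition row that the removed edition tables marked as supported, and mark Windows SE as supported without the Windows 10/Windows 11 distinction the old tables drew, so the migration reads as a silent support change rather than a formatting move. Finally, the RequireStrictKDCValidation text rewrites "isn't"/"don't" to "is not"/"do not"; if that is because the description is now taken verbatim from the ADMX strings, fine, but it reverses the contracted style of the surrounding prose and should be a deliberate choice rather than a side effect.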