From 5fa5389f20ce58652c66a5c1569a0372407c2171 Mon Sep 17 00:00:00 2001
From: mapalko <20977663+mapalko@users.noreply.github.com>
Date: Thu, 15 Sep 2022 17:19:13 -0700
Subject: [PATCH 1/2] add kerberos hash algorithm policies
---
.../mdm/policy-csp-kerberos.md | 227 +++++++++++++++++-
1 file changed, 220 insertions(+), 7 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 0e1fdaeb77..c1c91b3fc2 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -31,6 +31,18 @@ manager: aaroncz
Kerberos/PKInitHashAlgorithmConfiguration
+
+
+ Kerberos/PKInitHashAlgorithmSHA1
+
+
+ Kerberos/PKInitHashAlgorithmSHA256
+
+
+ Kerberos/PKInitHashAlgorithmSHA384
+
+
+ Kerberos/PKInitHashAlgorithmSHA512
Kerberos/RequireKerberosArmoring
@@ -231,22 +243,20 @@ ADMX Info:
This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication.
-If you enable this policy, you'll be able to configure one of four states for each algorithm:
-
-* **Default**: This state sets the algorithm to the recommended state.
-* **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
-* **Audited**: This state enables usage of the algorithm and reports an event (ID 205) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
-* **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
+If you enable this policy, you'll be able to configure one of four states for each hash algorithm (SHA1, SHA256, SHA384, and SHA512) using their respective policies.
If you disable or don't configure this policy, each algorithm will assume the **Default** state.
+* 0 - **Disabled**
+* 1 - **Enabled**
+
More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037.
ADMX Info:
-- GP Friendly name: *Introducing agility to PKINIT in Kerberos protocol*
+- GP Friendly name: *Configure Hash algorithms for certificate logon*
- GP name: *PKInitHashAlgorithmConfiguration*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
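Review bot: The new `* 0 - **Disabled**` / `* 1 - **Enabled**` list lands directly under the sentence about the **Default** state with no blank line and no lead-in, so it reads as a continuation of that sentence rather than as the policy's supported values; add a blank line and an introducing sentence (for example "The following list shows the supported values:"), as the per-algorithm sections added in this change do before their own value lists. The replacement sentence also says the states are configured "using their respective policies" without naming them; linking the four Kerberos/PKInitHashAlgorithmSHA* policies here would save the reader a search. Minor, in unchanged context: "can be found https://go.microsoft.com/fwlink/?linkid=2169037" is missing "at".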
@@ -256,6 +266,209 @@ ADMX Info:
+
+**Kerberos/PKInitHashAlgorithmSHA1**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy setting controls the configuration of the SHA1 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
+
+* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
+* 1 - **Default**: This state sets the algorithm to the recommended state.
+* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
+* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
+
+If you don't configure this policy, each SHA1 will assume the **Default** state.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure Hash algorithms for certificate logon*
+- GP name: *PKInitHashAlgorithmConfiguration*
+- GP path: *System/Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+
+
+
+**Kerberos/PKInitHashAlgorithmSHA256**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy setting controls the configuration of the SHA256 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
+
+* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
+* 1 - **Default**: This state sets the algorithm to the recommended state.
+* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
+* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
+
+If you don't configure this policy, each SHA256 will assume the **Default** state.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure Hash algorithms for certificate logon*
+- GP name: *PKInitHashAlgorithmConfiguration*
+- GP path: *System/Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+
+
+
+**Kerberos/PKInitHashAlgorithmSHA384**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy setting controls the configuration of the SHA384 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
+
+* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
+* 1 - **Default**: This state sets the algorithm to the recommended state.
+* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
+* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
+
+If you don't configure this policy, each SHA384 will assume the **Default** state.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure Hash algorithms for certificate logon*
+- GP name: *PKInitHashAlgorithmConfiguration*
+- GP path: *System/Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+
+
+
+**Kerberos/PKInitHashAlgorithmSHA512**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy setting controls the configuration of the SHA512 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
+
+* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
+* 1 - **Default**: This state sets the algorithm to the recommended state.
+* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
+* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
+
+If you don't configure this policy, each SHA512 will assume the **Default** state.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Configure Hash algorithms for certificate logon*
+- GP name: *PKInitHashAlgorithmConfiguration*
+- GP path: *System/Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+
**Kerberos/RequireKerberosArmoring**
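Review bot: The Audited state in each of the four new sections reports "event (ID 206)", while the description this change removes from Kerberos/PKInitHashAlgorithmConfiguration said "ID 205"; one of the two is wrong, so please confirm the event ID before merging. All four new sections also carry the same ADMX Info as the parent policy (GP name *PKInitHashAlgorithmConfiguration*, same friendly name); if SHA1/SHA256/SHA384/SHA512 are elements of that single ADMX policy rather than separate policies, the sections should say so, and if they are separate policies the GP name should differ. "If you don't configure this policy, each SHA1 will assume the **Default** state." (and the SHA256/SHA384/SHA512 copies) is ungrammatical; patch 2/2 fixes it, so consider squashing the two. Finally, "This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled" would be more useful as a link to that policy's section, since the value list here (0 Not Supported, 1 Default, 2 Audited, 3 Supported) differs in order from the list removed there.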
From 566f04cab5b671c9095cc8105b38882711e89743 Mon Sep 17 00:00:00 2001
From: mapalko <20977663+mapalko@users.noreply.github.com>
Date: Mon, 19 Sep 2022 08:58:56 -0700
Subject: [PATCH 2/2] Update policy-csp-kerberos.md
Fixing grammatical issue
---
windows/client-management/mdm/policy-csp-kerberos.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index c1c91b3fc2..3c77cc2e2c 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -301,7 +301,7 @@ This policy setting controls the configuration of the SHA1 algorithm used by the
* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
-If you don't configure this policy, each SHA1 will assume the **Default** state.
+If you don't configure this policy, the SHA1 algorithm will assume the **Default** state.
@@ -352,7 +352,7 @@ This policy setting controls the configuration of the SHA256 algorithm used by t
* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
-If you don't configure this policy, each SHA256 will assume the **Default** state.
+If you don't configure this policy, the SHA256 algorithm will assume the **Default** state.
@@ -403,7 +403,7 @@ This policy setting controls the configuration of the SHA384 algorithm used by t
* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
-If you don't configure this policy, each SHA384 will assume the **Default** state.
+If you don't configure this policy, the SHA384 algorithm will assume the **Default** state.
@@ -454,7 +454,7 @@ This policy setting controls the configuration of the SHA512 algorithm used by t
* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
-If you don't configure this policy, each SHA512 will assume the **Default** state.
+If you don't configure this policy, the SHA512 algorithm will assume the **Default** state.
@@ -669,4 +669,4 @@ Devices joined to Azure Active Directory in a hybrid environment need to interac
## Related topics
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)