Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. If you enable this policy setting, the device's credentials will be selected based on the following options: Automatic: Device will attempt to authenticate using its certificate. If the DC does not support computer account authentication using certificates then authentication with password will be attempted. Force: Device will always authenticate using its certificate. If a DC cannot be found which support computer account authentication using certificates then authentication will fail. If you disable this policy setting, Disable will be used. If you do not configure this policy setting, Automatic will be used. Counter Measure: Enable and configure this setting to use "Force". Potential Impact: If the setting is configured to Force and a domain controller cannot be found which support computer account authentication using certificates, authentication will fail. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Kerberos\Support device authentication using certificate (2) REG: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!DevicePKInitEnabled