This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The following document shows how to enable device authentication controls in Windows Server 2016 and 2012 R2.
Originally in AD FS 2012 R2 there was one global authentication property called DeviceAuthenticationEnabled that controlled device authentication.
To configure the setting, the Set-AdfsGlobalAuthenticationPolicy cmdlet was used as shown below:
PS:\>Set-AdfsGlobalAuthenticationPolicy –DeviceAuthenticationEnabled $true
To disable device authentication, the same cmdlet was used to set the value to $false.
The only type of device authentication supported in 2012 R2 was clientTLS. In AD FS 2016, in addition to clientTLS there are two new types of device authentication for modern devices authentication. These are:
To control the new behavior, the DeviceAuthenticationEnabled property is used in combination with a new property called DeviceAuthenticationMethod.
The device authentication method determines the type of device authentication that will be done: PRT, PKeyAuth, clientTLS, or some combination. It has the following values:
As you can see, PRT is part of all device authentication methods, making it in effect the default method that is always enabled when DeviceAuthenticationEnabled is set to $true.
Example: To configure the method(s), use the DeviceAuthenticationEnabled cmdlet as above, along with new property:
PS:\>Set-AdfsGlobalAuthenticationPolicy –DeviceAuthenticationEnabled $true
Note
In AD FS 2019, DeviceAuthenticationMethod can be used with the Set-AdfsRelyingPartyTrust command.
PS:\>Set-AdfsRelyingPartyTrust -DeviceAuthenticationMethod ClientTLS
Note
Enabling device authentication (setting DeviceAuthenticationEnabled to $true) means the DeviceAuthenticationMethod is implicitly set to SignedToken, which equates to PRT.
PS:\>Set-AdfsGlobalAuthenticationPolicy –DeviceAuthenticationMethod All
Note
The default device authentication method is SignedToken. Other values are PKeyAuth,ClientTLS, and All.
The meanings of the DeviceAuthenticationMethod values have changed slightly since AD FS 2016 was released. See the table below for the meaning of each value, depending on the update level:
| AD FS version | DeviceAuthenticationMethod value | Means |
|---|---|---|
| 2016 RTM | SignedToken | PRT + PkeyAuth |
| clientTLS | clientTLS | |
| All | PRT + PkeyAuth + clientTLS | |
| 2016 RTM + up to date with Windows Update | SignedToken (changed meaning) | PRT (only) |
| PkeyAuth (new) | PRT + PkeyAuth | |
| clientTLS | PRT + clientTLS | |
| All | PRT + PkeyAuth + clientTLS |
Training
Learning path
MD-100 Configure authorization and authentication - Training
MD-100 Configure authorization and authentication
Certification
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.
Events
Apr 29, 2 PM - Apr 30, 7 PM
Join the ultimate Windows Server virtual event April 29-30 for deep-dive technical sessions and live Q&A with Microsoft engineers.
Sign up now