How to Disable WinRM Basic Authentication Using Microsoft Intune

Open your web browser and navigate to the Microsoft Intune Admin Center. Sign in with your administrative credentials and access the device configuration section.

Navigate to Devices > Configuration > + Create > + New Policy. This opens the policy creation wizard where you'll configure the WinRM security settings.

In the policy creation wizard, select Windows 10 and later as the target platform. This ensures compatibility with modern Windows devices in your organization.

Choose Settings Catalog as the profile type. The Settings Catalog provides granular control over Windows configuration settings and is the recommended approach for advanced security configurations.

Click Create to proceed to the configuration settings page.

In the Configuration Settings tab, click + Add Settings to open the Settings Picker. This interface allows you to browse and select specific Windows configuration options.

Browse by Category and navigate through the following path:

System > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client

Locate and select Allow Basic authentication from the available settings list. This setting controls whether the WinRM client can use Basic authentication for credential transmission.

Set the Allow Basic authentication policy to Disabled. This prevents the WinRM client from using Basic authentication, which transmits credentials in plain text over the network.

The registry modification this creates:

Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client
Registry Value Name: AllowBasic
Value Type: DWORD
Value Data: 0 (Disabled)

Add a second setting by repeating the process for WinRM Service > Allow Basic authentication and also set it to Disabled.

While in the Settings Picker, add these additional security configurations to strengthen your WinRM security posture:

Navigate to WinRM Client and add:

• Allow unencrypted traffic - Set to Disabled
• Disallow Digest authentication - Set to Enabled

Navigate to WinRM Service and add:

• Allow unencrypted traffic - Set to Disabled
• Disallow WinRM from storing RunAs credentials - Set to Enabled

These settings align with Microsoft's security baseline recommendations and Zero Trust principles.

Provide a descriptive name for your policy, such as "WinRM Security Hardening - Disable Basic Auth". Add a clear description explaining the policy's purpose and security benefits.

Click Next to proceed to the Assignments tab. Select the appropriate security groups or organizational units that should receive this policy.

Consider creating a phased deployment:

Phase 1: IT Test Group (10-20 devices)
Phase 2: IT Department (50-100 devices)
Phase 3: All Corporate Devices

Configure any scope tags if your organization uses them for policy management and delegation.

Review all policy settings on the Review + Create page. Verify that all WinRM security configurations are correctly set:

• WinRM Client Basic authentication: Disabled
• WinRM Service Basic authentication: Disabled
• Unencrypted traffic settings: Disabled
• Additional security hardening: Enabled

Click Create to deploy the policy. The policy will be distributed to target devices during their next check-in cycle.

Navigate to Devices > Monitor > Device configuration to track policy deployment status. Monitor the compliance dashboard for successful policy application.

Check individual device compliance by navigating to Devices > All devices and selecting specific devices to view their configuration status.

Force immediate policy refresh on test devices using:

Get-ScheduledTask | Where-Object {$_.TaskName -eq "PushLaunch"} | Start-ScheduledTask

Or use the Intune Company Portal app to sync policies manually.

Connect to a target device and verify the registry settings have been applied correctly. Open PowerShell as Administrator and run:

# Check WinRM Client Basic Auth setting
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" -Name "AllowBasic" -ErrorAction SilentlyContinue

# Check WinRM Service Basic Auth setting
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowBasic" -ErrorAction SilentlyContinue

# Verify WinRM configuration
winrm get winrm/config/client/auth
winrm get winrm/config/service/auth

The AllowBasic values should be 0 (disabled), and the WinRM configuration should show Basic authentication as false.

Test WinRM connectivity using secure authentication methods to ensure the policy doesn't break legitimate remote management scenarios:

# Test WinRM connectivity with Kerberos authentication
Test-WSMan -ComputerName "target-computer" -Authentication Kerberos

# Test PowerShell remoting with current credentials
Enter-PSSession -ComputerName "target-computer" -Authentication Negotiate

# Check WinRM listener configuration
winrm enumerate winrm/config/listener

If connections fail, verify that HTTPS listeners are configured and certificates are properly installed. For troubleshooting, check the Windows Event Logs:

Get-WinEvent -LogName "Microsoft-Windows-WinRM/Operational" -MaxEvents 50

Common resolution: Configure WinRM to use HTTPS (port 5986) instead of HTTP (port 5985) for secure communications.