Hey everyone,
I'm working on connecting a WinRM (HTTPS) setup from a domain-joined machine to a device that's joined through Entra, which is appearing as a workgroup machine in our network. Here's my current setup:
- The source machine is domain-joined.
- The target machine is Entra-joined and not part of Active Directory.
- I've ensured that port 5986 for HTTPS is open.
- A certificate is deployed on the Entra device.
- The WinRM listener on the remote device is set up for HTTPS.
However, I'm running into a problem. When I execute the command:
Test-WSMan -ComputerName "xxx" -UseSSL -ErrorAction Stop
I get an error that says, "The WinRM client cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled..."
Here are a few important things I've noticed:
- It works fine with other domain-joined machines using Kerberos.
- The Entra device isn't registered in DNS, which seems normal in this scenario.
- I can only get it to resolve the name using its IP address.
I have a few questions:
1. Are there any known limitations when using WinRM from a domain device to an Entra-joined device?
2. What's the best authentication method to use in this case? Should I go with NTLM, Basic over HTTPS, or certificate-based authentication?
3. Is DNS registration necessary, or should I depend on using the IP address or hosts file for connectivity?
4. Are there specific WinRM settings that I need to adjust for devices that are only joined via Entra?
I think I might be missing something crucial regarding how WinRM authentication functions outside of AD and Kerberos. Any insights would be greatly appreciated! Thanks!
1 Answer
You might want to double-check the name you're using with the Test-WSMan command. Some users have mentioned needing to append a dollar sign ($) to the device name in certain configurations. Just a thought!

Wait, where exactly would you add the $? Is it right at the end of the device name in that command?
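
For the setup described in the question (HTTPS listener on 5986, target without a DNS record), the checks below separate reachability, certificate name and trust, and authentication. This is an added example, not part of the thread; the IP address, host name and the choice of Negotiate with an explicit credential are assumptions, and the last step assumes the name resolves on the source machine (for example through the hosts file the question mentions).

```powershell
# Added diagnostic example; both default values are constructed placeholders.
param(
    [string]$Target      = '192.0.2.10',            # placeholder IP of the Entra-joined device
    [string]$ConnectName = 'entra-device.example'   # placeholder: the name passed to -ComputerName
)

# 1. Reachability: a blocked or filtered 5986 yields the same generic WinRM client error.
$tcp = Test-NetConnection -ComputerName $Target -Port 5986 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { throw "TCP 5986 is not reachable on $Target" }

# 2. Fetch the listener certificate for inspection only. The callback accepts any
#    certificate so that it can be read even when it would fail validation.
$client = [System.Net.Sockets.TcpClient]::new($Target, 5986)
try {
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
    $ssl.AuthenticateAsClient($ConnectName)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
} finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Dispose()
}

# 3. WinRM over HTTPS checks that the certificate names the host you connect to and
#    that it chains to a root trusted on the source machine. Report both.
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        ForEach-Object { $_.Format($false) }) -join ', '
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$trusted = $chain.Build($cert)
[pscustomobject]@{
    Subject        = $cert.Subject
    SAN            = $san
    NotAfter       = $cert.NotAfter
    # Rough substring check; it does not evaluate wildcard names.
    NameListed     = ("$($cert.Subject) $san" -match [regex]::Escape($ConnectName))
    TrustedLocally = $trusted
    ChainStatus    = ($chain.ChainStatus.Status -join ', ')
} | Format-List

# 4. Kerberos is not available for a target outside AD, so state the mechanism and
#    credential explicitly. Over HTTPS no TrustedHosts entry is required.
$cred = Get-Credential -Message "Account valid on $ConnectName"
Test-WSMan -ComputerName $ConnectName -UseSSL -Authentication Negotiate -Credential $cred -ErrorAction Stop
```

If `NameListed` or `TrustedLocally` is false, reissue the certificate with the name actually used, or import its issuing CA on the source machine, before changing any authentication settings.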