Ansible WinRM for non-domain-joined devices and domain-joined

We use a lot of Windows devices. They are installed with the Windows deployment toolkit, and after that I want to run Ansible playbooks on them to join the domain and apply some other settings.

Which WinRM authentication can we best configure for security?

I think CredSSP is the best in this solution because it works for both local and domain-joined?

Kerberos is by far the best authentication method to use, but unfortunately that only works for domain accounts. If you need to use local accounts, CredSSP is OK, but you do need to be aware of the unconstrained delegation of credentials it introduces. In the end, if you need to auth with a local account you should be doing it over HTTPS, which negates some of the security concerns with things like NTLM or basic auth because the whole HTTP payload is encrypted.
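An inventory layout that follows the advice in the answer above, as an added example that is not part of the original thread: Kerberos for domain-joined hosts, and a local account over HTTPS with certificate validation for freshly deployed hosts. Host names, group names, the CA bundle path and the `vault_*` variables are placeholders.

```yaml
# Constructed example inventory; every host, group, path and vault_* name is a placeholder.
all:
  children:
    windows:
      vars:
        ansible_connection: winrm
        ansible_port: 5986                    # WinRM HTTPS listener
        ansible_winrm_scheme: https
        # "validate" authenticates the server; "ignore" would accept any
        # certificate and leave NTLM/basic exposed to interception.
        ansible_winrm_server_cert_validation: validate
        ansible_winrm_ca_trust_path: /etc/ansible/winrm-ca.pem
      children:
        windows_workgroup:
          # Not yet domain joined: only local accounts exist, so Kerberos
          # is unavailable. NTLM is used here, carried inside TLS.
          vars:
            ansible_winrm_transport: ntlm
            ansible_user: "{{ vault_local_admin_user }}"
            ansible_password: "{{ vault_local_admin_password }}"
          hosts:
            deploy-pc01.example.test:
        windows_domain:
          # Domain joined: Kerberos with a domain account in UPN form,
          # for example user@CORP.EXAMPLE.TEST.
          vars:
            ansible_winrm_transport: kerberos
            ansible_user: "{{ vault_domain_user }}"
            ansible_password: "{{ vault_domain_password }}"
          hosts:
            srv01.corp.example.test:
```

Setting `ansible_winrm_transport: credssp` on a group is only worth it when its tasks need the credentials delegated to the remote host, since that is where the unconstrained delegation mentioned above comes in.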

Another question. I can add a server to a group with other WinRM settings, but can I also remove that group and add another one?