Microsoft Introduces New Registry Key and Group Policies for NTLM in Windows 11 24H2 and Server 2025

Deprecation of NTLM Protocol in Windows 11 and Server 2025

In December of last year, Microsoft initiated the phasing out of the NT LAN Manager (NTLM) protocol across Windows 11 24H2 and Windows Server 2025. This significant move indicates that NTLM is no longer under active development, leading to diminished support and an eventual removal. Given the protocol’s vulnerabilities in today’s security landscape, Microsoft strongly advocates transitioning to more modern authentication methods, such as Kerberos.

NTLMv1 Removal and Guidance Articles

As part of this transition, NTLMv1 has already been eliminated from both Windows 11 24H2 and Windows Server 2025. In response, Microsoft has released a series of guidance documents aimed at assisting IT professionals and system administrators in adapting to these changes.

In July, Microsoft published a support article describing the auditing changes for NTLM. This auditing capability is critical for identifying NTLM usage within an organization, since some environments still depend on this legacy authentication method, and having such tooling is essential for managing the security implications of the transition.

Configuration Instructions

The guidance further explores how administrators can configure NTLM settings through two new Group Policies: “NTLM Enhanced Logging” for client and server settings, and “Log Enhanced Domain-wide NTLM Logs” for comprehensive domain logging.

For further information, you can access the complete support article on Microsoft’s website under KB5064479.

New Registry Key for Credential Guard

Besides auditing guidelines, Microsoft has introduced details regarding a new Registry key concerning the auditing and enforcement of Credential Guard. This feature plays a crucial role in safeguarding credentials against theft by utilizing Virtualization-Based Security (VBS), thereby securing NTLM password hashes.

Registry Key Information

Registry Location: HKLM\SYSTEM\currentcontrolset\control\lsa\msv1_0
Value: BlockNtlmv1SSO
Type: REG_DWORD
Data:
  • 0 (default): Allows requests to generate NTLMv1 credentials but audits them, generating warning events. This mode is referred to as Audit mode.
  • 1: Blocks NTLMv1 credentials generation, resulting in error events. This is categorized as Enforce mode.
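As an added example (not from the article or from Microsoft), the following PowerShell script reports the current BlockNtlmv1SSO state on the local machine, treats an absent value as the Audit-mode default, and optionally switches to Enforce mode. It assumes an elevated session on a Windows 11 24H2 or Windows Server 2025 host that has the relevant update installed.

```powershell
# Added example: inspect and optionally enforce the BlockNtlmv1SSO value.
# Run elevated. Use -Enforce to set Enforce mode (1); add -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Enforce
)

# Same key as documented in the article (registry paths are case-insensitive).
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'BlockNtlmv1SSO'

# Read the value. -ErrorAction SilentlyContinue makes a missing value return $null
# instead of throwing, which lets us distinguish "not set" from an explicit 0.
$item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
$current = if ($null -eq $item) { $null } else { [int]$item.$valueName }

if ($null -eq $current) {
    # Value absent: behaves as Audit mode (0). Per the article, hosts in this state
    # are the ones whose default is planned to flip to Enforce mode in October 2026.
    $mode = 'Audit mode (value absent, default 0; subject to the future default change)'
} elseif ($current -eq 0) {
    # Explicit 0: Audit mode, and the key has been "utilized", so the future
    # default flip described in the article would not apply automatically.
    $mode = 'Audit mode (explicitly set to 0)'
} elseif ($current -eq 1) {
    $mode = 'Enforce mode (1): NTLMv1 credential generation blocked'
} else {
    $mode = "Unrecognized value ($current)"
}
Write-Host "$valueName at $keyPath : $mode"

if ($Enforce -and $current -ne 1) {
    if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", 'Set to 1 (Enforce mode)')) {
        # Set-ItemProperty creates the value if it does not exist yet.
        Set-ItemProperty -Path $keyPath -Name $valueName -Value 1 -Type DWord
        Write-Host 'BlockNtlmv1SSO is now 1 (Enforce mode). No reboot is assumed here;'
        Write-Host 'verify with the NTLM audit events before relying on the change.'
    }
}
```

Run it without -Enforce first across a representative set of hosts to confirm that no NTLMv1 warning events are still being generated before moving to Enforce mode.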

Timeline for Rollout of Changes

Microsoft has also outlined a timeline for the implementation of these changes:

Late August 2025: Activation of auditing logs for NTLMv1 usage on Windows 11, version 24H2 or newer clients.
November 2025: Commencement of changes rollout for Windows Server 2025.
October 2026: The default setting for the BlockNtlmv1SSO registry key will switch from Audit mode (0) to Enforce mode (1) via a future Windows update, elevating restrictions on NTLMv1. This alteration will only be implemented if the BlockNtlmv1SSO registry key has not been utilized.

For additional details, refer to the support article KB5066470 on Microsoft’s website.
