Microsoft shares Windows 11 24H2, Server 2025 new Registry key and Group Policies for NTLM

Last year in December, Microsoft began deprecating all versions of the NTLM (NT LAN Manager) protocol on Windows 11 24H2 and Windows Server 2025. This meant that it was no longer in active development, so support was reduced and removal was coming soon. The standard has proven vulnerable in modern times, and Microsoft recommends moving to modern authentication methods like Kerberos.

NTLMv1 has already been removed on 24H2 and Server 2025, and as such, the company has recently published a couple of guidance articles regarding it. Neowin noticed these while browsing.

In July, Microsoft shared a support article regarding NTLM auditing changes. This auditing is meant to help IT admins and system administrators identify NTLM usage at their organizations. Microsoft understands that despite the removal of NTLM, some organizations continue to rely on legacy NTLM authentication and thus it is crucial to have tools like these in place.

This official guide walks admins through how the NTLM settings can be configured by either the new "NTLM Enhanced Logging" Group Policy for client and server logging, or the new "Log Enhanced Domain-wide NTLM Logs" for domain-wide logging.

You can find the full details in the support article KB5064479.

While the first guidance piece was about auditing via Group Policy, the second one adds information about a new Registry key for the "auditing" and "enforcement" of Credential Guard blocking of NTLMv1 cryptography. If you are wondering, Credential Guard, as the name suggests, isolates credentials to protect them from theft with the help of VBS (virtualization-based security), and the feature should help secure NTLM password hashes.

Details for the new Registry key are given below:

Registry location: HKLM\SYSTEM\currentcontrolset\control\lsa\msv1_0

Value: BlockNtlmv1SSO

Type: REG_DWORD

Data:

  • 0 (default) - The request to generate NTLMv1-credentials for a logged-on user is audited but allowed to succeed. Warning events are generated. This setting is also called Audit mode.

  • 1 - The request to generate NTLMv1-credentials for a logged-on user is blocked. Error events are generated. This setting is also called Enforce mode.

Microsoft has also shared the timeline of the rollout of these changes:

  • Late August 2025: Auditing logs for NTLMv1 usage enabled on Windows 11, version 24H2 and newer clients.

  • November 2025: Begin rollout of changes to Windows Server 2025.

  • October 2026: The default value of the BlockNtlmv1SSO registry key is changed from Audit mode (0) to Enforce mode (1) through a future Windows update, strengthening NTLMv1 restrictions. This change in defaults only takes effect if the BlockNtlmv1SSO registry key has not been deployed.

You can find more details about these changes in the support article KB5066470 on Microsoft's official website.
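
As an added example (not code from Microsoft or from this article), the PowerShell below reports whether BlockNtlmv1SSO has been explicitly deployed on a machine and which mode it selects, and can set it. The distinction between "not deployed" and an explicit 0 matters because the October 2026 default change only applies where the value has not been deployed. The function names Get-BlockNtlmv1SsoState and Set-BlockNtlmv1SsoMode are hypothetical; the registry path, value name and data come from the details above.

```powershell
#Requires -Version 5.1
# Added example; function and variable names are hypothetical.
$LsaMsvPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ValueName  = 'BlockNtlmv1SSO'

function Get-BlockNtlmv1SsoState {
    # A missing value is reported separately from an explicit 0: only machines
    # without a deployed value follow the OS default when it changes.
    $item = Get-ItemProperty -Path $LsaMsvPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Deployed = $false
            Data     = $null
            Mode     = 'Not deployed (OS default applies)'
        }
    }
    $data = [int]$item.$ValueName
    $mode = switch ($data) {
        0       { 'Audit' }
        1       { 'Enforce' }
        default { "Unexpected data: $data" }
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Deployed = $true
        Data     = $data
        Mode     = $mode
    }
}

function Set-BlockNtlmv1SsoMode {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('Audit', 'Enforce')][string]$Mode)

    $data = if ($Mode -eq 'Enforce') { 1 } else { 0 }
    if ($PSCmdlet.ShouldProcess("$LsaMsvPath\$ValueName", "Set REG_DWORD to $data ($Mode)")) {
        # -Force creates the value or overwrites an existing one as a DWORD.
        New-ItemProperty -Path $LsaMsvPath -Name $ValueName -PropertyType DWord -Value $data -Force | Out-Null
    }
    Get-BlockNtlmv1SsoState
}

Get-BlockNtlmv1SsoState
# Preview a change without writing it (run elevated to apply):
# Set-BlockNtlmv1SsoMode -Mode Enforce -WhatIf
```

Reviewing the audit warnings before moving a machine from Audit to Enforce shows which workloads still request NTLMv1 credentials.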
