  • Microsoft shares Windows 11 24H2, Server 2025 new Registry key and Group Policies for NTLM


    Karlston


    Last year in December, Microsoft began deprecating all versions of the NTLM (NT LAN Manager) protocol on Windows 11 24H2 and Windows Server 2025. This meant that it was no longer in active development, so support was reduced and removal was coming soon. The standard has proven vulnerable in modern times, and Microsoft recommends moving to modern authentication methods like Kerberos.

     

    NTLMv1 has already been removed on 24H2 and Server 2025, and as such, the company has recently published a couple of guidance articles regarding it. Neowin noticed these while browsing.

     

    In July, Microsoft shared a support article regarding NTLM auditing changes. This auditing is meant to help IT admins and system administrators identify NTLM usage at their organizations. Microsoft understands that despite the removal of NTLM, some organizations continue to rely on legacy NTLM authentication and thus it is crucial to have tools like these in place.

     

    This official guide walks admins through how the NTLM settings can be configured by either the new "NTLM Enhanced Logging" Group Policy for client and server logging, or the new "Log Enhanced Domain-wide NTLM Logs" for domain-wide logging.


    You can find the full details in Microsoft's support article KB5064479.

     

    While the first guidance piece was about auditing via Group Policy, the second one covers a new Registry key for the "auditing" and "enforcement" of Credential Guard for blocking NTLMv1 cryptography. Credential Guard, as the name suggests, uses VBS (virtualization-based security) to protect credentials from theft, and the feature should help secure NTLM password hashes.

     

    Details for the new Registry key are given below:

     

    Registry location: HKLM\SYSTEM\currentcontrolset\control\lsa\msv1_0
    Value: BlockNtlmv1SSO
    Type: REG_DWORD
    Data:

    • 0 (default) - The request to generate NTLMv1-credentials for a logged-on user is audited but allowed to succeed. Warning events are generated. This setting is also called Audit mode.

    • 1 - The request to generate NTLMv1-credentials for a logged-on user is blocked. Error events are generated. This setting is also called Enforce mode.

     

    Microsoft has also shared the timeline of the rollout of these changes:

     

    Date and change:

    • Late August 2025: Auditing logs for NTLMv1 usage enabled on Windows 11, version 24H2 and newer clients.

    • November 2025: Begin rollout of changes to Windows Server 2025.

    • October 2026: The default value of the BlockNtlmv1SSO registry key is changed from Audit mode (0) to Enforce mode (1) through a future Windows update, strengthening NTLMv1 restrictions. This change in defaults only takes effect if the BlockNtlmv1SSO registry key has not been deployed.

     

    You can find more details about it in support article KB5066470 on Microsoft's official website.
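
A read-only check of the Registry setting described above, as an added example that is not from Microsoft or the original post: it reports whether BlockNtlmv1SSO is in Audit mode, Enforce mode, or not deployed, which is the case affected by the October 2026 default change. The function name Get-BlockNtlmv1SsoMode and the output field names are assumptions made for this example.

```powershell
# Added example: read-only report of the BlockNtlmv1SSO setting.
# The key path, value name, type and 0/1 meanings are taken from the article;
# the function name and output fields are hypothetical.
function Get-BlockNtlmv1SsoMode {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0',
        [string]$Name = 'BlockNtlmv1SSO'
    )

    # Open the key; a missing key is treated the same as a missing value.
    $key  = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    $data = if ($key) { $key.GetValue($Name, $null) } else { $null }
    $kind = if ($null -ne $data) { $key.GetValueKind($Name) } else { $null }

    if ($null -eq $data) {
        # Not deployed: the OS default applies, and that default is the
        # one scheduled to move from Audit (0) to Enforce (1).
        $mode = 'NotDeployed'
        $note = 'OS default applies (Audit now, Enforce after the October 2026 default change).'
    } elseif ($kind -ne 'DWord') {
        $mode = 'Unexpected'
        $note = "Value exists but is $kind, not REG_DWORD."
    } elseif ($data -eq 0) {
        $mode = 'Audit'
        $note = 'NTLMv1 credential requests are allowed; warning events are generated.'
    } elseif ($data -eq 1) {
        $mode = 'Enforce'
        $note = 'NTLMv1 credential requests are blocked; error events are generated.'
    } else {
        $mode = 'Unexpected'
        $note = "Data $data is outside the documented values 0 and 1."
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Mode     = $mode
        Data     = $data
        Note     = $note
    }
}

Get-BlockNtlmv1SsoMode
```

A NotDeployed result marks the machines whose behaviour will change with the default; deploying the value explicitly as 0 or 1 pins the mode on either side of that date.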

     



    Hope you enjoyed this news post. Feedback welcome.

    Posted Monday 8 September 2025 at 4:01 am AEST (my time).

    News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of August): 4,048

    RIP Matrix

