New NTLM Controls in Windows 11 24H2 & Server 2025

NTLM had a good run. But like dial-up modems and floppy disks, its time has come and gone.

Back in December, Microsoft made it official: NTLM (NT LAN Manager) is on life support in Windows 11 24H2 and Windows Server 2025. No more active development. No more long-term support. And sooner than you think — it’s getting pulled from the OS entirely.

Why? Because in today’s world, NTLM is basically handing attackers a skeleton key. Microsoft’s been shouting it from the rooftops: move to Kerberos. It’s faster, more secure, and actually designed for modern networks.

NTLMv1? Already gone in 24H2 and Server 2025.
NTLMv2? On borrowed time.

But Microsoft knows — some of you are still stuck with legacy apps, old printers, or that one ancient ERP system that refuses to die. So instead of yanking the plug overnight, they’re giving you tools to see what’s still using NTLM… and how to shut it down safely.

🔍 New Tools for Tracking (and Killing) NTLM Usage

Microsoft recently dropped two key guidance docs that every admin should bookmark.

✅ Part 1: NTLM Auditing via Group Policy

First up: NTLM Enhanced Logging.

This isn’t just another checkbox in gpedit.msc. It’s a full audit trail that tells you exactly where NTLM is still lurking in your environment — whether it’s a client machine, a server, or crawling across your domain.

You’ve got two flavors:

  • “NTLM Enhanced Logging” — for per-machine client/server logging
  • “Log Enhanced Domain-wide NTLM Logs” — if you want the big picture across your entire AD

🔐 Part 2: Credential Guard + New Registry Key = NTLMv1’s Final Nail

Second — and arguably more important — Microsoft introduced a new registry key that works hand-in-hand with Credential Guard to finally lock NTLMv1 out for good.

Quick refresher: Credential Guard uses Virtualization-Based Security (VBS) to isolate and protect credentials from being stolen — even if malware gets local admin rights.

Now, pair that with this new key:

Registry Path:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Msv1_0

Value Name:
BlockNtlmv1SSO

Type:
REG_DWORD

Options:
0 (Default) → Audit Mode

  • NTLMv1 requests are logged (with warnings), but still allowed.
  • Perfect for testing without breaking anything.

1 → Enforce Mode

  • NTLMv1 is BLOCKED. Hard stop.
  • Generates error logs so you know exactly what failed.

This is your kill switch. Flip it when you’re ready.
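As an added example (not from the post, and not Microsoft's own tooling), this PowerShell script reports the current BlockNtlmv1SSO state on a machine and, when you pass -Mode, sets it, which is handy for the "flip it on a test box" step. It assumes only the registry path, value name, type and 0/1 meanings listed above; the Credential Guard check via the Win32_DeviceGuard CIM class and the helper function names are my additions.

```powershell
# Added example: inspect or set BlockNtlmv1SSO (run in an elevated PowerShell).
# Assumes the path/value/semantics given in the post; nothing else about the key.
param(
    [ValidateSet('Audit', 'Enforce')]
    [string]$Mode   # omit to only report the current state
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Msv1_0'
$ValueName = 'BlockNtlmv1SSO'

function Get-BlockNtlmv1SsoState {
    # 0 (or value absent) = Audit, the documented default; 1 = Enforce.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Audit (value not set; default)' }
    switch ($item.$ValueName) {
        0       { 'Audit' }
        1       { 'Enforce' }
        default { "Unknown ($($item.$ValueName))" }
    }
}

function Set-BlockNtlmv1SsoState {
    param([ValidateSet('Audit', 'Enforce')][string]$Mode)
    $value = if ($Mode -eq 'Enforce') { 1 } else { 0 }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # REG_DWORD, as the post specifies; -Force overwrites an existing value.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $value -Force | Out-Null
}

# Credential Guard status, since the post pairs the key with it.
# Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

Write-Host "Credential Guard running : $cgRunning"
Write-Host "BlockNtlmv1SSO before    : $(Get-BlockNtlmv1SsoState)"

if ($Mode) {
    Set-BlockNtlmv1SsoState -Mode $Mode
    Write-Host "BlockNtlmv1SSO after     : $(Get-BlockNtlmv1SsoState)"
}
```

Run it with no arguments first to record the state of each machine before the October 2026 default flip; use `-Mode Enforce` only on a lab box until the audit logs are clean.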

👉 Official docs: KB5066470

📅 The Timeline: When Things Get Real

Microsoft’s not moving fast — they’re moving predictably. Here’s the rollout schedule:

  • Late August 2025: NTLMv1 auditing logs go live on Windows 11 24H2+ clients. Start monitoring now.
  • November 2025: Changes roll out to Windows Server 2025. Time to test in your lab.
  • October 2026: Default flips from Audit (0) → Enforce (1) via Windows Update — unless you override it.

⚠️ Heads up: If you do nothing, your systems will start blocking NTLMv1 automatically in late 2026. No warning. No mercy. Just errors.

🛠️ What You Should Do Right Now

  1. Enable NTLM auditing — Use the new GPOs to map out where NTLM is still in use.
  2. Test Enforce Mode in a lab — Flip BlockNtlmv1SSO to 1 on a test machine. See what breaks.
  3. Update or replace legacy systems — That 15-year-old inventory app? Yeah, it’s time.
  4. Document exceptions — If you must keep something running on NTLM, whitelist it — and plan its retirement.
  5. Train your team — Make sure everyone knows NTLM is dead. No more “just enable it for now.”
