With the release of 24H2, we've started testing this feature and have discovered a slightly odd behaviour that means we cannot currently enable this.
For our endpoint admin users, we can no longer access shares when this setting is enabled. This is the case even on devices where outbound NTLM is already blocked system-wide.
The users involved have the following properties.
1. Smart-Card only set on user object.
2. Account set as not delegated on user object.
3. User is a member of Protected Users.
4. Local administrator on the client device.
The behaviour is as follows.
1. If System-Wide NTLM Blocking (RestrictSendingNTLMTraffic) is enabled, the issue does not occur, and the share can be accessed.
2. If SMB-only NTLM Blocking is additionally enabled, the share cannot be accessed, Event 4015 is logged, and a message of "Authentication failed because NTLM authentication has been disabled." is received.
Is this expected behaviour for this feature?
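An added diagnostic snippet (not from the original post) that reads the two settings described above side by side and pulls the recent SMB client security events, so the Event 4015 entries can be matched against the share that failed. It assumes a Windows 11 24H2 client where Get-SmbClientConfiguration exposes the BlockNTLM property and the client security log channel is Microsoft-Windows-SMBClient/Security; run it in an elevated session.

```powershell
# Added diagnostic snippet, not code from the original post.
# Assumptions: Windows 11 24H2 client, Get-SmbClientConfiguration exposes
# BlockNTLM, and the client security log is Microsoft-Windows-SMBClient/Security.

# 1. System-wide outbound NTLM restriction (0 = allow, 1 = audit, 2 = deny).
#    A missing value means the policy has not been configured (treated as 0).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$restrict = (Get-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic `
    -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
if ($null -eq $restrict) { $restrict = 0 }

# 2. SMB-only NTLM blocking, the 24H2 client feature the post is about.
$smb = Get-SmbClientConfiguration

# Show both settings together so the combination from the post is obvious.
[pscustomobject]@{
    RestrictSendingNTLMTraffic = $restrict
    SmbClientBlockNTLM         = $smb.BlockNTLM
} | Format-List

# 3. Recent SMB client security events mentioning NTLM (the post reports
#    Event 4015 with "NTLM authentication has been disabled").
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SMBClient/Security'
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'NTLM' } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```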