NTLM Blocking on Windows 10 21H1 breaks some group policies, specifically allow/deny log on locally
I'm struggling with blocking NTLM outbound from workstations, as it appears that some group policy processing, specifically the user rights assignments, requires it. I've been able to replicate this so far.
Steps to reproduce on Windows 10 21H1 Pro:
Block NTLM outgoing on a workstation
Set "allow log on locally" or "deny log on locally" to include any domain group in the user rights assignments security settings/local policy.
Enable Group policy debugging with registry entry: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics: GPSvcDebugLevel DWORD 0x30002
Reboot
Look in c:\windows\security\logs\winlogon.log and find entries stating that it could not enumerate the groups you added. You will also find that they are not enforced.
So, how to get the winlogon process to use Kerberos and not NTLM? Can anyone else confirm this?
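The reproduction steps above, automated as an added example (my script, not the poster's). It writes the GPSvcDebugLevel value from step 3 and then filters winlogon.log from step 5. The failure regex is an assumption about the log wording, since the post only says the log reports it "could not enumerate the groups"; the sample lines at the end are constructed, not real log output.

```powershell
# Added example (not the poster's code): automate the reproduction steps above.
# Run in an elevated PowerShell on the test workstation.

$DiagKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$LogPath = Join-Path $env:SystemRoot 'security\logs\winlogon.log'

# Step 3 of the repro: turn on Group Policy service debug logging.
function Enable-GpSvcDebugLog {
    if (-not (Test-Path $DiagKey)) {
        New-Item -Path $DiagKey -Force | Out-Null
    }
    # 0x30002 is the value given in the question; a reboot is needed afterwards.
    Set-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel' -Value 0x30002 -Type DWord
    (Get-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel').GPSvcDebugLevel
}

# Step 5 of the repro: pull the lines from winlogon.log that point at groups the
# security-settings extension could not resolve. The pattern is an ASSUMPTION about
# the log wording (the question only says "could not enumerate the groups");
# widen or narrow it to match what your own log shows.
function Find-GroupResolutionFailures {
    param(
        [string[]]$Lines = (Get-Content -Path $LogPath -ErrorAction Stop),
        [string]$FailurePattern = 'enumerat|Cannot find|Error \d+'
    )
    $Lines |
        Select-String -Pattern $FailurePattern |
        Select-Object LineNumber, Line
}

# Usage:
#   Enable-GpSvcDebugLog            # then reboot the workstation
#   Find-GroupResolutionFailures    # after the reboot, review the matches

# Constructed sample lines (NOT real winlogon.log output) so the filter can be
# exercised without a reboot; the domain and group names are placeholders.
$sample = @(
    'Configure User Rights...',
    'Cannot find EXAMPLE\Workstation Logon Users.',
    'Configure S-1-5-32-545.'
)
Find-GroupResolutionFailures -Lines $sample
```

Only the second constructed line matches; on a real log, any line that names a domain group from your "allow/deny log on locally" settings is the one to compare against the groups you actually configured.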
7 Replies
- thesquirrel1130Copper Contributor
I'm using my work profile to answer my own question here.
If you enable RPC authentication, it will fall back to NTLM, and if you have outbound NTLM denied you will have problems. Ex: GUID mapping to groups fails; some GPO processing fails. Usernames show up as GUIDs when viewing group memberships on workstations.
This took forever to track down when we removed NTLM from our network.
Read the text in the blue box on Microsoft's explanation:
https://learn.microsoft.com/en-us/windows-server/security/rpc-interface-restrict
THIS IS A KNOWN ISSUE!
- JerichooBrass Contributor
You've identified a very specific and challenging issue. Based on your detailed testing, you are correct: the Windows Local Security Authority (LSA) process, which handles user logons and enforces Group Policy's user rights assignments, falls back to NTLM when it cannot use Kerberos. This is a core behavior of the Windows security architecture, not a bug.
- thesquirrel1130Copper Contributor
See my own reply as to the fix for this
- CalumboIron Contributor
Windows security policies and user rights assignments often require some form of authentication, and NTLM is commonly used for local and network authentication in various scenarios. When you block NTLM outbound, certain operations, including group enumeration during policy processing, may fail because the system can't authenticate or retrieve group membership information.
- thesquirrel1130Copper Contributor
See my own reply as to the fix for this
- FinneasHayesIron Contributor
Restrict outgoing NTLM traffic to remote servers; use the addresses of domain controllers that support Kerberos authentication instead.
- CruiseAtlasCopper Contributor
In Group Policy, configure the network security restriction for outbound NTLM traffic to remote servers to “Allow all,” and specify the domain controller address to use Kerberos authentication instead.
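The two replies above both point at the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" setting and its domain controller exceptions. As an added example (my script, not code from any reply), this reads the workstation's current state of that setting from the registry and checks whether every domain controller it can enumerate matches an entry in the exception list. The value names under MSV1_0 are the ones those two policies write; the 0/1/2 decoding follows the policy's Allow all / Audit all / Deny all choices. Enumerating DCs uses the .NET System.DirectoryServices.ActiveDirectory API and only works on a domain-joined machine.

```powershell
# Added example (not from any of the replies): report the outbound NTLM restriction
# in force on this workstation and whether the domain controllers are excepted.
# Read-only; it changes nothing. Run in PowerShell as a domain user.

$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-OutboundNtlmPolicy {
    $props = Get-ItemProperty -Path $Msv1Key -ErrorAction SilentlyContinue
    # Value absent means the policy is "Not defined", which behaves as Allow all.
    $mode = if ($null -ne $props.RestrictSendingNTLMTraffic) { [int]$props.RestrictSendingNTLMTraffic } else { 0 }
    $modeName = switch ($mode) {
        0       { 'Allow all' }
        1       { 'Audit all' }
        2       { 'Deny all' }
        default { "Unknown ($mode)" }
    }
    # "Add remote server exceptions for NTLM authentication" is a REG_MULTI_SZ;
    # entries may use * wildcards (e.g. *.example.test), hence the -like test below.
    $exceptions = @($props.ClientAllowedNTLMServers | Where-Object { $_ })
    [pscustomobject]@{ Mode = $mode; ModeName = $modeName; Exceptions = $exceptions }
}

function Get-DomainControllerNames {
    try {
        [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
            ForEach-Object { $_.Name }
    } catch {
        Write-Warning "Could not enumerate domain controllers: $($_.Exception.Message)"
        @()
    }
}

function Test-OutboundNtlmPolicy {
    param(
        $Policy = (Get-OutboundNtlmPolicy),
        [string[]]$DomainControllers = (Get-DomainControllerNames)
    )
    "Outbound NTLM to remote servers: $($Policy.ModeName)"
    "Exception entries: $(if ($Policy.Exceptions.Count) { $Policy.Exceptions -join ', ' } else { '(none)' })"

    if ($Policy.Mode -ne 2) {
        'Outbound NTLM is not denied, so the user-rights symptom in this thread does not come from this setting.'
        return $true
    }
    if ($Policy.Exceptions.Count -eq 0) {
        Write-Warning 'Deny all is set with no server exceptions; GPO user-rights group resolution may fail as described in the thread.'
        return $false
    }
    # Deny all is in force: every DC should match at least one exception entry.
    $uncovered = @($DomainControllers | Where-Object {
        $dc = $_
        -not ($Policy.Exceptions | Where-Object { $dc -like $_ })
    })
    if ($uncovered.Count -gt 0) {
        Write-Warning ('Deny all is set and these DCs match no exception entry: ' + ($uncovered -join ', '))
        return $false
    }
    'Deny all is set and every enumerable DC matches an exception entry.'
    return $true
}

Test-OutboundNtlmPolicy
```

Because the values are written by Group Policy, a locally edited registry value will be overwritten at the next refresh; the check is for verifying what a GPO delivered, and the fix belongs in the GPO itself as the replies say.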