Forum Discussion

Squirrel215's avatar
Squirrel215
Copper Contributor
Apr 12, 2022

NTLM Blocking on Windows 10 21H1 breaks some group policies, specifically allow/deny log on locally

 I'm struggling with blocking NTLM outbound from workstations, as it appears that some group policy processing, specifically the user rights assignments, requires it.  I've been able to replicate this so far.  

 

Steps to reproduce on Windows 10 21H1 Pro:

Block NTLM outgoing on a workstation

Set "allow log on locally" or "deny log on locally" to include any domain group in the user rights assignments security settings/local policy.

Enable Group policy debugging with registry entry: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics: GPSvcDebugLevel DWORD 0x30002

Reboot

Look in c:\windows\security\logs\winlogon.log and find entries stating that it could not enumerate the groups you added.  You will also find that they are not enforced.

 

So. how to get the winlogon process to use Kerberos and not NTLM?  Can anyone else confirm this?

 

 

No RepliesBe the first to reply

Resources