Forum Discussion
NTLM Blocking on Windows 10 21H1 breaks some group policies, specifically allow/deny log on locally
I'm struggling with blocking NTLM outbound from workstations, as it appears that some group policy processing, specifically the user rights assignments, requires it. I've been able to replicate this so far.
Steps to reproduce on Windows 10 21H1 Pro:
1. Block NTLM outgoing on a workstation.
2. Set "allow log on locally" or "deny log on locally" to include any domain group in the user rights assignments security settings/local policy.
3. Enable Group Policy debugging with the registry entry: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics: GPSvcDebugLevel DWORD 0x30002
4. Reboot.
5. Look in c:\windows\security\logs\winlogon.log and find entries stating that it could not enumerate the groups you added. You will also find that they are not enforced.
So, how do I get the winlogon process to use Kerberos and not NTLM? Can anyone else confirm this?
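The following PowerShell helper is an added example for reproducing and observing the symptom described in the post; it is not code from the original post or from Microsoft. It reads the current outbound NTLM restriction, enables the GPSvc debug logging exactly as step 3 describes, and after the reboot scans winlogon.log for lines that name the groups you placed in the user rights assignment. The function names, the group list and the error-word search pattern are assumptions; the GPSvcDebugLevel value and the winlogon.log path come from the post, while the RestrictSendingNTLMTraffic / ClientAllowedNTLMServers values and NTLM Operational event ID 8001 are standard Windows values taken from documentation rather than from the thread.

```powershell
# Added example, not from the original post. Run elevated.
# Assumed: function names, $GroupNames, and the error-word regex below.
$Msv1 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Diag = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'

function Get-OutboundNtlmState {
    # Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    # 0 = Allow all, 1 = Audit all, 2 = Deny all (documented registry values, not from the post)
    $props = Get-ItemProperty -Path $Msv1 -ErrorAction SilentlyContinue
    $mode = switch ($props.RestrictSendingNTLMTraffic) {
        0       { 'Allow all' }
        1       { 'Audit all' }
        2       { 'Deny all' }
        default { 'Not configured' }
    }
    [pscustomobject]@{
        Mode       = $mode
        Exceptions = @($props.ClientAllowedNTLMServers)   # "Add remote server exceptions" list
    }
}

function Enable-GpsvcDebugLog {
    # Step 3 of the post: GPSvcDebugLevel = 0x30002 turns on verbose Group Policy service logging.
    if (-not (Test-Path $Diag)) { New-Item -Path $Diag -Force | Out-Null }
    New-ItemProperty -Path $Diag -Name GPSvcDebugLevel -PropertyType DWord -Value 0x30002 -Force | Out-Null
}

function Find-UnresolvedGroups {
    param(
        [Parameter(Mandatory)][string[]]$GroupNames,              # domain groups in allow/deny log on locally
        [string]$LogPath = 'C:\Windows\security\logs\winlogon.log'  # path from the post
    )
    if (-not (Test-Path $LogPath)) { throw "Log not found: $LogPath (reboot after enabling logging)" }
    $lines = Get-Content -Path $LogPath
    foreach ($g in $GroupNames) {
        $escaped  = [regex]::Escape($g)
        $mentions = @($lines | Where-Object { $_ -match $escaped })
        # Assumed heuristic: a line naming the group that also carries an error word.
        $errors   = @($mentions | Where-Object { $_ -match 'error|cannot|could not|fail' })
        [pscustomobject]@{
            Group      = $g
            Mentions   = $mentions.Count
            ErrorLines = $errors
        }
    }
}

function Get-BlockedNtlmAudit {
    # With the policy in "Audit all", the NTLM Operational log records outgoing NTLM
    # that would have been blocked (event 8001, documented value, not from the post).
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Usage (constructed group names):
# Get-OutboundNtlmState
# Enable-GpsvcDebugLog; Restart-Computer
# Find-UnresolvedGroups -GroupNames 'CONTOSO\Workstation Admins', 'CONTOSO\Helpdesk'
# Get-BlockedNtlmAudit
```

Running the audit query before switching the policy to "Deny all" shows which remote endpoints the workstation still reaches over NTLM during policy processing, which is the information you need to decide whether a server exception is justified or whether the Kerberos path (SPN, name resolution, time sync) needs fixing first.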
3 Replies
- Calumbo (Iron Contributor)
Windows security policies and user rights assignments often require some form of authentication, and NTLM is commonly used for local and network authentication in various scenarios. When you block NTLM outbound, certain operations, including group enumeration during policy processing, may fail because the system can't authenticate or retrieve group membership information.
- FinneasHayes (Iron Contributor)
Restrict outgoing NTLM traffic to remote servers; use the addresses of domain controllers that support Kerberos authentication instead.
- CruiseAtlas (Copper Contributor)
In Group Policy, configure the network security restriction for outbound NTLM traffic to remote servers to “Allow all,” and specify the domain controller address to use Kerberos authentication instead.