NTLM Blocking on Windows 10 21H1 breaks some group policies, specifically allow/deny log on locally

You've identified a very specific and challenging issue. Based on your detailed testing, you are correct: the Windows Local Security Authority (LSA) process, which handles user logons and enforces Group Policy's user rights assignments, falls back to NTLM when it cannot use Kerberos. This is a core behavior of the Windows security architecture, not a bug.