Event details

NTLM (New Technology LAN Manager) in Windows 11 is being phased out in favor of more secure protocols like Kerberos. Learn the history of NTLM and the associated security risks. Explore how auditing can expose legacy dependencies in storage traffic, then find out how IAKerb, Local KDC, and auto-redirect can fill Kerberos gaps so that you feel confident and prepared ahead of NTLM disablement in Windows.

Speakers: Mariam Gewida & Steve Syfuhs

This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, click Attend for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.

Heather_Poulsen
Updated Feb 26, 2026

13 Comments

  • When can we expect CSP or settings catalog Policies in Intune to eliminate NTLM and other active directory hardening? It's really frustrating to write scripts for all registry keys and it's more prone to error.

    • Steve_Syfuhs
      Microsoft

      Existing NTLM disable sent policies are already available in GP and Intune. Can you clarify what more you're expecting to see?

      • Henk_-_Simac_IT_NL
        Copper Contributor

        Hi Steve, it's confusing. Defender says this: 

        Disabling NTLM Auth

        Apply via Group Policy (recommended for most customers):

        • Open Group Policy Management Console (GPMC).
        • Edit the relevant GPO linked to your client machines.
        • Navigate to: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
        • Modify the following:
          • Network Security: LAN Manager Authentication Level — Double click and select "Send NTLMv2 response only/refuse LM & NTLM".
          • Network Security: Restrict NTLM: Incoming NTLM Traffic — Double click and select Deny all accounts.
          • Network Security: Restrict NTLM: Outgoing NTLM Traffic to remote servers — Double click and select Deny all accounts.
          • Network Security: Restrict NTLM: NTLM authentication in this domain — Double click and select Deny all accounts. (Applicable on Domain Controller machines only)
        • Run gpupdate /force

        Alternative Registry Method:

        Set the following registry values:

        • Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa
          • Find key: LmCompatibilityLevel and set value to 5
        • Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
          • Find key: RestrictReceivingNTLMTraffic and set value to 2
          • Find key: RestrictSendingNTLMTraffic and set value to 2
        • Navigate to HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
          • Find key: RestrictNTLMInDomain and set value to 7 (Applicable on Domain Controller machines only)

        But actually Defender is also looking at 

        HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMToDC

        Both these settings are classified as domain controller only (correct me if I'm wrong), and not available in Settings catalog or Policy CSP:

        • RestrictSendingNTLMToDC
        • RestrictNTLMInDomain

        On Windows 11 25h2 and Server 2025 we do see these policies available in GPO.

        So could you please clarify which policies we exactly need to remediate for Windows 11 devices and make sure Defender for Endpoint is looking at the right keys or policies? If the last two are needed then we need them in CSP or settings catalog as well.
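A read-only way to see where a machine stands against the registry values quoted in the comment above, as an added example that is not part of the thread and is not Microsoft's or Defender's own check. The expected values are the ones quoted above; RestrictSendingNTLMToDC is reported as found because the comment gives no recommended value for it. The mapping of registry values to policy names, and the use of Win32_ComputerSystem.DomainRole to decide whether the DC-only entries apply, are assumptions made for this example. The script changes nothing; run it in an elevated PowerShell session.

```powershell
# Added example: audit (do not change) the NTLM hardening registry values quoted above.
# Expected values come from the quoted Defender recommendation; $null means "report only".
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel';        Expected = 5;     DcOnly = $false
       Policy = 'LAN Manager Authentication Level' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictReceivingNTLMTraffic'; Expected = 2;     DcOnly = $false
       Policy = 'Restrict NTLM: Incoming NTLM Traffic' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictSendingNTLMTraffic';  Expected = 2;     DcOnly = $false
       Policy = 'Restrict NTLM: Outgoing NTLM Traffic to remote servers' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'RestrictNTLMInDomain';        Expected = 7;     DcOnly = $true
       Policy = 'Restrict NTLM: NTLM authentication in this domain' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictSendingNTLMToDC';     Expected = $null; DcOnly = $false
       Policy = '(no recommended value given in the post; reported only)' }
)

# Assumption for this example: DomainRole 4 (backup DC) or 5 (primary DC) means the
# machine is a domain controller, so DC-only entries are evaluated there and skipped elsewhere.
$isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

$results = foreach ($c in $checks) {
    # Missing key or missing value both surface as $null rather than an error.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }

    $status = if ($c.DcOnly -and -not $isDc) { 'N/A (not a domain controller)' }
              elseif ($null -eq $c.Expected)  { 'Reported only' }
              elseif ($null -eq $actual)      { 'Not set' }
              elseif ($actual -eq $c.Expected) { 'Matches recommendation' }
              else                             { 'Differs from recommendation' }

    [pscustomobject]@{
        Policy   = $c.Policy
        Key      = $c.Path -replace '^HKLM:', 'HKLM'
        Value    = $c.Name
        Actual   = $actual
        Expected = $c.Expected
        Status   = $status
    }
}

$results | Format-Table -Property Policy, Value, Actual, Expected, Status -AutoSize
```

Because it only reads the registry, the same script can be run on a workstation, a member server and a domain controller to compare what each reports before any policy is changed, which is useful when a compliance tool and the GPO report appear to disagree about which key is being evaluated.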

  • Any chance this will be back ported to at least Windows Server 2022? I mean it's still supported for another five years at least.

    • Steve_Syfuhs
      Microsoft

      No plan to backport to 2022 but if the demand is there that justifies the cost of doing so we would certainly consider it.

  • Welcome to “Eliminating NTLM in Windows” at Microsoft Technical Takeoff. Q&A is open now and throughout the week. Please post any questions or feedback here in the Comments. [Note: If your organization’s policies prevent you from seeing the video on this page, you can also tune in on LinkedIn.]

    • AWTG
      Occasional Reader

      Is it NTLMv1 that will be deprecated later this year or NTLMv2 also? It's not quite clear.

      • Heather_Poulsen
        Community Manager

        AWTG - (From Steve_Syfuhs) - NTLMv1 has already been deprecated for more than a decade. It was deprecated when we introduced Credential Guard in Windows 10. As such, we're talking NTLMv2.

  • Hi, we have seen recommendations about eliminating NTLM in hardening NTLM, but having issues with Defender for Endpoint where it's not checking the correct keys to remediate this issue. Is this issue known within the Defender experts?