Event details
When can we expect CSP or Settings Catalog policies in Intune to eliminate NTLM and other Active Directory hardening? It's really frustrating to write scripts for all registry keys and it's more prone to error.
Existing NTLM disable sent policies are already available in GP and Intune. Can you clarify what more you're expecting to see?
- Henk_-_Simac_IT_NL, Mar 06, 2026, Copper Contributor
Hi Steve, it's confusing. Defender says this:
Disabling NTLM Auth
Apply via Group Policy (recommended for most customers):
- Open Group Policy Management Console (GPMC).
- Edit the relevant GPO linked to your client machines.
- Navigate to: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
- Modify the following:
- Network Security: LAN Manager Authentication Level — Double click and select "Send NTLMv2 response only/refuse LM & NTLM".
- Network Security: Restrict NTLM: Incoming NTLM Traffic — Double click and select Deny all accounts.
- Network Security: Restrict NTLM: Outgoing NTLM Traffic to remote servers — Double click and select Deny all accounts.
- Network Security: Restrict NTLM: NTLM authentication in this domain — Double click and select Deny all accounts. (Applicable on Domain Controller machines only)
- Run gpupdate /force
Alternative Registry Method:
Set the following registry values:
- Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa
- Find key: LmCompatibilityLevel and set value to 5
- Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
- Find key: RestrictReceivingNTLMTraffic and set value to 2
- Find key: RestrictSendingNTLMTraffic and set value to 2
- Navigate to HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
- Find key: RestrictNTLMInDomain and set value to 7 (Applicable on Domain Controller machines only)
But actually Defender is also looking at
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMToDC
Both these settings are classified as domain controller only (correct me if I'm wrong), and not available in Settings Catalog or Policy CSP:
- RestrictSendingNTLMToDC
- RestrictNTLMInDomain
On Windows 11 25H2 and Server 2025 we do see these policies available in GPO.
So could you please clarify which policies we exactly need to remediate for Windows 11 devices and make sure Defender for Endpoint is looking at the right keys or policies? If the last two are needed then we need them in CSP or Settings Catalog as well.
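Until the keys discussed above are exposed in the Settings Catalog, the practical stopgap is an Intune detection script that audits the registry values Defender is evaluating. The script below is an added example, not code from the thread, from Microsoft or from Defender; it checks the four values with target settings given in the post (LmCompatibilityLevel, RestrictReceivingNTLMTraffic, RestrictSendingNTLMTraffic and, on domain controllers only, RestrictNTLMInDomain) and only reports the current state of RestrictSendingNTLMToDC, because the thread names that key without stating a target value. The use of `Win32_ComputerSystem.DomainRole` to decide whether the machine is a DC, and the exit-code convention (1 = non-compliant, so an Intune remediation is triggered), are the example's own assumptions.

```powershell
# Added example (not from the thread): Intune-style detection script for the
# NTLM hardening values quoted above. Exit 0 = compliant, exit 1 = non-compliant.

$LsaPath      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$NetlogonPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Assumption: DomainRole 4 (backup DC) or 5 (primary DC) identifies a domain
# controller, so DC-only values are skipped on member workstations and servers.
$IsDomainController = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

# Target values exactly as listed in the post; DCOnly marks the Netlogon key.
$Checks = @(
    @{ Path = $LsaPath;      Name = 'LmCompatibilityLevel';         Expected = 5; DCOnly = $false }
    @{ Path = $Msv10Path;    Name = 'RestrictReceivingNTLMTraffic'; Expected = 2; DCOnly = $false }
    @{ Path = $Msv10Path;    Name = 'RestrictSendingNTLMTraffic';   Expected = 2; DCOnly = $false }
    @{ Path = $NetlogonPath; Name = 'RestrictNTLMInDomain';         Expected = 7; DCOnly = $true  }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist (treated as "not set").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$Findings = @()
foreach ($check in $Checks) {
    if ($check.DCOnly -and -not $IsDomainController) { continue }

    $actual = Get-RegistryDword -Path $check.Path -Name $check.Name
    $display = if ($null -eq $actual) { 'not set' } else { $actual }

    if ($actual -ne $check.Expected) {
        $Findings += "$($check.Name) = $display (expected $($check.Expected)) at $($check.Path)"
    }
}

# RestrictSendingNTLMToDC: the thread says Defender evaluates it but gives no
# target value, so it is reported for visibility only and does not affect the result.
$toDc = Get-RegistryDword -Path $Msv10Path -Name 'RestrictSendingNTLMToDC'
$toDcDisplay = if ($null -eq $toDc) { 'not set' } else { $toDc }
Write-Output "Info: RestrictSendingNTLMToDC = $toDcDisplay (no target value defined in this example)"

if ($Findings.Count -gt 0) {
    Write-Output "Non-compliant NTLM settings found:"
    $Findings | ForEach-Object { Write-Output "  $_" }
    exit 1
}

Write-Output "All checked NTLM hardening values match the expected settings."
exit 0
```

Deploy it as the detection half of an Intune remediation pair and keep the remediation script limited to writing the same four values; the informational line for RestrictSendingNTLMToDC gives you something to compare against what Defender for Endpoint reports once its expected value is confirmed.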