NTLM Blocking on Windows 10 21H1 breaks some group policies, specifically allow/deny log on locally

I'm struggling with blocking NTLM outbound from workstations, as it appears that some group policy processing, specifically the user rights assignments, requires it. I've been able to replicate this so far.

Steps to reproduce on Windows 10 21H1 Pro:

Block NTLM outgoing on a workstation

Set "allow log on locally" or "deny log on locally" to include any domain group in the user rights assignments security settings/local policy.

Enable Group policy debugging with registry entry: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics: GPSvcDebugLevel DWORD 0x30002

Reboot

Look in c:\windows\security\logs\winlogon.log and find entries stating that it could not enumerate the groups you added. You will also find that they are not enforced.

So, how to get the winlogon process to use Kerberos and not NTLM? Can anyone else confirm this?
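An added diagnostic script (not part of the original post) that reproduces the setup above from an elevated PowerShell session on the affected workstation: it reads the current outbound NTLM restriction, enables GPSvc debug logging with the registry value the post gives, greps winlogon.log after the reboot, and lists NTLM Operational events so you can see which remote target the group enumeration is trying to reach over NTLM. The MSV1_0 registry path and the event log name are standard Windows locations, not from the post; the log search pattern is an assumption.

```powershell
# Added diagnostic helper; assumes an elevated session on the Windows 10 workstation.

# 1. Current outbound NTLM restriction (0 = allow all, 1 = audit all, 2 = deny all).
#    Running in audit mode (1) first shows what would break before enforcing deny.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$restrict = (Get-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic `
             -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
"RestrictSendingNTLMTraffic = $restrict"

# 2. Enable Group Policy service debug logging (value taken from the post).
$diag = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
New-Item -Path $diag -Force | Out-Null
Set-ItemProperty -Path $diag -Name GPSvcDebugLevel -Type DWord -Value 0x30002
"GPSvcDebugLevel set; reboot, then re-run this script for steps 3 and 4."

# 3. After the reboot, pull lines from winlogon.log about group enumeration failures.
#    The message text is not fixed; the pattern below is an assumption, widen if needed.
$log = Join-Path $env:windir 'security\logs\winlogon.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'enumerat|could not|cannot|error' |
        ForEach-Object { $_.Line }
}

# 4. Outgoing NTLM attempts that were audited or blocked are recorded as event 8001
#    in the NTLM Operational log, including the target server name. This tells you
#    whether the user-rights lookup is going to a domain controller over NTLM.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Compare the target names in the 8001 events with the domain controllers the workstation should be using for Kerberos; a lookup by IP address or by a non-SPN name will not obtain a Kerberos ticket and falls back to NTLM.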