Disable NTLMv1 in group policy

Question

Disable NTLMv1 in group policy

Seema Kanwal Gurmani 336

Dear Community,

I want to enable below settings:

Disable NTLMv1 in domain controllers using Group Policy Management Console (GPMC).

What will be impact of doing this setting in GPO?

What is the best practice?

1 answer

Your answer

Answer 1

Disabling NTLMv1 on your domain controllers is a common hardening step, but there are some considerations to take into account:

Authentication Failures: Any clients, applications, or devices that still attempt to authenticate using NTLMv1 (and don't support newer authentication methods) will fail to log on.
Legacy Systems Impacted: Old Windows versions (Windows 2000, XP without updates, Server 2003, and some embedded/IoT devices) rely on NTLMv1. These will not be able to authenticate.
Non-Windows Devices: Older Linux Samba clients, network appliances (storage devices, printers, copiers, NAS systems, VPN appliances) might also fail if they only support NTLMv1.
Service Accounts and Apps: Some legacy applications coded to use NTLMv1 (e.g., old SQL clients, middleware, third-party apps) will break.

Regarding best practices

Audit first (do not disable yet)
- In Group Policy, set the Network Security: Restrict NTLM: Audit NTLM authentication in this domain to Audit mode.
- Collect logs from the DCs (Security Event Log, Event IDs 4624, 4625, and NTLM-specific logs).
- Identify which systems still use NTLMv1.
Remediate legacy dependencies
- Upgrade or patch systems/applications that still use NTLMv1.
- For non-Windows devices, check firmware/software updates to support NTLMv2 or Kerberos.
- If something cannot be upgraded, plan for exceptions (though not ideal).
Then disable NTLMv1
- In GPO → Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
- Set Network security: LAN Manager authentication level to Send NTLMv2 response only. Refuse LM & NTLM.
- This enforces NTLMv2 only.
Monitor after enforcement
- Keep auditing after rollout.
- Ensure all business-critical systems can still authenticate.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Seema Kanwal Gurmani 336 Reputation points

2025-08-29T04:49:00.0333333+00:00

My environment does not have any old Windows OS we have few oldest on windows 8 and we are just about to retire those as well, so from Windows OS perspective I am ok. But how do I know that my Printer, Applications or Linux Machines use this protocol? I mean what kind of information will logs provide me? What should I look for?
Marcin Policht 54,995 Reputation points MVP Volunteer Moderator

2025-08-29T11:19:45.92+00:00

When you enable Audit NTLM Authentication in GPO, your Domain Controllers will log every NTLM authentication attempt.

Enable auditing in GPO

On DCs:

Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options

Network security: Restrict NTLM: Audit NTLM authentication in this domain → Enable auditing for domain accounts

Network security: Restrict NTLM: Audit Incoming NTLM Traffic → Enable auditing

Reboot DCs or force GPUpdate.

Where to look

Event Viewer → Security log on Domain Controllers

Relevant Event IDs:

4624 (Successful Logon) → has Authentication Package: NTLM and Logon Process: NtLmSsp

4625 (Failed Logon) if something breaks

8004 (Microsoft-Windows-NTLM/Operational log) – directly shows NTLM authentication attempts and whether NTLMv1 or NTLMv2 was used

What to look for

In Event ID 4624, check the Logon Process and Authentication Package fields.

In NTLM events (ID 8004), you'll see:

NTLM V1 or NTLM V2 explicitly

Source workstation name or IP address

Target user/service

That tells you:

Which machine (IP or hostname) used NTLMv1

Which account it was trying to authenticate with

When it happened

Interpreting results

If you see no NTLMv1, you're safe to enforce.

If you see NTLMv1 from a printer, app server, or Linux box, that's a red flag:

For printers → check firmware/settings for “NTLMv2” or switch to Kerberos

For Linux/Samba → set client ntlmv2 auth = yes in smb.conf

For apps → check config or update libraries

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Share via

Disable NTLMv1 in group policy

1 answer

Your answer