Intune Settings Catalog "Local Policies Security Option"

David Rechtenbach 46 Reputation points
2022-12-07T09:59:17.447+00:00

Hello,

The security recommendations in the security.microsoft.com portal show me the following recommendation:
Set LAN Manager authentication level to 'Send NTLMv2 response only. Refuse LM & NTLM'

I found the following setting in the Settings catalog:
[screenshot: Settings catalog entry]

Which setting should I choose for NTLMv2 response only? If I use "Send LM and NTLMv2 response only. Refuse LM and NTLM", I find this in the registry:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\LocalPoliciesSecurityOptions\NetworkSecurity_LANManagerAuthenticationLevel
[screenshot: registry value]

I would have expected value 5 and not 3. The recommendation in the security.microsoft.com portal is still present.


Accepted answer
  1. Lu Dai-MSFT 28,501 Reputation points
    2022-12-08T01:46:05.277+00:00

    @David Rechtenbach Thanks for posting in our Q&A.

    Based on my research, the correct registry location is "HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel".
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level#registry-location

    When this policy with "Send NTLMv2 response only. Refuse LM & NTLM" is deployed successfully, LmCompatibilityLevel value is "5".
    [screenshot: registry value showing LmCompatibilityLevel = 5]

    Hope it will help.

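A small audit script, added here as an example (it is not Microsoft's code and not from either answer), that reads the LSA value the accepted answer points to, maps it to the policy option name, and then lists whatever the Intune PolicyManager key from the question contains. The 0-5 mapping is the documented one for this policy; the property names under the PolicyManager key are listed as found rather than assumed.

```powershell
# Added audit script for this thread; not code from Microsoft or the thread's authors.
# Reads the value the security portal evaluates (LSA LmCompatibilityLevel) and, for
# comparison, dumps the Intune PolicyManager key referenced in the question.

$Expected = 5   # "Send NTLMv2 response only. Refuse LM & NTLM"

# Documented LmCompatibilityLevel values for "Network security: LAN Manager authentication level"
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Test-LmCompatibilityLevel {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # A missing value means the policy was never applied; LSA then uses its built-in default.
    $level = (Get-ItemProperty -Path $lsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue).LmCompatibilityLevel

    if ($null -eq $level) {
        $meaning = 'not set (OS default applies)'
    } else {
        $meaning = $LevelNames[[int]$level]
    }

    [pscustomobject]@{
        LsaLmCompatibilityLevel = $level
        Meaning                 = $meaning
        Compliant               = ($level -eq $Expected)
    }
}

# Effective value and whether it satisfies the portal recommendation
Test-LmCompatibilityLevel | Format-List

# PolicyManager path from the question. Property names are not assumed; everything
# the key holds is shown so it can be compared against the LSA value above.
$cspKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\LocalPoliciesSecurityOptions\NetworkSecurity_LANManagerAuthenticationLevel'
if (Test-Path $cspKey) {
    Get-ItemProperty -Path $cspKey | Select-Object * -ExcludeProperty PS*
} else {
    Write-Output "PolicyManager key not present: $cspKey"
}
```

Run in an elevated PowerShell on the managed device; `Compliant` is true only when the LSA value is 5, regardless of what the PolicyManager key shows.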

1 additional answer

  1. Limitless Technology 44,766 Reputation points
    2022-12-08T08:26:13.43+00:00

    Hello there,

    The LAN Manager Authentication Level setting determines which authentication protocol Windows should accept to authenticate users to a given network resource. LAN Manager authentication includes the LM, NTLM, and NTLMv2 protocols. The safest of them is the NTLMv2 protocol, as it mitigates replay attacks. The LAN Manager Authentication policy must be set to accept NTLMv2 authentication and refuse LM and NTLM authentication.

    Follow the below steps in GPO to resolve the misconfiguration. Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM".

