LAN manager authentication level (NTLM) version and GPO problem

Jero Cheng 120 Reputation points
2024-04-19T07:15:22.0633333+00:00

Hello

My company is running 1 AD forest with a few DCs and 100 user PCs.

Domain functional level 2016, DCs are 2016 or 2019. Clients are at least Win10.

Our audit found some NTLM v1 traffic (event ID 4624) and suggests disabling it.

I checked our DC GPO and the [Network security: LAN Manager authentication level] setting is:

Send NTLMv2 response only/refuse LM

But I checked the GPO for users and the [Network security: LAN Manager authentication level] setting is:

Send NTLM response only

Is it the client sending the NTLM v1 request?

Can I simply change the client GPO to Send NTLMv2 response only/refuse LM to stop the NTLM v1 traffic, with no impact on users' PCs?

Please advise, thanks, have a nice day.

Related KB here:

https://support.microsoft.com/en-us/topic/client-service-and-program-issues-can-occur-if-you-change-security-settings-and-user-rights-assignments-0cb6901b-dcbf-d1a9-e9ea-f1b49a56d53a


Accepted answer
Yanhong Liu 2,005 Reputation points Microsoft Vendor
    2024-04-23T07:54:04.8533333+00:00

    Hello,

    Thank you for posting in Q&A forum.

    Yes, based on the information you provided, there is a high probability that the client will send an NTLM v1 request if its GPO is set to "Send NTLM Responses Only".

    You can change the GPO setting for the client to Send NTLMv2 response only/refuse LM, which will help stop NTLM v1 traffic.

    For clients that are at least Windows 10, changing this setting usually doesn't have a significant impact on the user's PC, as Windows 10 supports NTLMv2 by default, and most modern applications and services also tend to use more secure authentication protocols such as Kerberos.

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

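To verify the two things discussed in this thread on a given machine, the effective LAN Manager authentication level and which accounts or workstations are still producing NTLM v1 logons in event 4624, the following added example (not from the original poster or the answerer) can be run in an elevated PowerShell session on a DC; the `$Hours` lookback window is an assumed parameter.

```powershell
# Added example: map LmCompatibilityLevel to the GPO wording used in this thread,
# then list 4624 logons whose LmPackageName is "NTLM V1". Run elevated on a DC.
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only/refuse LM'
    5 = 'Send NTLMv2 response only/refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # The GPO setting is written to this registry value on the target machine.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $val = (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $val) { $val = 3 }   # built-in default on Windows 10 / Server 2016+ when the value is absent
    [pscustomobject]@{ Level = [int]$val; Meaning = $LmLevelNames[[int]$val] }
}

function Get-NtlmV1Logons {
    param([int]$Hours = 24)   # assumed lookback window
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the EventData name/value pairs out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # LmPackageName is "NTLM V1" or "NTLM V2" only for NTLM logons; "-" otherwise.
        if ($d.AuthenticationPackageName -eq 'NTLM' -and $d.LmPackageName -eq 'NTLM V1') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Workstation = $d.WorkstationName
                SourceIp    = $d.IpAddress
                LogonType   = $d.LogonType
            }
        }
    }
}

Get-LmCompatibilityLevel
# Group the NTLM v1 logons by source so the offending clients or services stand out.
Get-NtlmV1Logons -Hours 24 | Group-Object Workstation, Account |
    Sort-Object Count -Descending | Select-Object Count, Name
```

Run it before and after changing the client GPO to compare the set of sources still negotiating NTLM v1.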
