Anavem
EnglishFrancais
Anavem
Languagefr
How to Disable NTLM Authentication Protocol in Active Directory 2026

How to Disable NTLM Authentication Protocol in Active Directory 2026

Learn to securely transition from NTLM to Kerberos authentication in Active Directory environments through Group Policy configuration, auditing, and progressive restrictions.

Evan MaelEvan Mael
March 17, 2026 18 min
hardntlm 7 steps 18 min

Why Disable NTLM Authentication in Active Directory?

NTLM (NT LAN Manager) authentication protocol has been a cornerstone of Windows authentication for decades, but it's now considered a significant security liability. Microsoft announced in July 2024 their plan to deprecate NTLM, with Windows 11 24H2 and Windows Server 2025 already removing NTLMv1 support entirely. The company is implementing a three-phase approach: Phase 1 (enhanced auditing) is active in current releases, Phase 2 (addressing blockers) begins in the second half of 2026, and Phase 3 (NTLM disabled by default) will arrive in a future major release.

What Security Risks Does NTLM Present?

NTLM authentication suffers from several critical vulnerabilities that make it unsuitable for modern security requirements. The protocol is susceptible to pass-the-hash attacks, where attackers can use captured password hashes to authenticate without knowing the actual password. NTLM also lacks mutual authentication, meaning clients cannot verify the authenticity of servers, opening the door to man-in-the-middle attacks. Additionally, NTLM uses weaker encryption compared to Kerberos and doesn't support modern security features like smart card authentication or advanced encryption standards.

How Does Kerberos Improve Security Over NTLM?

Kerberos provides significant security advantages over NTLM through its ticket-based authentication system. It offers mutual authentication, ensuring both client and server verify each other's identity. Kerberos uses stronger encryption algorithms, supports delegation scenarios more securely, and integrates better with modern authentication protocols. The protocol also provides better auditing capabilities and supports advanced features like smart card authentication and multi-factor authentication integration. By transitioning from NTLM to Kerberos, organizations can significantly reduce their attack surface and improve their overall security posture.

Implementation Guide

Full Procedure

01

Enable NTLM Auditing Policies

Before disabling NTLM, you need to understand where it's being used in your environment. Windows 11 24H2 and Windows Server 2025 include enhanced NTLM logging capabilities that make this process much more effective.

Open Group Policy Management Console and navigate to your domain policy or create a new GPO:

gpmc.msc

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Configure these auditing policies:

Policy NameSettingRegistry Path
Network security: Restrict NTLM: Audit NTLM authentication in this domainEnable allHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\auditntlmindomain
Network security: Restrict NTLM: Audit Incoming NTLM TrafficEnable allHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\AuditReceiving
Network security: Restrict NTLM: Audit Outgoing NTLM traffic to remote serversEnable allHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\AuditSending

For Windows 11 24H2 and Server 2025, also enable the new enhanced logging policies under the same location.

Verification: Force Group Policy update and check Event Viewer:

gpupdate /force
# Check for NTLM events in Security log
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625} | Where-Object {$_.Message -like '*NTLM*'} | Select-Object TimeCreated, Id, LevelDisplayName, Message
Pro tip: Run auditing for at least 2 weeks during normal business operations to capture all NTLM usage patterns, including weekend batch jobs and scheduled tasks.
02

Analyze NTLM Usage and Dependencies

After collecting audit data, analyze the results to identify applications and services that rely on NTLM authentication. This step is critical for preventing service disruptions.

Use PowerShell to extract and analyze NTLM events:

# Extract NTLM authentication events from the last 7 days
$StartTime = (Get-Date).AddDays(-7)
$NTLMEvents = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4624,4625
    StartTime=$StartTime
} | Where-Object {$_.Message -match 'NTLM'}

# Group by source workstation and target
$NTLMEvents | ForEach-Object {
    $Event = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        SourceWorkstation = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'WorkstationName'} | Select-Object -ExpandProperty '#text'
        TargetUser = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        AuthenticationPackage = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'AuthenticationPackageName'} | Select-Object -ExpandProperty '#text'
    }
} | Group-Object SourceWorkstation, TargetUser | Sort-Object Count -Descending

Check for common NTLM dependencies:

# Check for applications using NTLM
Get-WmiObject -Class Win32_Process | Where-Object {$_.CommandLine -like '*ntlm*' -or $_.CommandLine -like '*negotiate*'}

# Check IIS authentication methods
if (Get-WindowsFeature -Name IIS-WebServer | Where-Object {$_.InstallState -eq 'Installed'}) {
    Import-Module WebAdministration
    Get-WebConfiguration -Filter 'system.webServer/security/authentication/*' | Where-Object {$_.enabled -eq $true}
}

Verification: Document all applications and services using NTLM. Create a remediation plan for each identified dependency before proceeding to restrictions.

Warning: Legacy applications, vulnerability scanners, and some backup solutions commonly use NTLM. Ensure you have alternative authentication methods configured before blocking NTLM.
03

Block NTLMv1 Authentication

As a baseline security measure, disable the legacy NTLMv1 protocol while maintaining NTLMv2 compatibility. NTLMv1 has been removed from Windows 11 24H2 and Windows Server 2025, but this policy ensures older systems are protected.

In Group Policy Management Console, navigate to the same Security Options location and configure:

Policy: Network security: LAN Manager authentication level
Setting: Send NTLMv2 response only. Refuse LM & NTLM

This can also be configured via registry:

# Set LAN Manager authentication level to refuse LM and NTLM
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LmCompatibilityLevel' -Value 3 -Type DWord

# Verify the setting
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LmCompatibilityLevel'

Apply the policy and force an update:

gpupdate /force
# Restart may be required for some systems
Restart-Computer -Confirm

Test authentication after the change:

# Test Kerberos authentication
klist tgt

# Test network authentication to a domain resource
Test-NetConnection -ComputerName 'domaincontroller.domain.com' -Port 88

# Check for authentication failures
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 10

Verification: Confirm that authentication still works for domain resources and that no NTLMv1 events appear in the security log.

04

Implement Progressive NTLM Restrictions

After remediation, begin implementing NTLM restrictions progressively. Start with the most secure systems and gradually expand coverage.

Configure these policies in Security Options, applying them to different OUs based on your security tiers:

For client computers (Tier 1/2):

Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Setting: Deny all

For member servers (Tier 1):

Network security: Restrict NTLM: Incoming NTLM traffic
Setting: Deny all domain accounts

For domain controllers (Tier 0) - Apply LAST:

Network security: Restrict NTLM: NTLM authentication in this domain
Setting: Deny for domain accounts to domain servers

Use PowerShell to configure these settings programmatically:

# Configure outgoing NTLM restrictions
$OutgoingNTLM = @{
    Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    Name = 'RestrictSendingNTLMTraffic'
    Value = 2  # Deny all
    Type = 'DWord'
}
Set-ItemProperty @OutgoingNTLM

# Configure incoming NTLM restrictions (avoid loopback issues)
$IncomingNTLM = @{
    Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    Name = 'RestrictReceivingNTLMTraffic'
    Value = 1  # Deny all domain accounts
    Type = 'DWord'
}
Set-ItemProperty @IncomingNTLM

# For domain controllers only - restrict domain NTLM
if ((Get-WmiObject -Class Win32_ComputerSystem).DomainRole -ge 4) {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name 'RestrictNTLMInDomain' -Value 1 -Type DWord
}

Verification: Test authentication and monitor for failures:

# Force policy update
gpupdate /force

# Test Kerberos ticket acquisition
klist purge
klist tgt

# Monitor for NTLM restriction events (Event ID 4004, 4005)
Get-WinEvent -FilterHashtable @{LogName='System'; ID=4004,4005} -MaxEvents 20
Pro tip: Implement restrictions during maintenance windows and have a rollback plan ready. Use the "Add remote server exceptions" policy if specific legacy systems require NTLM temporarily.
05

Configure NTLM Exceptions for Legacy Systems

Some legacy systems may require temporary NTLM exceptions while you work on long-term remediation. Configure these exceptions carefully to maintain security.

Create exception lists for systems that must continue using NTLM:

In Group Policy, navigate to the same Security Options location and configure:

Policy: Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
Setting: List of specific servers (FQDN or NetBIOS names)

Example exception configuration:

legacyapp01.domain.com
backupserver.domain.com
192.168.1.100

For domain-level exceptions on domain controllers:

Policy: Network security: Restrict NTLM: Add server exceptions in this domain
Setting: List of servers that can receive NTLM from domain accounts

Configure exceptions via registry if needed:

# Create exception list for outgoing NTLM traffic
$ExceptionList = @(
    'legacyapp01.domain.com',
    'backupserver.domain.com',
    '192.168.1.100'
)

# Set the exception list (semicolon-separated)
$ExceptionString = $ExceptionList -join ';'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -Name 'ClientAllowedNTLMServers' -Value $ExceptionString -Type String

# Verify the exception list
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -Name 'ClientAllowedNTLMServers'

Monitor exception usage:

# Check for NTLM usage to exception servers
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object {
    $_.Message -match 'NTLM' -and 
    ($_.Message -match 'legacyapp01' -or $_.Message -match 'backupserver')
} | Select-Object TimeCreated, Message

Verification: Confirm that exceptions work as expected and that NTLM is still blocked for non-exception systems.

Warning: Exception lists should be temporary. Each exception represents a potential security risk and should have a documented remediation timeline.
06

Test Kerberos Authentication and Troubleshoot Issues

After implementing NTLM restrictions, thoroughly test Kerberos authentication and resolve any issues that arise.

Test Kerberos functionality across your environment:

# Clear existing tickets and request new ones
klist purge
klist tgt

# Test authentication to various services
Test-NetConnection -ComputerName 'fileserver.domain.com' -Port 445
Test-NetConnection -ComputerName 'webserver.domain.com' -Port 80
Test-NetConnection -ComputerName 'sqlserver.domain.com' -Port 1433

# Check for Kerberos tickets for specific services
klist

Common troubleshooting steps for Kerberos issues:

# Check time synchronization (critical for Kerberos)
w32tm /query /status
w32tm /resync

# Verify DNS resolution for domain controllers
nslookup _kerberos._tcp.domain.com
nslookup _ldap._tcp.domain.com

# Check SPN registration for services
setspn -L serviceaccount
setspn -Q HTTP/webserver.domain.com

# Test Kerberos authentication with specific encryption
klist -e

Monitor for authentication failures and NTLM fallback attempts:

# Check for Kerberos authentication failures
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4768,4769,4771} -MaxEvents 50 | Where-Object {$_.LevelDisplayName -eq 'Error'}

# Check for NTLM restriction events
Get-WinEvent -FilterHashtable @{LogName='System'; ID=4004,4005,4006,4007} -MaxEvents 20

# Look for authentication package downgrades
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object {$_.Message -match 'NTLM' -and $_.Message -notmatch 'SYSTEM'}

If you encounter persistent issues, use Microsoft's recommended escalation:

# Collect detailed authentication logs for Microsoft support
wevtutil el | findstr -i auth
wevtutil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /f:text /rd:true /c:100

Verification: Confirm that all critical services authenticate successfully using Kerberos and that no unexpected NTLM usage occurs.

Pro tip: If you encounter issues that can't be resolved immediately, contact ntlm@microsoft.com with detailed logs. Microsoft provides specific support for NTLM transition challenges.
07

Monitor and Maintain NTLM Restrictions

Establish ongoing monitoring to ensure NTLM restrictions remain effective and to catch any new dependencies that might emerge.

Create a monitoring script to track NTLM usage:

# Create NTLM monitoring script
$MonitoringScript = @'
# NTLM Monitoring Script
$LogPath = "C:\Logs\NTLM-Monitor.log"
$Date = Get-Date -Format "yyyy-MM-dd HH:mm:ss"

# Check for NTLM authentication events
$NTLMEvents = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4624,4625
    StartTime=(Get-Date).AddHours(-1)
} | Where-Object {$_.Message -match 'NTLM'}

if ($NTLMEvents) {
    "$Date - NTLM authentication detected:" | Out-File -FilePath $LogPath -Append
    $NTLMEvents | ForEach-Object {
        "  Event ID: $($_.Id), Time: $($_.TimeCreated), Message: $($_.Message.Substring(0,200))..." | Out-File -FilePath $LogPath -Append
    }
}

# Check for NTLM restriction violations
$RestrictionEvents = Get-WinEvent -FilterHashtable @{
    LogName='System'
    ID=4004,4005,4006,4007
    StartTime=(Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

if ($RestrictionEvents) {
    "$Date - NTLM restriction events:" | Out-File -FilePath $LogPath -Append
    $RestrictionEvents | ForEach-Object {
        "  Event ID: $($_.Id), Time: $($_.TimeCreated), Level: $($_.LevelDisplayName)" | Out-File -FilePath $LogPath -Append
    }
}
'@

# Save and schedule the monitoring script
$MonitoringScript | Out-File -FilePath "C:\Scripts\NTLM-Monitor.ps1" -Encoding UTF8

# Create scheduled task for hourly monitoring
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-ExecutionPolicy Bypass -File C:\Scripts\NTLM-Monitor.ps1"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
Register-ScheduledTask -TaskName "NTLM-Monitor" -Action $Action -Trigger $Trigger -Principal $Principal

Set up alerting for unexpected NTLM usage:

# Create alert script for critical NTLM events
$AlertScript = @'
Param([string]$EventLogName, [int]$EventID)

$Event = Get-WinEvent -FilterHashtable @{LogName=$EventLogName; ID=$EventID} -MaxEvents 1
if ($Event -and $Event.TimeCreated -gt (Get-Date).AddMinutes(-5)) {
    # Send email alert (configure SMTP settings)
    $EmailParams = @{
        To = "admin@domain.com"
        From = "ntlm-monitor@domain.com"
        Subject = "NTLM Alert: Unexpected authentication detected"
        Body = "NTLM event detected: $($Event.Message)"
        SmtpServer = "mail.domain.com"
    }
    Send-MailMessage @EmailParams
}
'@

$AlertScript | Out-File -FilePath "C:\Scripts\NTLM-Alert.ps1" -Encoding UTF8

Regular maintenance tasks:

# Weekly NTLM status report
$WeeklyReport = @'
# Generate weekly NTLM status report
$StartDate = (Get-Date).AddDays(-7)
$Report = @()

# Count NTLM events by type
$NTLMCount = (Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=$StartDate} | Where-Object {$_.Message -match 'NTLM'}).Count
$KerberosCount = (Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=$StartDate} | Where-Object {$_.Message -match 'Kerberos'}).Count

$Report += "NTLM Authentication Events: $NTLMCount"
$Report += "Kerberos Authentication Events: $KerberosCount"
$Report += "NTLM Percentage: $([math]::Round(($NTLMCount / ($NTLMCount + $KerberosCount)) * 100, 2))%"

$Report | Out-File -FilePath "C:\Reports\NTLM-Weekly-$(Get-Date -Format 'yyyy-MM-dd').txt"
'@

Verification: Review monitoring logs regularly and investigate any unexpected NTLM usage. Ensure your monitoring captures both successful and failed authentication attempts.

Frequently Asked Questions

Can I completely disable NTLM authentication in Windows Server 2025?+
Yes, you can disable NTLM authentication in Windows Server 2025, but it requires careful planning and progressive implementation. Microsoft has removed NTLMv1 from Windows Server 2025 and Windows 11 24H2, but NTLMv2 can still be disabled through Group Policy settings. You must first audit NTLM usage, remediate dependencies, and ensure all applications support Kerberos authentication before complete disablement to avoid service disruptions.
What happens if I disable NTLM without proper preparation?+
Disabling NTLM without proper preparation can cause widespread authentication failures and service outages. Legacy applications, backup systems, vulnerability scanners, and some third-party tools may fail to authenticate. External trust relationships default to NTLM and will break. System accounts and services that rely on NTLM fallback will stop functioning. This is why Microsoft recommends a phased approach with thorough auditing and testing before implementation.
How do I identify which applications are using NTLM authentication?+
Use the enhanced NTLM auditing policies available in Windows 11 24H2 and Windows Server 2025. Enable 'Audit NTLM authentication in this domain', 'Audit Incoming NTLM Traffic', and 'Audit Outgoing NTLM traffic' through Group Policy. Monitor the Security event log for Event IDs 4624 and 4625 with NTLM authentication packages. Run auditing for at least two weeks during normal business operations to capture all usage patterns, including scheduled tasks and batch jobs.
Is it safe to disable NTLM on domain controllers first?+
No, domain controllers should be the last systems where you disable NTLM authentication. Start with client computers and member servers first, then progress to domain controllers. Domain controllers handle pass-through authentication for the entire domain, so disabling NTLM there affects all domain authentication. Microsoft recommends prioritizing Protected Users group members, then Tier 0 devices (PAWs), then new servers, and finally domain controllers as the last step in the process.
What should I do if I encounter persistent NTLM authentication issues?+
If you encounter persistent NTLM issues that cannot be resolved through standard troubleshooting, Microsoft provides specific support through ntlm@microsoft.com. Before contacting support, ensure time synchronization is correct (critical for Kerberos), verify DNS resolution for domain controllers, check SPN registration for affected services, and collect detailed authentication logs. You can also implement temporary exceptions using the 'Add remote server exceptions' Group Policy setting while working on long-term remediation.
Evan Mael
Written by

Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#ntlm#active-directory#kerberos

Further Intelligence

Deepen your knowledge with related resources

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It
tutorial
Windows

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It

Deep Dive
How to Deploy Network Locations via Group Policy in Windows Server 2025
tutorial
Networking

How to Deploy Network Locations via Group Policy in Windows Server 2025

Deep Dive
How to Configure Default Inbound Action for Public Profile in Windows Defender
tutorial
Cybersecurity

How to Configure Default Inbound Action for Public Profile in Windows Defender

Deep Dive

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account