<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>NTLM Settings</displayName>
  <description>Configuration settings for the NTLM security package.</description>
  <resources>
    <stringTable>
      <string id="NTLM">NTLM</string>
      <string id="EnhancedAuditsId">NTLM Enhanced Logging</string>
      <string id="EnhancedAuditsId_Explain">This policy setting allows the NTLM security package to generate the new, enhanced audit logs for both clients and servers.

      These enhanced logs record what is using NTLM, why NTLM is being used, and the destination of the NTLM authentication request. They also record NTLMv1 usage and other security downgrades.

      If you enable or do not configure this policy, the new audit logs are generated. If you disable the policy, the new logs are not generated.
      </string>
      <string id="EnhancedMachineBlockingWithAllowListId">NTLM Enhanced Blocking</string>
      <string id="EnhancedMachineBlockingWithAllowListId_Explained">This policy setting allows the NTLM security package to block NTLM authentication requests based on the new, enhanced blocking policies at the machine level.

      These enhanced blocking policies allow you to block NTLM authentication based on new criteria, such as the account type, the role of the device, or the type of application.

      If the overall policy is set to "Disabled" or "Not Configured", the subpolicies below have no effect. If the overall policy is set to "Enabled", the subpolicies below take effect according to their individual configuration.

      Unless configured otherwise, each subpolicy defaults to "Audit" mode. A subpolicy set to "Audit" logs a warning about each NTLM request that it would have blocked, but does not block it. Multiple subpolicies can be set to "Audit" at the same time; their warnings are written to a unified event log.

      If a subpolicy is set to "Enabled", an NTLM authentication request is blocked if it matches that subpolicy's criteria. If multiple subpolicies are set to "Enabled", the request is blocked if it matches the criteria of any of them, and an event is logged for the first subpolicy that blocks it.

      Where both "Audit" and "Enabled" subpolicies apply, the "Enabled" subpolicy takes precedence.

      All of the enhanced blocking policies outlined here share the same allow list, which specifies the accounts, devices, and applications that are allowed to use NTLM authentication. The allow list is a series of target names or SPNs for which the authentication is allowed.

      For more information, please visit aka.ms/ntlmlogandblock.
      </string>
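      The evaluation order described in the string above (overall switch, shared allow list, "Enabled" taking precedence over "Audit", one event for the first blocking subpolicy), modelled as an added Python example. This is not Windows code and not part of this policy file: the four subpolicy names are taken from the presentation table in this file, but the matching criteria (account type, domain-controller role, machine-binding result) and the case-insensitive exact SPN match for the allow list are simplifying assumptions. It is useful for dry-running a planned configuration against a constructed set of requests before moving subpolicies from "Audit" to "Enabled".

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    """The three values each subpolicy can take (the Disabled/Audit/Enabled strings)."""
    DISABLED = "Disabled"
    AUDIT = "Audit"
    ENABLED = "Enabled"


@dataclass
class NtlmRequest:
    """Constructed stand-in for what the security package knows about one request."""
    target_spn: str           # destination of the authentication, e.g. cifs/files.corp.example
    domain_account: bool      # a domain account is being used for single sign-on
    target_is_dc: bool        # the request is to a domain controller
    machine_binding_ok: bool  # machine binding succeeded


# Assumed, simplified matching criteria for the four subpolicies named in the
# presentation table; the real criteria are not spelled out in this file.
CRITERIA = {
    "DomainSingleSignOn": lambda r: r.domain_account,
    "DomainControllerAuth": lambda r: r.target_is_dc,
    "MachineBinding": lambda r: not r.machine_binding_ok,
    "BlockAll": lambda r: True,
}


@dataclass
class BlockingPolicy:
    overall_enabled: bool                        # top-level Enabled vs Disabled/Not Configured
    modes: dict = field(default_factory=dict)    # subpolicy name to Mode; unset ones default to Audit
    allow_list: frozenset = frozenset()          # target names / SPNs exempt from every subpolicy

    def mode(self, name):
        return self.modes.get(name, Mode.AUDIT)


def evaluate(policy, request):
    """Return (blocked, events) for one request.

    events holds the log lines the package would emit: one BLOCK line for the first
    Enabled subpolicy that matches, otherwise one AUDIT line per matching Audit subpolicy.
    """
    events = []
    if not policy.overall_enabled:  # subpolicies have no effect unless the overall policy is Enabled
        return False, events
    # Shared allow list: exact, case-insensitive SPN match (assumption; the file only
    # says the list holds target names or SPNs).
    if request.target_spn.lower() in {s.lower() for s in policy.allow_list}:
        return False, events
    matching = [name for name, hit in CRITERIA.items()
                if policy.mode(name) is not Mode.DISABLED and hit(request)]
    # Enabled takes precedence over Audit: the first matching Enabled subpolicy blocks
    # and is the only one that gets an event.
    for name in matching:
        if policy.mode(name) is Mode.ENABLED:
            events.append(f"BLOCK {name} target={request.target_spn}")
            return True, events
    for name in matching:  # only Audit subpolicies remain: warn, do not block
        events.append(f"AUDIT {name} target={request.target_spn}")
    return False, events


if __name__ == "__main__":
    # Constructed rollout scenario: machine-binding failures blocked, everything else audited,
    # one legacy NAS exempted via the shared allow list.
    policy = BlockingPolicy(overall_enabled=True,
                            modes={"MachineBinding": Mode.ENABLED},
                            allow_list=frozenset({"cifs/legacy-nas.corp.example"}))
    req = NtlmRequest("cifs/files.corp.example", domain_account=True,
                      target_is_dc=False, machine_binding_ok=False)
    print(evaluate(policy, req))
```

      Because Audit subpolicies only ever add warnings, the model makes the rollout property explicit: a request is blocked only by a subpolicy that is already "Enabled", and the allow list is consulted before any subpolicy, so an allow-listed SPN produces no audit noise either.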
      <string id="Disabled">Disabled</string>
      <string id="Audit">Audit</string>
      <string id="Enabled">Enabled</string>
    </stringTable>
    <presentationTable>
      <presentation id="EnhancedMachineBlockingWithAllowListId">
        <dropdownList refId="DomainSingleSignOnDropDown" defaultItem="0" noSort="true">Block NTLM for Domain Accounts Single Sign-On</dropdownList>
        <dropdownList refId="DomainControllerAuthDropDown" defaultItem="0" noSort="true">Block NTLM for Domain Controllers</dropdownList>
        <dropdownList refId="MachineBindingDropDown" defaultItem="0" noSort="true">Block NTLM when Machine binding fails</dropdownList>
        <dropdownList refId="BlockAllDropDown" defaultItem="0" noSort="true">Block all NTLM authentication</dropdownList>
        <multiTextBox refId="EnhancedMachineBlockingWithAllowListBox">Specify the allow list for enhanced blocking policies:</multiTextBox>
      </presentation>
    </presentationTable>
  </resources>
</policyDefinitionResources>
