Commit c7947ca

Update audit-domain-controller-ntlmv1.md
Edit review per CI 9559
1 parent 93281dc commit c7947ca

1 file changed

Lines changed: 8 additions & 8 deletions

support/windows-server/windows-security/audit-domain-controller-ntlmv1.md

@@ -18,15 +18,15 @@ _Original KB number:_   4090105
1818

1919
## Summary
2020

21-
This article describes how to audit NTLMv1 authentication on Windows Server domain controllers. Use this information to identify applications and services that still use NTLMv1 before you disable it in your environment.
21+
This article describes how to audit NTLMv1 authentication on Windows Server domain controllers (DCs). Use this information to identify applications and services that still use NTLMv1 before you disable NTLMv1 in your environment.
2222

2323
NTLMv1 is a legacy authentication protocol that Microsoft deprecated in June 2024. For more information, see [Deprecated Features](/windows/whats-new/deprecated-features#deprecated-features).
2424

25-
To maintain security, identify any remaining NTLMv1 usage and migrate applications to use modern authentication protocols. To audit the use of any version of NTLM, use the methods that are described in this article and in [Removing NTLMv1, new audit event for use of NTLM](https://support.microsoft.com/topic/upcoming-changes-to-ntlmv1-in-windows-11-version-24h2-and-windows-server-2025-c0554217-cdbc-420f-b47c-e02b2db49b2e)
25+
To maintain security, identify any remaining NTLMv1 usage, and migrate applications to use modern authentication protocols. To audit the use of any version of NTLM, use the methods that are described in this article and in [Removing NTLMv1, new audit event for use of NTLM](https://support.microsoft.com/topic/upcoming-changes-to-ntlmv1-in-windows-11-version-24h2-and-windows-server-2025-c0554217-cdbc-420f-b47c-e02b2db49b2e).
2626

2727
## NTLM auditing
2828

29-
To find applications that use NTLMv1, enable Logon Success Auditing on the DC. Then review the event log on the DC for Success auditing Event ID 4624, which contains information about the version of NTLM.
29+
To find applications that use NTLMv1, enable Logon Success Auditing on the DC. Then, review the event log on the DC for Success auditing Event ID 4624. This log entry contains information about the version of NTLM.
3030

3131
The text of Event ID 4624 resembles the following example:
3232

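Review bot: Line 29+ still says "enable Logon Success Auditing on the DC" without naming the setting the reader has to turn on, and the whole procedure depends on that step; consider naming the advanced audit policy subcategory (Logon/Logoff > Audit Logon, Success) so the reader enables the right policy rather than guessing. A smaller point in line 25+: the comma in "identify any remaining NTLMv1 usage, and migrate applications" splits a compound predicate and can be dropped; the closing period added after the link is a good catch.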
@@ -73,7 +73,7 @@ Key Length: 128
7373

7474
[!INCLUDE [Registry important alert](../../../includes/registry-important-alert.md)]
7575

76-
To configure a DC to only use NTLMv2 for authentication, configure the following registry value on the DC:
76+
To configure a DC to use only NTLMv2 for authentication, configure the following registry value on the DC:
7777

7878
- Subkey: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
7979
- Entry: `LMCompatibilityLevel`
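Review bot: Line 76+ now reads "To configure a DC to use only NTLMv2 for authentication, configure the following registry value", which repeats "configure" within one sentence; suggest "To configure a DC to use only NTLMv2 for authentication, set the following registry value on the DC:". The word-order fix ("use only NTLMv2" instead of "only use NTLMv2") is correct. Because the hunk stops before the Value line, double-check that the text below names the LMCompatibilityLevel value that makes the DC refuse NTLMv1 responses (level 5), since "use only NTLMv2" on its own can be read as describing only what the DC sends.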
@@ -83,14 +83,14 @@ For more information, see [How to enable NTLM 2 authentication](../../windows-cl
8383

8484
## More information
8585

86-
The sign-in (logon) operation that Event ID 4624 describes doesn't use NTLMv1 session security. There's actually no session security, because no key material exists.
86+
The sign-in (logon) operation that Event ID 4624 describes doesn't use NTLMv1 session security. This operation actually has no session security because no key material exists.
8787

88-
The logic of the NTLM Auditing is that it logs NTLMv2-level authentication when it finds NTLMv2 key material on the sign-in session. It logs NTLMv1 in all other cases, which include anonymous sessions. Therefore, our general recommendation is to ignore the event for security protocol usage information when the event is logged for **ANONYMOUS LOGON**.
88+
The logic of NTLM Auditing is that it logs NTLMv2-level authentication when it finds NTLMv2 key material on the sign-in session. It logs NTLMv1 in all other cases, including anonymous sessions. Therefore, our general recommendation is to ignore the event for security protocol usage information if the event is logged for **ANONYMOUS LOGON**.
8989

9090
Common sources of anonymous logon sessions include the following applications and services:
9191

92-
- [Computer Browser Service](/previous-versions/windows/it-pro/windows-server-2003/cc778351(v=ws.10)): It's a legacy service from Windows 2000 and earlier versions of Windows. The service provides lists of computers and domains on the network. The service runs in the background. However, today this data is no longer used. We recommend that you disable this service across the enterprise.
92+
- [Computer Browser Service](/previous-versions/windows/it-pro/windows-server-2003/cc778351(v=ws.10)): A legacy service from Windows 2000 and earlier versions of Windows. The service runs in the background and provides lists of computers and domains on the network. However, this data is no longer used. We recommend that you disable this service across the enterprise.
9393

94-
- SID-Name mapping: It can use anonymous sessions. See [Network access: Allow anonymous SID/Name translation](/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation). We recommend that you require authentication for this functionality.
94+
- SID-Name mapping: A process that can use anonymous sessions. See [Network access: Allow anonymous SID/Name translation](/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation). We recommend that you require authentication for this functionality.
9595

9696
- Client applications that don't authenticate: The application server might still create a logon session as an anonymous user. Similarly, it might create an anonymous session if it uses NTLM authentication together with empty user name and password strings.

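Review bot: In line 94+, "SID-Name mapping: A process that can use anonymous sessions" attaches the wrong noun; SID/Name translation is a lookup operation, not a process, so "An operation that can use anonymous sessions" keeps the new parallel structure without misdescribing it. Two smaller points in the same hunk: line 88+ capitalizes "NTLM Auditing" while the section heading in the first hunk is "## NTLM auditing", so use lowercase for consistency; and line 92+ ("A legacy service from Windows 2000 and earlier versions of Windows.") uses the same fragment style as line 94+, so whichever form is chosen for the SID-Name item should match it.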