From 3f3782e8d65f096cbac3b2b7b5157ca1f1e765a2 Mon Sep 17 00:00:00 2001 From: Herbert Mauerer <41573578+HerbertMauerer@users.noreply.github.com> Date: Wed, 28 Jan 2026 10:03:21 +0100 Subject: [PATCH] Update NTLMv1 audit documentation with deprecation notice Added information about the deprecation of NTLM and provided links for auditing NTLM usage. Add link to article with details on new auditing options. --- .../windows-security/audit-domain-controller-ntlmv1.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/support/windows-server/windows-security/audit-domain-controller-ntlmv1.md b/support/windows-server/windows-security/audit-domain-controller-ntlmv1.md index 5cc32a73b2d..1b2eb9d06f7 100644 --- a/support/windows-server/windows-security/audit-domain-controller-ntlmv1.md +++ b/support/windows-server/windows-security/audit-domain-controller-ntlmv1.md @@ -25,6 +25,9 @@ _Original KB number:_   4090105 You may do this test before setting computers to only use NTLMv2. To configure the computer to only use NTLMv2, set **LMCompatibilityLevel** to **5** under the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa` key on the domain controller. +Microsoft has deprecated NTLM as a whole in June 2024, please see [Deprecated Features](/windows/whats-new/deprecated-features#deprecated-features). You may use the options described in this article to audit the use of NTLM, any version: +[Removing NTLMv1, new audit event for use of NTLM](topic/upcoming-changes-to-ntlmv1-in-windows-11-version-24h2-and-windows-server-2025-c0554217-cdbc-420f-b47c-e02b2db49b2e) + ## NTLM auditing To find applications that use NTLMv1, enable Logon Success Auditing on the domain controller, and then look for Success auditing Event 4624, which contains information about the version of NTLM. 
@@ -72,7 +75,7 @@ Key Length: 128 ## More information -This logon in the event log doesn't really use NTLMv1 session security. There's actually no session security, because no key material exists. +This logon in the event log doesn't use NTLMv1 session security. There's actually no session security, because no key material exists. The logic of the NTLM Auditing is that it will log NTLMv2-level authentication when it finds NTLMv2 key material on the logon session. It logs NTLMv1 in all other cases, which include anonymous sessions. Therefore, our general recommendation is to ignore the event for security protocol usage information when the event is logged for **ANONYMOUS LOGON**.
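Review bot: In the first hunk, the target of the second added link, `topic/upcoming-changes-to-ntlmv1-in-windows-11-version-24h2-and-windows-server-2025-c0554217-cdbc-420f-b47c-e02b2db49b2e`, has no leading slash or host, so it will be resolved relative to this file's directory under `support/windows-server/windows-security/`, which is unlikely to be intended. The first link in the same paragraph uses a root-relative path (`/windows/whats-new/deprecated-features#deprecated-features`). Please give the second link an absolute URL or a correct root-relative path. The wording also needs a pass: "the options described in this article" can be read as either this page or the linked one, "has deprecated ... in June 2024, please see" is a comma splice with a mismatched tense, and "NTLM, any version" reads better as "any version of NTLM". Something like "Microsoft deprecated NTLM as a whole in June 2024. See [Deprecated Features](...). To audit the use of any version of NTLM, use the options described in [Removing NTLMv1, new audit event for use of NTLM](...)." would resolve all three. A blank line between the sentence ending in a colon and the link line would also make the rendering predictable.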
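Review bot: In the second hunk, under "## More information", the edit drops "really" from the first sentence but leaves the same kind of filler in the next one ("There's actually no session security"). If the goal is to tighten the wording, change both, for example "There's no session security, because no key material exists." This wording change is also not mentioned in the commit message, which only describes the deprecation notice and the new link. A short line there would help anyone reading the history later.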