Applies To
  • Windows 11 SE, version 24H2
  • Windows 11 Enterprise and Education, version 24H2
  • Windows 11 Enterprise Multi-Session, version 24H2
  • Windows 11 Home and Pro, version 24H2
  • Windows 11 IoT Enterprise, version 24H2
  • Windows Server 2025

Original publish date: August 29, 2025

KB ID: 5066470

Introduction

This article details the recent and upcoming changes in Windows 11, version 24H2 and Windows Server 2025, focusing on the auditing and eventual enforcement of blocking NTLMv1-derived cryptography. These changes are part of Microsoft’s broader initiative to phase out NTLM.

Background

Microsoft has removed the NTLMv1 protocol (see Removed features and functionality) from Windows 11, version 24H2 and Windows Server 2025 and later versions. However, while the NTLMv1 protocol is removed, remnants of NTLMv1 cryptography are still present in some scenarios, such as when using MS-CHAPv2 in a domain-joined environment.

Credential Guard provides complete protection against both NTLMv1 legacy cryptography and many other attack surfaces, so Microsoft strongly recommends deploying and enabling it if Credential Guard’s requirements are met. The upcoming changes only affect devices where Credential Guard is disabled; if Windows Credential Guard is enabled on the device, the changes outlined in this article do not take effect.

Goal

With the deprecation of NTLM (see Deprecated features) and the removal of the NTLMv1 protocol, Microsoft is working to finalize the disablement of NTLMv1 by disabling the use of NTLMv1-derived credentials.

Upcoming changes

Two new changes, the introduction of a new registry key and new event logs, are included in this update. For a timeline of these changes, see the Rollout of changes section.

New registry key

A new registry key is introduced, gating whether the changes are in Audit mode or Enforce mode.

Registry location: HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\lsa\msv1_0

Value: BlockNtlmv1SSO

Type: REG_DWORD

Data:

  • 0 (default) – The request to generate NTLMv1-credentials for a logged-on user is audited but allowed to succeed. Warning events are generated. This setting is also called Audit mode.

  • 1 – The request to generate NTLMv1-credentials for a logged-on user is blocked. Error events are generated. This setting is also called Enforce mode.
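
A way to report which mode applies on a device, as an added example that is not Microsoft's code. The function name Get-BlockNtlmv1SsoMode is hypothetical; it assumes the DeviceGuard CIM class is available to detect Credential Guard, and it reports a missing value separately because the OS default for that case is scheduled to change.

```powershell
# Added example, not Microsoft's code. Get-BlockNtlmv1SsoMode is a hypothetical name.
function Get-BlockNtlmv1SsoMode {
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0',
        [string]$Name = 'BlockNtlmv1SSO'
    )
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $credGuard = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    # A missing value is reported separately: per the article the OS default is
    # Audit (0) today and becomes Enforce (1) only where the value is not deployed.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $data = if ($null -ne $item) { $item.$Name } else { $null }

    $mode = if ($credGuard) { 'Not applicable (Credential Guard running)' }
        elseif ($null -eq $data) { 'OS default (value not deployed)' }
        elseif ($data -eq 0) { 'Audit (explicit)' }
        elseif ($data -eq 1) { 'Enforce (explicit)' }
        else { "Unexpected data: $data" }

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        CredentialGuardRunning = $credGuard
        ValueDeployed          = ($null -ne $data)
        Data                   = $data
        Mode                   = $mode
    }
}

Get-BlockNtlmv1SsoMode

# To pin a mode explicitly, run elevated (0 = Audit, 1 = Enforce):
# New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
#     -Name 'BlockNtlmv1SSO' -PropertyType DWord -Value 1 -Force
```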

New auditing capabilities

  • When using Audit (default) settings

    Event Log: Microsoft-Windows-NTLM/Operational

    Event Type: Warning

    Event Source: NTLM

    Event ID: 4024

    Event Text:

    Auditing an attempt to use NTLMv1-derived credentials for Single Sign-On
    Target server: <domain_name>
    Supplied user: <user_name>
    Supplied domain: <domain_name>
    PID of client process: <process_identifier>
    Name of client process: <process_name>
    LUID of client process: <locally_unique_identifier>
    User identity of client process: <user_name>
    Domain name of user identity of client process: <domain_name>
    Mechanism OID: <object_identifier>
    For more information, see https://go.microsoft.com/fwlink/?linkid=2321802.

  • When using Enforce settings

    Event Log: Microsoft-Windows-NTLM/Operational

    Event Type: Error

    Event Source: NTLM

    Event ID: 4025

    Event Text:

    An attempt to use NTLMv1-derived credentials for Single Sign-On was blocked due to policy.
    Target server: <domain_name>
    Supplied user: <user_name>
    Supplied domain: <domain_name>
    PID of client process: <process_identifier>
    Name of client process: <process_name>
    LUID of client process: <locally_unique_identifier>
    User identity of client process: <user_name>
    Domain name of user identity of client process: <domain_name>
    Mechanism OID: <object_identifier>
    For more information, see https://go.microsoft.com/fwlink/?linkid=2321802.

For more information about other auditing enhancements, see Overview of NTLM auditing enhancements in Windows 11, version 24H2 and Windows Server 2025.
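
To find which client processes and target servers would break under Enforce mode, the 4024 and 4025 events can be inventoried before the default changes. The following is an added example, not Microsoft's code: the function names are hypothetical, the sample message is constructed, and fields are parsed from the rendered event text by the labels shown above because this article does not document the structured event properties.

```powershell
# Added example, not Microsoft's code. Function names are hypothetical.
function ConvertFrom-NtlmSsoMessage {
    param([string]$Message)
    # Field labels exactly as they appear in the 4024/4025 event text.
    $labels = 'Target server', 'Supplied user', 'Supplied domain',
        'PID of client process', 'Name of client process', 'LUID of client process',
        'User identity of client process',
        'Domain name of user identity of client process', 'Mechanism OID'
    # A value ends at the next label, the trailing link sentence, or end of line.
    $stop = (@($labels | ForEach-Object { [regex]::Escape($_) + ':' }) +
        'For more information') -join '|'
    $fields = [ordered]@{}
    foreach ($label in $labels) {
        # [regex] is case-sensitive, so 'User identity of client process' does not
        # match inside 'Domain name of user identity of client process'.
        $pattern = [regex]::Escape($label) + ':\s*(.*?)\s*(?=' + $stop + '|\r?\n|$)'
        $m = [regex]::Match($Message, $pattern)
        $fields[$label] = if ($m.Success) { $m.Groups[1].Value } else { $null }
    }
    $fields
}

function Get-NtlmV1SsoUsage {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 4024, 4025
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $f = ConvertFrom-NtlmSsoMessage $_.Message
        [pscustomobject]@{
            Outcome = if ($_.Id -eq 4025) { 'Blocked' } else { 'Audited' }
            Process = $f['Name of client process']
            Target  = $f['Target server']
            OID     = $f['Mechanism OID']
        }
    } | Group-Object Outcome, Process, Target, OID |
        Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample message (placeholder values) to exercise the parser offline.
$sample = 'Auditing an attempt to use NTLMv1-derived credentials for Single Sign-On ' +
    'Target server: vpn.example.test Supplied user: alice Supplied domain: EXAMPLE ' +
    'PID of client process: 1234 Name of client process: C:\Example\client.exe ' +
    'LUID of client process: 0x3e7 User identity of client process: alice ' +
    'Domain name of user identity of client process: EXAMPLE Mechanism OID: 1.2.3.4 ' +
    'For more information, see https://go.microsoft.com/fwlink/?linkid=2321802.'
ConvertFrom-NtlmSsoMessage $sample

Get-NtlmV1SsoUsage | Format-Table -AutoSize
```

An empty result from Get-NtlmV1SsoUsage means no matching events were found in the log on that device; it does not by itself show that the audit rollout has reached the device.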

Rollout of changes

In September 2025 and later updates, the changes will be rolled out to Windows 11, version 24H2 and later client OS in Audit mode. In this mode, Event ID: 4024 will be logged whenever NTLMv1-derived credentials are used but the authentication will continue to work. The rollout will reach Windows Server 2025 later in the year.

In October 2026, Microsoft will set the default value of the BlockNtlmv1SSO registry key to 1 (Enforce) instead of 0 (Audit) if the BlockNtlmv1SSO registry key has not been deployed to the device.

Timeline

  • Late August 2025: Auditing logs for NTLMv1 usage enabled on Windows 11, version 24H2 and newer clients.

  • November 2025: Begin rollout of changes to Windows Server 2025.

  • October 2026: The default value of the BlockNtlmv1SSO registry key is changed from Audit mode (0) to Enforce mode (1) through a future Windows update, strengthening NTLMv1 restrictions. This change in defaults only takes effect if the BlockNtlmv1SSO registry key has not been deployed.

Note: These dates are tentative and subject to change.

Frequently asked questions (FAQ)

Microsoft uses a gradual rollout method to distribute a release update over a period of time, rather than all at once. This means that users receive the updates at different times, and it might not be immediately available to all users.

NTLMv1-derived credentials are used by certain higher-level protocols for Single Sign-On purposes; examples include Wi-Fi, Ethernet, and VPN deployments using MS-CHAPv2 authentication. Similarly to when Credential Guard is enabled, Single Sign-On flows for these protocols would not work but manually entering credentials will continue to work even in Enforce mode. For more information and best practices, see Considerations and known issues when using Credential Guard.

The only similarity between this update and Credential Guard is protections around user credentials from NTLMv1-derived cryptography. This update does not provide the wide and robust protection of Credential Guard; Microsoft recommends Credential Guard enablement on all supported platforms.
