I'm about to disable NTLMv1 across my systems, but I want to make sure everything's ready before I do. Here's my setup: all PCs are on Windows 10 or 11, and the servers range from 2016 to 2025. I've had auditing for NTLMv1 turned on for a week now, and I've been running PowerShell scripts daily to check for any NTLMv1 events, but so far, I haven't found any. Is there anything else I should check before I go ahead with this change?
4 Answers
I thought I was the only one who did this four years ago!
You’ve already audited NTLM usage, which is great! If you haven’t seen any hits after having auditing for about a month, I’d say you’re safe to proceed. I've had NTLMv1 disabled for years now and even disabled NTLMv2 for client outbound connections last year—everything’s been running smoothly without any hiccups.
I'm also planning to do this. Out of curiosity, did you notice any Anonymous Logon events? If so, are you just ignoring those?
You’re all set, just go for it! No worries!
I'm not auditing for Anonymous logons, should I be?
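A pre-change check of the kind discussed in this thread, as an added example that is not code from any of the posters: it pulls successful logons (event 4624) whose `LmPackageName` is `NTLM V1` from each machine's Security log and flags the Anonymous Logon entries so they can be reviewed apart from named accounts. The function name, the parameters and the host names in the usage comment are assumptions; the 7-day default matches the audit window in the question.

```powershell
# Added example. Get-NtlmV1Logon, its parameters and the host names below are hypothetical.
# Reading the Security log needs administrator or Event Log Readers rights on each target.
function Get-NtlmV1Logon {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Days = 7
    )
    # 4624 = successful logon; LmPackageName records which NTLM version was negotiated.
    $ms = [int64]$Days * 86400000
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]] " +
             "and *[EventData[Data[@Name='LmPackageName']='NTLM V1']]"

    foreach ($computer in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $computer -LogName Security `
                                   -FilterXPath $xpath -ErrorAction Stop
        }
        catch {
            # "No matching events" is the good outcome. Anything else (host unreachable,
            # access denied) must not be mistaken for a clean result.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "$computer was NOT checked: $($_.Exception.Message)"
            }
            continue
        }
        foreach ($evt in $events) {
            # Flatten the EventData name/value pairs into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Computer    = $computer
                Time        = $evt.TimeCreated
                Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Anonymous   = ($data['TargetUserName'] -eq 'ANONYMOUS LOGON')
                LogonType   = $data['LogonType']
                Workstation = $data['WorkstationName']
                SourceIp    = $data['IpAddress']
            }
        }
    }
}

# Usage (constructed host names): named-account hits first, anonymous sessions after.
# Get-NtlmV1Logon -ComputerName DC01, FS01 | Sort-Object Anonymous, Time | Format-Table -AutoSize
```

A machine that produces a warning has not been audited, so its absence from the output says nothing about NTLMv1 use there.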