
LmCompatibilityLevel 5 GPO Setting Fails to Fully Block NTLMv1 in Active Directory
Tags: NTLMv1, Active Directory, GPO, LmCompatibilityLevel, Windows Security, Microsoft, Netlogon, MS-NRPC, Windows Server 2025, Windows 11, vulnerability, security policy
Setting LmCompatibilityLevel to 5 does not fully block NTLMv1 in Active Directory environments. The policy fails to enforce restrictions on applications that explicitly request NTLMv1 via the ParameterControl flag in the Netlogon Remote Protocol (MS-NRPC). Microsoft confirmed this behavior but does not classify it as a vulnerability, instead planning to remove NTLMv1 in Windows Server 2025 and Windows 11 24H2. Audit logging is suggested to identify NTLMv1 usage in existing environments.
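
One way to act on the audit-logging suggestion, as an added example that is not from the original page or from Microsoft: scan exported Security-log logon events and count those negotiated as NTLMv1. It assumes the standard logon event 4624 and its `LmPackageName` field, neither of which the page names; the sample events, accounts, hosts and addresses are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, user, host, ip, package, lm_package):
    """Build one constructed event, trimmed to the fields this example reads."""
    fields = {"TargetUserName": user, "WorkstationName": host, "IpAddress": ip,
              "AuthenticationPackageName": package, "LmPackageName": lm_package}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed sample in the shape of `wevtutil qe Security /f:xml /e:Events`
# (assumed export method); users, hosts and addresses are made up.
SAMPLE_EVENTS = "<Events>" + "".join([
    _event(4624, "alice", "WS01", "10.0.0.5", "NTLM", "NTLM V2"),
    _event(4624, "svc_legacy", "APP07", "10.0.0.23", "NTLM", "NTLM V1"),
    _event(4624, "bob", "WS02", "10.0.0.6", "Kerberos", "-"),
    _event(4624, "svc_legacy", "APP07", "10.0.0.23", "NTLM", "NTLM V1"),
]) + "</Events>"

def find_ntlmv1_logons(xml_text):
    """Count NTLMv1 logons per (account, workstation, source IP), busiest first."""
    counts = Counter()
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        # Only successful-logon events are considered (assumption: event ID 4624).
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        d = {x.get("Name"): (x.text or "").strip()
             for x in ev.iterfind("e:EventData/e:Data", NS)}
        # LmPackageName holds the NTLM sub-protocol; Kerberos logons carry "-".
        if d.get("LmPackageName", "").upper() == "NTLM V1":
            key = (d.get("TargetUserName"), d.get("WorkstationName"), d.get("IpAddress"))
            counts[key] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (user, host, ip), n in find_ntlmv1_logons(SAMPLE_EVENTS):
        print(f"{n:>4}  {user}  {host}  {ip}")
```

The resulting account and source-host pairs are the applications to migrate before NTLMv1 is removed.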