en-US

NTLM Enhanced Logging

Supported on: At least Windows 11 Version 24H2

Registry

HKLM Software\Microsoft\Windows\CurrentVersion\Policies\System\NTLM\Parameters

Value name: LogEnhancedAuditEvents

Enabled: LogEnhancedAuditEvents = 1

Disabled: LogEnhancedAuditEvents = 0

Description

This policy setting allows the NTLM security package to log the new, enhanced auditing logs for both clients and servers. These enhanced logs have information about what is using NTLM, why NTLM is being used, and the destination of the NTLM authentication request. They also have information about NTLMv1 usage and other security downgrades. If you enabled or do not configure this policy, the new auditing logs will be generated. If you disable the policy, the new logs are not generated.