NTLM Enhanced Logging
Supported on: At least Windows 11 Version 24H2
Registry
HKLM
Software\Microsoft\Windows\CurrentVersion\Policies\System\NTLM\Parameters Value name: LogEnhancedAuditEvents
Enabled: LogEnhancedAuditEvents = 1
Disabled: LogEnhancedAuditEvents = 0
Description
This policy setting allows the NTLM security package to log the new, enhanced auditing logs for both clients and servers. These enhanced logs have information about what is using NTLM, why NTLM is being used, and the destination of the NTLM authentication request. They also have information about NTLMv1 usage and other security downgrades. If you enabled or do not configure this policy, the new auditing logs will be generated. If you disable the policy, the new logs are not generated.