Policy

NTLM Enhanced Logging

Microsoft Windows

Back to NTLMBack to main
NTLM Enhanced Logging
Jump to overview

Policy overview

Key metadata and intent for this policy.

Computer
Category
System > NTLM
Supported on
At least Windows 11 Version 24H2

Supported OS tags: Windows11

This policy setting allows the NTLM security package to log the new, enhanced auditing logs for both clients and servers. These enhanced logs have information about what is using NTLM, why NTLM is being used, and the destination of the NTLM authentication request. They also have information about NTLMv1 usage and other security downgrades. If you enabled or do not configure this policy, the new auditing logs will be generated. If you disable the policy, the new logs are not generated.

Internal name
LogEnhancedNtlmAudits
Policy ID
9a4c1d9d72f7
Elements
0

Registry values

How enabled and disabled states update the registry.

ScopeRegistry locationTypeEnabled valueDisabled valueCopy
Computer
Path
Software\Microsoft\Windows\CurrentVersion\Policies\System\NTLM\Parameters
Value name
LogEnhancedAuditEvents
REG_DWORD
HKLM
1
HKLM
0
Registry location
Type REG_DWORD · Computer
Path
Software\Microsoft\Windows\CurrentVersion\Policies\System\NTLM\Parameters
Value name
LogEnhancedAuditEvents
Hive
HKLM
Enabled value
1
Disabled value
0

Policy elements

Inputs and configuration options exposed by this policy.

This policy has no additional user input fields.