Policy
Allow cryptography algorithms compatible with Windows NT 4.0
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsVista
This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows.

By default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be able to establish a connection to this domain controller.

If you enable this policy setting, Net Logon will allow the negotiation and use of older cryptography algorithms compatible with Windows NT 4.0. However, using the older algorithms represents a potential security risk.

If you disable this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms.

If you do not configure this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms.
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKLM\Software\Policies\Microsoft\Netlogon\Parameters\AllowNT4Crypto | REG_DWORD | 1 | 0 |
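
To audit this setting on a domain controller, the following PowerShell function reads the value from the registry location in the table and maps it to the Enabled, Disabled and Not configured states described above. It is an added example, not part of the original policy reference; the function name `Get-AllowNT4CryptoState` and its output field names are assumptions chosen for illustration.

```powershell
# Added example: report the effective state of the AllowNT4Crypto policy value.
# The function name and output fields are hypothetical, not from the policy reference.
function Get-AllowNT4CryptoState {
    [CmdletBinding()]
    param(
        # Policy key from the registry table, written in PowerShell's HKLM: drive form.
        [string]$Path = 'HKLM:\Software\Policies\Microsoft\Netlogon\Parameters'
    )

    $name  = 'AllowNT4Crypto'
    $value = $null
    $kind  = $null

    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        if ($key.GetValueNames() -contains $name) {
            $value = $key.GetValue($name)
            $kind  = $key.GetValueKind($name)
        }
    }

    # Absent value means "Not configured": older algorithms are not negotiated.
    if ($null -eq $value) {
        $state = 'NotConfigured'; $legacy = $false
    }
    elseif ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # Wrong type (the policy writes REG_DWORD): flag it instead of guessing.
        $state = 'UnexpectedType'; $legacy = $null
    }
    elseif ($value -eq 1) { $state = 'Enabled';  $legacy = $true }
    elseif ($value -eq 0) { $state = 'Disabled'; $legacy = $false }
    else                  { $state = 'UnexpectedValue'; $legacy = $null }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        State               = $state
        RawValue            = $value
        ValueKind           = $kind
        LegacyCryptoAllowed = $legacy
    }
}

$result = Get-AllowNT4CryptoState
$result | Format-List
# Warn on Enabled and on anything that cannot be confirmed as disallowed.
if ($result.LegacyCryptoAllowed -ne $false) {
    Write-Warning "AllowNT4Crypto is $($result.State) on $($result.Computer); review this domain controller."
}
```
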
Policy elements
Inputs and configuration options exposed by this policy.
This policy has no additional user input fields.
Other policies in this category
Explore related policies at the same level.
- Contact PDC on logon failure (Computer): At least Windows Server 2003 operating systems or Windows XP Professional
- Log Enhanced Domain-wide NTLM Logs (Computer): At least Windows 11 Version 24H2
- Set Netlogon share compatibility (Computer): At least Windows Server 2003
- Set scavenge interval (Computer): At least Windows Server 2003 operating systems or Windows XP Professional
- Set SYSVOL share compatibility (Computer): At least Windows Server 2003
- Specify expected dial-up delay on logon (Computer): At least Windows Server 2003 operating systems or Windows XP Professional
- Specify log file debug output level (Computer): At least Windows Server 2003
- Specify maximum log file size (Computer): At least Windows Server 2003
- Specify negative DC Discovery cache setting (Computer): At least Windows Server 2003 operating systems or Windows XP Professional
- Specify positive periodic DC Cache refresh for non-background callers (Computer): At least Windows Server 2003 operating systems or Windows XP Professional
- Specify site name (Computer): At least Windows Server 2003 operating systems or Windows XP Professional
- Use final DC discovery retry setting for background callers (Computer): At least Windows Server 2003 operating systems or Windows XP Professional