Would you like to learn how to use a group policy to disable NTLM version 1 on Windows? In this tutorial, we will show you how to create a group policy to force the utilization of NTLM version 2 on Windows.

• Windows 2012 R2
• Windows 2016
• Windows 2019
• Windows 10
• Windows 11

Equipment list

Here you can find the list of equipment used to create this tutorial.

This link will also show the software list used to create this tutorial.

Tutorial GPO - Disable NTLM version 1

On the domain controller, open the group policy management tool.

Windows - Group Policy management

Create a new group policy.

Windows 2012 - Group Policy Objects

Enter a name for the new group policy.

Windows - Add GPO

In our example, the new GPO was named: MY-GPO.

On the Group Policy Management screen, expand the folder named Group Policy Objects.

Right-click your new Group Policy Object and select the Edit option.

Windows - Edit GPO

On the group policy editor screen, expand the Computer configuration folder and locate the following item.

Copy to Clipboard

Access the folder named Security options.

GPO - Local security options

Access the item named Network Security: LAN Manager authentication level.

Select the option to send only NTLMv2 response.

GPO - Disable NTLM version 1

Desktops and member servers will accept only NTLM version 2.

Domain controllers will still accept NTLMv1.

To configure domain controllers to accept only NTLM version 2, select the option named Send NTLMv2 response only. Refuse LM & NTLM.

GPO - Disable NTLMv1

To save the group policy configuration, you need to close the Group Policy editor.

Congratulations! You have finished the GPO creation.

Tutorial GPO - Disable NTLMv1

On the Group policy management screen, you need to right-click the Organizational Unit desired and select the option to link an existent GPO.

Windows-2012-Applocker application

In our example, we are going to link the group policy named MY-GPO to the root of the domain.

GPO- tutorial linking

After applying the GPO you need to wait for 10 or 20 minutes.

During this time the GPO will be replicated to other domain controllers.

In our example, we disabled the NTLMv1 authentication using a GPO.