Policy
NTLM Enhanced Logging
This policy setting allows the NTLM security package to log the new, enhanced auditing logs for both clients and servers. These enhanced logs have information about what is using NTLM, why NTLM is being used, and the destination of the NTLM authentication request. They also have information about NTLMv1 usage and other security downgrades. If you enabled or do not configure this policy, the new auditing logs will be generated. If you disable the policy, the new logs are not generated.
9a4c1d9d72f7 LogEnhancedNtlmAudits Registry
Copy registry mappings
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\NTLM\Parameters\LogEnhancedAuditEvents (enabled) = 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\NTLM\Parameters\LogEnhancedAuditEvents (disabled) = 0Policy notes
This policy setting allows the NTLM security package to log the new, enhanced auditing logs for both clients and servers. These enhanced logs have information about what is using NTLM, why NTLM is being used, and the destination of the NTLM authentication request. They also have information about NTLMv1 usage and other security downgrades. If you enabled or do not configure this policy, the new auditing logs will be generated. If you disable the policy, the new logs are not generated.