Microsoft will audit, and then begin enforcing, a block on NTLMv1-derived credentials in Windows 11, version 24H2 and Windows Server 2025. The change is gated by a new registry key (BlockNtlmv1SSO) and exposes two new NTLM event IDs that distinguish Audit from Enforce behavior. It will be rolled out in phases, starting with auditing in late August/September 2025 and moving to a default Enforce posture for unmanaged devices by October 2026. e what Microsoft changed, why it matters, who is affected, how to detect...