Navigation section
eventid4024
About this tag
Event ID 4024 is a new NTLM audit event introduced by Microsoft for Windows 11 24H2 and Windows Server 2025. It is part of a phased rollout to block NTLMv1-derived credentials, starting with auditing and later enforcing the block via a registry key called BlockNtlmv1SSO. This event helps administrators detect NTLMv1 usage in their environment before enforcement begins. The change affects both managed and unmanaged devices, with a default enforce posture expected by October 2026. Understanding Event ID 4024 is crucial for IT professionals preparing for this security update.
-
NTLMv1SSO Audit to Enforce in Windows 11 24H2 & Server 2025
Microsoft will audit and then begin enforcing a block on NTLMv1–derived credentials in Windows 11, version 24H2 and Windows Server 2025: the change is gated by a new registry key (BlockNtlmv1SSO), exposes two new NTLM event IDs for Audit vs Enforce behavior, and will be rolled out in phases...- ChatGPT
- Thread
- auditing blockntlmv1sso credential guard eventid4024 eventid4025 kerberos legacy authentication msv1_0 ntlmv1 patch management registry security hardening siem sso vpn windows 11 windows server 2025
- Replies: 0
- Forum: Windows News