IT Connect

Information technology tools and resources at the UW

LMCompatibilityLevel Guidance for IT staff

Background

You might want to acquaint yourself with The Most Misunderstood Windows Setting of All Time. It’s the best written document on the relevant background for LMCompatibilityLevel. Review the NTLMv1 Known Problems and Workarounds for the most comprehensive resource available for the various problems associated with NTLMv1 being turned off.

What’s needed

Level 5 corresponds to “Send NTLMv2 response only. Refuse LM & NTLM.” and is the desired end state.

Level 3 (“Send NTLMv2 response only”) is the minimum needed to continue to interact with the NETID DCs. But note that if you use level 3 instead of level 5, you will continue to allow NTLMv1 in your domain and will remain at risk with your domain’s accounts.

See How do I reconfigure NTLMv1 on my computer so it will work with the NETID domain? for a good write-up of all the options for making this change.

NOTE: If your computers are in the NETID domain, there is already a domain-wide policy that sets LMCompatibilityLevel=5. That was set on 8/1/2013. That policy is overridden in a couple of cases, e.g. the NETID DCs (which will change this summer) and on some of the UW Exchange & UW Sharepoint servers. So if your computers are in the NETID domain, they are likely already good to go.

Guidance on how to proceed

Note that NTLMv1 use can result from misconfigurations in a great number of places. And those misconfigurations can happen anywhere in the “authentication chain”. Misconfigurations can happen on the client endpoint, on a member server that provides the service the endpoint connects to, or any domain controller leveraged by the two. Most misconfiguration comes down to one of two things: the Windows LMCompatibilityLevel or browser configuration.


If you are looking for the quickest way forward, we’d suggest using group policy to set LMCompatibilityLevel=5 (“Send NTLMv2 response only. Refuse LM & NTLM.”) across all your computers. Doing this will likely unearth many misconfigurations in other places, and the other known problems & workarounds will come into play. Most of those will be the set of browser configurations needed. See https://itconnect.uw.edu/wares/msinf/other-help/reconfigure-ntlmv1/ for a good write-up of the browser fixes.


If you want a more cautious approach, start by setting LMCompatibilityLevel=3 on your DCs and member servers. Then set LMCompatibilityLevel=5 on all your client computers. Resolve any issues (unlikely to be many). Then set LMCompatibilityLevel=5 on your member servers, perhaps one by one if you want to be cautious. Resolve any issues (here is where you are likely to see issues). Finally set LMCompatibilityLevel=5 on your domain controllers.
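Whichever approach you take, it helps to verify where each DC, member server and client actually sits before and after each step. The following PowerShell audit is an added example, not part of the original article; it reads the LmCompatibilityLevel registry value (the setting that the “Network security: LAN Manager authentication level” group policy writes) from a list of computers and flags any that are below your target. It assumes PowerShell Remoting is enabled, you have administrative rights on the targets, and the computer names in $Computers are placeholders you replace with your own.

```powershell
# Added example: audit LmCompatibilityLevel across computers during a staged rollout.
# Assumes PowerShell Remoting (WinRM) is enabled and you are an admin on the targets.
# The computer names below are placeholders; substitute your DCs, member servers, clients.
$Computers = @('DC01', 'MEMBER01', 'CLIENT01')
$Target    = 5   # desired level: "Send NTLMv2 response only. Refuse LM & NTLM."

# Meaning of each level, as shown in the group policy editor.
$Labels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

# Read the raw registry value on each target; $null means the value is absent
# and the OS default applies (3 on Windows Vista / Server 2008 and later).
$Results = Invoke-Command -ComputerName $Computers -ScriptBlock {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $key -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Level    = if ($item) { [int]$item.LmCompatibilityLevel } else { $null }
    }
}

foreach ($r in ($Results | Sort-Object Computer)) {
    # Assumption: targets run a modern OS, so an absent value behaves as level 3.
    $effective = if ($null -eq $r.Level) { 3 } else { $r.Level }
    $shown     = if ($null -eq $r.Level) { 'default' } else { "$($r.Level)" }
    $status    = if ($effective -ge $Target) { 'OK' }
                 elseif ($effective -ge 3)   { 'below target: still accepts LM/NTLMv1' }
                 else                        { 'sends LM/NTLMv1: fix this one first' }
    '{0,-12} level={1,-8} {2} -> {3}' -f $r.Computer, $shown, $Labels[$effective], $status
}
```

Run it once before each step of the cautious rollout and again after the group policy has refreshed (or after gpupdate /force on the targets) to confirm the change landed where you expected.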