
I have a requirement to set this up for servers on my Domain environment (both the client and server version). Workstations are Windows 10 and all Servers are Server 2019.

I know how to do it through GPO, but I am wondering if this can be done without certificates? All of our workstations are devoid of any (according to the Cert Manager "Personal" store anyways) and a few of the servers have yet to get any either. Would setting this policy to "Require 128-bit encryption" break things if certain elements of my Domain have no certificates?

As yet, when I think "encryption" I think "certificates", so this is what I am basing my question on. MS documentation just says "older clients that don't support it won't be able to communicate" without any elaboration - I'd imagine both Windows versions I'm using are new enough at least, but there may be more I'm not considering.

The ITea Guy
  • This has been the default setting for over a decade so there typically is not an impact unless it had previously been disabled. This only affects NTLM and not certificates. – Greg Askew Feb 24 '23 at 15:14
  • It currently is not configured at all through group policy; a check into the regkey that stores the value reveals 0x20080030 (537395248) but I am not able to find out what that refers to as a setting. Is this what you mean by it having been "previously disabled"? Allegedly it needs to have the value of 537395200, which would be setting it to requiring 128. – The ITea Guy Feb 24 '23 at 16:36
  • 1
    `HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0!NTLMMinServerSec` 0x20000000 == require 128 bit encryption, 0x00080000 == Require NTLMv2 session security, 0x00000010 == Require message integrity, 0x00000020 == Require message confidentiality. 0x20080030 or if the value is absent, all values are enabled. That is the default since Windows 7/2010. https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-ntlm-2-authentication – Greg Askew Feb 24 '23 at 18:32
  • Thanks! I had an opportunity to look further into this and I was surprised to discover that in spite of what I was seeing, this was already received in an existing GPO but not actually setting the regkey - do you know if there's some kind of special setup required for this as a policy object? – The ITea Guy Mar 01 '23 at 19:56
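The flag breakdown in the comments above makes the puzzling 0x20080030 / 537395248 value easy to audit. The following script is an added example, not code from the original post or from Microsoft: it decodes `NTLMMinServerSec` (and its client-side counterpart `NTLMMinClientSec`, which the comments do not name but which lives under the same `MSV1_0` key) into the four named requirements, flags any bits that are not one of the four, and treats an absent value as the all-enabled default exactly as the comment describes. On Windows it reads the live values with the standard-library `winreg` module; elsewhere it runs against constructed sample values, so it can be tried offline.

```python
"""Decode NTLMMinClientSec / NTLMMinServerSec into their named requirements.

Added example; the bit meanings are those listed in the comment thread above.
"""
import sys

# Bit flags of the two MSV1_0 minimum-session-security values (from the comment above).
NTLM_MIN_SEC_FLAGS = {
    0x00000010: "Require message integrity",
    0x00000020: "Require message confidentiality",
    0x00080000: "Require NTLMv2 session security",
    0x20000000: "Require 128-bit encryption",
}

# Per the comment: an absent value behaves as if all four flags were set (the default).
DEFAULT_ALL_FLAGS = 0x20080030

# Registry location from the comment; NTLMMinClientSec is the client-side counterpart.
REG_PATH = r"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
VALUE_NAMES = ("NTLMMinClientSec", "NTLMMinServerSec")


def decode_ntlm_min_sec(value):
    """Return (effective_value, enabled_flag_names, unknown_bits).

    value may be None (registry value absent), which maps to DEFAULT_ALL_FLAGS.
    unknown_bits are set bits that do not correspond to any of the four flags;
    a non-zero result means the value was edited by hand or by an unexpected tool.
    """
    effective = DEFAULT_ALL_FLAGS if value is None else int(value)
    enabled = [name for bit, name in NTLM_MIN_SEC_FLAGS.items() if effective & bit]
    known_mask = 0
    for bit in NTLM_MIN_SEC_FLAGS:
        known_mask |= bit
    unknown = effective & ~known_mask
    return effective, enabled, unknown


def requires_128bit(value):
    """True if the value (or the absent-value default) demands 128-bit encryption."""
    effective, _, _ = decode_ntlm_min_sec(value)
    return bool(effective & 0x20000000)


def read_live_values():
    """Read both values from HKLM (Windows only). Absent values are returned as None."""
    import winreg  # only importable on Windows
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_PATH) as key:
        for name in VALUE_NAMES:
            try:
                data, kind = winreg.QueryValueEx(key, name)
                result[name] = data if kind == winreg.REG_DWORD else None
            except FileNotFoundError:
                result[name] = None
    return result


def report(values):
    """Build a human-readable audit of a {value_name: raw_or_None} mapping."""
    lines = []
    for name, raw in values.items():
        effective, enabled, unknown = decode_ntlm_min_sec(raw)
        source = "absent (default applies)" if raw is None else f"0x{int(raw):08X} ({int(raw)})"
        lines.append(f"{name}: {source} -> effective 0x{effective:08X}")
        for flag in enabled:
            lines.append(f"    [x] {flag}")
        for bit, flag in NTLM_MIN_SEC_FLAGS.items():
            if not effective & bit:
                lines.append(f"    [ ] {flag}")
        if unknown:
            lines.append(f"    !! unrecognised bits set: 0x{unknown:08X}")
    return "\n".join(lines)


if __name__ == "__main__":
    if sys.platform == "win32":
        values = read_live_values()
    else:
        # Constructed sample values: the asker's observed value, an absent value,
        # and a weakened value with the 128-bit requirement cleared.
        values = {
            "NTLMMinClientSec": 0x20080030,
            "NTLMMinServerSec": None,
            "NTLMMinServerSec (weakened sample)": 0x00080030,
        }
    print(report(values))
```

Reading the report against the asker's situation: 537395248 is 0x20080030, so all four requirements, including "Require 128-bit encryption", are already in force, and 537395200 (0x20080000) would actually be the weaker setting that drops message integrity and confidentiality. If the audit shows the value is set but a GPO appears not to be writing it, `gpresult /h` on the affected host will show whether that policy object is being applied at all.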
