Hello,
Thank you for posting in the Q&A forum.
If you are sure that there are no applications or clients that rely on NTLMv2 in your environment, simply enable "Network Security: Restrict NTLM: Incoming NTLM Traffic: Deny All Accounts". This setting blocks all authentication requests using NTLMv2, forcing clients to authenticate using Kerberos. This is the most straightforward method for ensuring that all clients and servers in the domain are fully prepared to transition seamlessly to a pure Kerberos environment.
If you are unsure whether there are applications or clients in your environment that rely on NTLMv2, you can first enable the "Network Security: Restrict NTLM: Audit incoming NTLM traffic" policy setting. This will not block NTLMv2 traffic but will log all attempts to authenticate using NTLMv2 in the Operations Log. By analyzing these logs, you can identify which client applications, servers, or services still rely on NTLMv2, so you can make targeted adjustments or updates.
In modern Windows domain environments, Kerberos is typically enabled by default and is the preferred authentication protocol. As long as your domain functional level, client operating system, and applications support Kerberos, and your network architecture (such as DNS configuration, time synchronization, etc.) meets the basic requirements for Kerberos, you generally can use Kerberos without additional configuration.
It is recommended to refer to the following link for a more detailed description:
How to Disable NTLM Authentication in Windows Domain | Windows OS Hub (woshub.com)
I hope the information above is helpful.
Best Regards,
Yanhong Liu
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
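As an added example (not part of the answer above), the following PowerShell reads the current Restrict NTLM policy values on a server or domain controller and summarises the audit events written after enabling "Restrict NTLM: Audit incoming NTLM traffic", so the clients and processes still using NTLM can be identified before switching to "Deny All". It assumes the log name Microsoft-Windows-NTLM/Operational, the NTLM audit event IDs 8001-8004, and the policy values under the MSV1_0 registry key; verify these against your own systems.

```powershell
# Added example, not from the answer or from Microsoft documentation.
# Assumptions: the NTLM audit log is Microsoft-Windows-NTLM/Operational, the audit/block
# events are IDs 8001-8004, and the Restrict NTLM policies are stored under Lsa\MSV1_0.
$logName = 'Microsoft-Windows-NTLM/Operational'
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$since   = (Get-Date).AddDays(-7)   # look back one week

# 1. Show how the Restrict NTLM policies are currently set on this machine.
#    RestrictReceivingNTLMTraffic: 0 = allow, 1 = deny domain accounts, 2 = deny all
#    AuditReceivingNTLMTraffic:    0 = off,   1 = audit domain accounts, 2 = audit all
$policy = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
[pscustomobject]@{
    RestrictReceivingNTLMTraffic = $policy.RestrictReceivingNTLMTraffic
    AuditReceivingNTLMTraffic    = $policy.AuditReceivingNTLMTraffic
} | Format-List

# 2. Pull the audit events and flatten each event's EventData into one object.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 8001, 8002, 8003, 8004
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $row = [ordered]@{ TimeCreated = $e.TimeCreated; Id = $e.Id }
    foreach ($d in $xml.Event.EventData.Data) {
        # Field names differ per event ID, so copy whatever fields the event carries.
        if ($d.Name) { $row[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$row
}

# 3. Count events per ID, then list each distinct combination of fields (client,
#    process, target, etc.) with how often it occurred, most frequent first.
$rows | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize

$rows |
    Group-Object {
        ($_.PSObject.Properties | Where-Object Name -ne 'TimeCreated' |
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    } |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on each server or DC where the audit policy is enabled; an empty result after a representative period of use is the signal that "Deny All Accounts" can be applied there.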