Microsoft will soon be disabling NTLM authentication on Windows Domain Controllers: The evolution of Windows authentication | Windows IT Pro Blog (microsoft.com).

It is important that you understand and prepare for the impacts of this to your network. It is recommended that you audit your network to find any applications or devices that may still be using NTLM to authenticate and take steps to update, replace or decommission them. When you're ready, NTML authentication can then be disabled.

Before disabling NTLM in your domain, its important to ensure that there are no applications still utilising NTLM authentication.

To enable auditing of NTLM Authentication attempts, follow the steps given below:

1. Log on to your Primary Domain Controller as a Domain Administrator.
   Note: For Community Connect® 4 (CC4) networks, this will be your CC4 First server.
2. Click the Start button and select Run.
3. In the Run box, type GPMC.msc and press enter.
4. In the Group Policy Management console, expand Group Policy Management, Forest {Forest Name}, Domains, {Domain Name}, Domain Controllers.
5. Right-click the Default Domain Controller Policy and select Edit.
6. In the Group Policy Management Editor, expand Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
7. Locate the 'Network Security: Restrict NTLM: Audit NTLM authentication in this domain' setting policy and set it to Enable All.
8. Close the Group Policy Management Editor.
9. Back in the Group Policy Management console, locate the Default Domain Policy in the left pane.
10. Right-click the Default Domain Policy and select Edit.
11. Expand Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
12. Locate and edit 'Network Security: Restrict NTLM: Audit Incoming NTLM Traffic' and set its value to 'Enable auditing for domain accounts'.
13. Locate and edit 'Network security: Restrict NTLM: Outgoing NTLM traffic to Remote servers' and set its value to Audit All.
14. Close the Group Policy Management Editor.

When you have enabled NTLM auditing by following the above steps, NTLM authentication attempts will appear in the NTLM Event Log.

You should monitor for the presence of any of these events for a suitable amount of time; we suggest at least three typical working weeks.

On the primary domain controller, open Event Viewer and browse to the below log:
Event Viewer, 'Applications and Services Logs', Microsoft, Windows, NTLM.

To make reading the Directory Services log easier, you can filter for the necessary entries with the Event IDs '4624' and '4776'. For any 4624 entries, check the Package Name. Any instances of 'NTLM V1' or 'NTLM V2' will need to be investigated.

After establishing that NTLM authentication is no longer in use on your network, you can go ahead and disable it from both server and client devices:

1. Log on to your Primary Domain Controller as a Domain Administrator.
2. Click the Start button and select Run.
3. In the Run box, type GPMC.msc and press enter.
4. In the Group Policy Management console, expand Group Policy Management, Forest {Forest Name}, Domains, {Domain Name}, Domain Controllers.
5. Right-click the Default Domain Controller Policy and select Edit.
6. In the Group Policy Management Editor, expand Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
7. Locate the 'Network Security: Restrict NTLM: NTLM authentication in this domain' setting policy and set it to Deny All.
8. Back in the Group Policy Management console, locate the Default Domain Policy in the left pane.
9. Right-click the Default Domain Policy and select Edit.
10. Expand Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
11. Locate and edit 'Network security: Restrict NTLM: Incoming NTLM traffic' and set its value to Deny All Accounts.
12. Locate and edit 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' and set its value to Deny All.
13. Close the Group Policy Management Editor.

If you have to temporarily keep NTLM v2 authentication for an application or device that cannot be updated or replaced yet, its strongly recommended that you at least disable the more vulnerable NTLM v1:

1. Log on to your Primary Domain Controller as a Domain Administrator.
2. Click the Start button and select Run.
3. In the Run box, type GPMC.msc and press enter.
4. In the Group Policy Management console, expand Group Policy Management, Forest {Forest Name}, Domains, {Domain Name}, Domain Controllers.
5. Right-click the Default Domain Controller Policy and select Edit.
6. In the Group Policy Management Editor, expand Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
7. Locate the 'Network security: LAN Manager Authentication Level' setting policy and set it to 'Send NTLMv2 response only. Refuse LM & NTLM'.
8. Close the Group Policy Management Editor.

As of 'Veeam Backup & Replication 12', Kerberos authentication is now fully supported. Please refer to this Veeam article below for more details: Kerberos Authentication - User Guide for VMware vSphere (veeam.com)

If still using older versions of 'Veeam Backup & Replication' do not fully support Kerberos authentication, please upgrade your version of 'Veeam Backup & Replication' before fully disabling NTLM authentication.

If Management Configuration Manager (MCM) is used on your network, it is important to disable NTLM authentication there too.
Note: Microsoft Configuration Manager was formerly known as System Centre Configuration Manager (SCCM) and Microsoft Endpoint Configuration Manager (MECM).

To disable NTLM authentication:

1. Log on to your MCM server as an Administrator.
2. Open the Microsoft Configuration Manager console.
3. In the MCM console, expand Administration, Site Configuration, Sites.
4. Right-click your site and select Client Installation Settings, Client Push Installation.
5. Under the General Tab, ensure that 'Allow connection fallback to NTLM' is cleared.
6. Click OK.