In Windows environments, configuring security settings related to authentication protocols is critical to ensure secure communications between systems. One such setting is the LmCompatibilityLevel, which determines the authentication mode used between Windows clients and servers. This article explains a PowerShell script that automates the management of the LmCompatibilityLevel registry value, ensuring it is set to the most secure level.
What is LmCompatibilityLevel?
The LmCompatibilityLevel setting controls the protocol used for network authentication. It determines how NTLM (NT LAN Manager) and LAN Manager authentication requests are handled. Higher values of LmCompatibilityLevel enforce stricter security by requiring more secure authentication methods such as NTLMv2, which is less vulnerable to attack than the older LM and NTLM protocols.
The value 5 sends NTLMv2 responses only and refuses LM and NTLM authentication, offering the highest level of security among the available settings.
Here is the script:
# Registry location of the LSA authentication settings and the value to enforce.
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$keyName = "LmCompatibilityLevel"
$newValue = 5
# The value exists but differs from 5: overwrite it.
if ((Test-Path -Path "$keyPath") -and ((Get-ItemProperty -Path $keyPath -Name $keyName -ErrorAction SilentlyContinue) -and ((Get-ItemProperty -Path $keyPath -Name $keyName).$keyName -ne $newValue))) {
    Set-ItemProperty -Path $keyPath -Name $keyName -Value $newValue -Type DWORD -Force | Out-Null
    Write-Output "The LmCompatibilityLevel value has been set to 5."
}
# The value exists and already equals 5: nothing to do.
elseif ((Test-Path -Path "$keyPath") -and ((Get-ItemProperty -Path $keyPath -Name $keyName -ErrorAction SilentlyContinue) -and ((Get-ItemProperty -Path $keyPath -Name $keyName).$keyName -eq $newValue))) {
    Write-Output "The LmCompatibilityLevel value is already set to 5."
}
# The key or the value is missing: report it (this script does not create the value).
else {
    Write-Output "The LmCompatibilityLevel value does not exist."
}
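As an added example (not the article's own script), here is the same check written as a reusable, -WhatIf-aware function that also creates the value when it is absent and returns an object suitable for collecting results from many hosts. The function name Set-LmCompatibilityLevel and its $Level parameter are assumptions of this example; the level descriptions follow Microsoft's documentation for the "Network security: LAN Manager authentication level" policy.

```powershell
function Set-LmCompatibilityLevel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(0, 5)][int]$Level = 5)

    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $keyName = 'LmCompatibilityLevel'
    # Meaning of each level, as documented for the "Network security: LAN Manager
    # authentication level" policy (used for the report only).
    $meaning = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only. Refuse LM'
        5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
    }
    if (-not (Test-Path -Path $keyPath)) { throw "Registry key $keyPath not found." }
    # Get-ItemProperty returns $null (no exception) when the value is absent.
    $current = (Get-ItemProperty -Path $keyPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
    $action = 'None'
    if ($null -eq $current) {
        # Absent: the OS default applies. Create the value explicitly so it is
        # visible to auditors and cannot drift silently.
        if ($PSCmdlet.ShouldProcess("$keyPath\$keyName", "Create with value $Level")) {
            New-ItemProperty -Path $keyPath -Name $keyName -Value $Level -PropertyType DWord -Force | Out-Null
            $action = 'Created'
        }
    }
    elseif ($current -ne $Level) {
        if ($PSCmdlet.ShouldProcess("$keyPath\$keyName", "Change $current -> $Level")) {
            Set-ItemProperty -Path $keyPath -Name $keyName -Value $Level -Type DWord -Force
            $action = 'Changed'
        }
    }
    else { $action = 'AlreadyCompliant' }

    # Return an object rather than text so results can be gathered across hosts.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Before       = $current
        After        = if ($action -in 'Created', 'Changed') { $Level } else { $current }
        Action       = $action
        Meaning      = $meaning[$Level]
    }
}

# Preview first with -WhatIf, then apply (requires an elevated session).
Set-LmCompatibilityLevel -Level 5 -WhatIf
Set-LmCompatibilityLevel -Level 5
```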