Enable rolling of expiring NTLM secrets during sign in, for users who are required to use Microsoft Passport or smart card for interactive sign on" can be activated.

Posted by vane1978@reddit | sysadmin | View on Reddit | 3 comments

Hi, By enabling "rolling of expiring NTLM secrets during sign on, for users who are required to use Microsoft Passport or smart card for interactive sign on" in our Windows 2016 domain. I know this policy affects users who have **Smart card is required for interactive logon** checked. But what about users who are set up with Windows Hello for Business but do **NOT** have the "Smart card is required for interactive logon" box checked? They just have the standard password policy. Are they going to be affected by this NTLM secrets rolling as well?

3 Comments

[-]

SteveSyfuhs@reddit

If you don't have SCRIL enabled then the password is still a supported authentication mechanism and because the NTLM hash is derived from the password, it cannot be rotated at random. Therefore only SCRIL can allow randomized NTLM hashes.

dimx_00@reddit

From my understanding the policy doesn’t affect users that don’t have the smart card required check box. For the users that don’t have smart card requirement their hash is rolled when they change their password.

vane1978@reddit (OP)

Thanks!

Reply to Post

3 Comments