Welcome to our latest blog post on How to prevent Storing LAN Manager Hash with Microsoft Intune. When managing security across Windows endpoints, especially in enterprise environments, it’s important to minimize the risk of password compromise. One commonly overlooked setting involves the storage of LAN Manager (LM) hashes. Although largely deprecated, LM hashes can still be stored on some systems—posing a security risk due to their weak encryption and vulnerability to brute-force attacks. In this post, we’ll look at how to prevent the storage of LAN Manager hashes using Microsoft Intune, helping you enforce better security standards across your organization.
What is Storing LAN Manager Hash?
LAN Manager (LM) hashes are a legacy method used by early versions of Windows to store user passwords. Unlike modern hashing algorithms, LM hashes are notoriously weak—they convert passwords to uppercase, split them into smaller chunks, and use outdated encryption, making them highly susceptible to cracking. While modern versions of Windows don’t rely on LM hashes by default, certain configurations or domain environments may still allow their creation and storage. Preventing the storage of LM hashes is a crucial step in hardening password security and reducing the chances of credential theft through tools like Mimikatz or hash dumping attacks.
How to prevent Storing LAN Manager Hash with Microsoft Intune
In this section, we will show you how to prevent storing the LAN Manager hash with Microsoft Intune. Just follow the steps below.
- Go to intune.microsoft.com
- Click on Devices
- Click on Windows
- Click on Configuration profiles
- Click on Create
- Click on New Policy
- Platform: Windows 10 and later
- Profile type: Settings catalog
- Click on Create
Give it a meaningful name and description. Click on Next.
On the Configuration settings tab do the following:
- Click on Add settings
- Search for Lan Manager
- Choose Local Policies Security Options
- Click on Network Security Do Not Store LAN Manager Hash Value On Next Password Change
- On the left side, enable Network Security Do Not Store LAN Manager Hash Value On Next Password Change
- Define your Scope if applicable and click on Next
- On the Assignments tab assign the Policy to a Group or to All Users / All Devices
- And Review + Create the Policy
Congratulations! You have successfully deployed the policy.
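To confirm on an endpoint that the profile took effect, the following added example (not part of the original post) reads the registry value behind this security option and lists local accounts whose password is older than the rollout. It assumes the option is stored as NoLMHash under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the rollout date and function names are hypothetical. Because the setting only applies at the next password change, a password set before the policy applied is not covered until it is changed.

```powershell
# Added example: run locally in an elevated PowerShell session on a managed device.
param(
    # Assumption: the date the Intune profile was assigned (constructed sample value).
    [datetime]$PolicyRolloutDate = '2025-01-01'
)

# Assumption: registry location that backs the security option
# "Network security: Do not store LAN Manager hash value on next password change".
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NoLMHashState {
    # Returns the raw value plus a compliance flag; a missing value counts as not compliant.
    $value = (Get-ItemProperty -Path $lsaPath -Name 'NoLMHash' -ErrorAction SilentlyContinue).NoLMHash
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        NoLMHash     = $value
        Compliant    = ($value -eq 1)
    }
}

function Get-AccountsNeedingPasswordChange {
    # Enabled local accounts whose password was last set before the rollout date.
    param([datetime]$Since)
    Get-LocalUser |
        Where-Object { $_.Enabled -and $_.PasswordLastSet -and $_.PasswordLastSet -lt $Since } |
        Select-Object Name, PasswordLastSet
}

$state = Get-NoLMHashState
$state | Format-List

if (-not $state.Compliant) {
    Write-Warning 'NoLMHash is not 1: the policy has not applied on this device yet.'
} else {
    $stale = Get-AccountsNeedingPasswordChange -Since $PolicyRolloutDate
    if ($stale) {
        Write-Warning 'These local accounts have not changed their password since the rollout:'
        $stale | Format-Table -AutoSize
    } else {
        Write-Output 'All enabled local accounts changed their password after the rollout.'
    }
}
```

Pass the real assignment date with -PolicyRolloutDate when running the script; domain accounts are not covered by Get-LocalUser and need a separate check in your directory.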
Conclusion
You learned how to prevent storing the LAN Manager hash with Microsoft Intune. We created a new Configuration Profile in the Microsoft Intune Portal. We hope this guide has provided you with valuable insights to improve your device management strategy. Did you enjoy this article? Don't forget to follow us and share this article. If you have any questions or need further assistance, feel free to reach out or leave a comment below.