The Network Security: Restrict NTLM: Audit Incoming NTLM Traffic setting should be configured correctly. This policy setting allows you to audit incoming NTLM traffic. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Audit events are recorded on this computer in the Operational Log located under the Applications and Services Log/Microsoft/Windows/NTLM. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Audit Incoming NTLM Traffic (2) KEY: HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\AuditReceivingNTLMTraffic