Hello Ray, thank you for posting in the Microsoft Q&A community.
Looking into the log snippet you provided, the error code hr=80070791 translates to ERROR_NTLM_BLOCKED. This indicates that when the ADMT agent attempted to perform the NetpJoinDomain operation over a remote procedure call or SMB session, the Windows 11 client or the Local Security Authority (LSA) explicitly blocked the NTLM authentication request.
The cause of this behavior lies in the security posture updates introduced in Windows 11 version 24H2 and Windows Server 2025. Microsoft has officially deprecated and removed the legacy NTLMv1 protocol for clean installations, and introduced SMB NTLM Blocking mechanisms to prevent brute force and pass-the-hash attacks. Because ADMT is a legacy tool, its migration agent inherently relies on traditional NTLM protocols to communicate cross-domain during the computer migration phase. When it attempts this on 24H2, the connection is dropped by the modernized security defaults.
To resolve this, we can temporarily modify the security settings on the Windows 11 24H2 target machine to allow NTLM traffic during the migration window.
First, verify and adjust the Local Security Policy by opening secpol.msc and navigating to Local Policies > Security Options. Ensure that Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers is set to Allow all.
Next, ensure the machine is allowed to send NTLMv2 responses by opening Registry Editor and navigating to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Ensure the lmcompatibilitylevel DWORD value is set to 3 or higher.
Finally, because Windows 11 24H2 introduced a new native SMB NTLM blocking feature, open a PowerShell window and run the following command to disable it:

```powershell
Set-SmbClientConfiguration -BlockNTLM $false
```
To ensure we isolate the problem accurately if the standard fixes do not resolve the issue, please provide the outputs of the following diagnostic commands run from the affected Windows 11 machine:
```powershell
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, BlockNTLM
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "lmcompatibilitylevel" -ErrorAction SilentlyContinue
```
Additionally, please check the Event Viewer under Applications and Services Logs > Microsoft > Windows > NTLM > Operational for Event ID 1937, which will confirm the exact authentication version being blocked by the OS.
Microsoft Documentation:
- Block NTLM connections on SMB in Windows Server 2025 and Windows 11: https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-ntlm-blocking
- Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers
- Support policy and known issues for ADMT: https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/support-policy-and-known-issues-for-admt
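
Because the changes above are meant to last only for the migration window, the following added example (not part of the original answer) records the three settings before they are relaxed and puts them back afterwards. The function names and the backup path are hypothetical; `RestrictSendingNTLMTraffic` under `Lsa\MSV1_0` is the registry value behind the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy.

```powershell
# Added example: snapshot and restore the NTLM-related client settings.
# Run elevated on the Windows 11 24H2 target. Names and path are hypothetical.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$MsvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Backup = Join-Path $env:ProgramData 'ntlm-premigration.json'   # assumed location

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent, meaning the OS default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Save-NtlmSettings {
    # Call this BEFORE relaxing any setting for the migration.
    [pscustomobject]@{
        Taken                      = (Get-Date).ToString('o')
        LmCompatibilityLevel       = Get-RegValueOrNull $LsaKey 'lmcompatibilitylevel'
        RestrictSendingNTLMTraffic = Get-RegValueOrNull $MsvKey 'RestrictSendingNTLMTraffic'
        BlockNTLM                  = (Get-SmbClientConfiguration).BlockNTLM
    } | ConvertTo-Json | Set-Content -Path $Backup -Encoding UTF8
}

function Restore-RegValue {
    param([string]$Path, [string]$Name, $Value)
    if ($null -eq $Value) {
        # The value did not exist before the change, so remove it again.
        Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $Path -Name $Name -Value ([int]$Value) -Type DWord
    }
}

function Restore-NtlmSettings {
    # Call this AFTER the computer migration has completed.
    $s = Get-Content -Path $Backup -Raw | ConvertFrom-Json
    Restore-RegValue $LsaKey 'lmcompatibilitylevel' $s.LmCompatibilityLevel
    Restore-RegValue $MsvKey 'RestrictSendingNTLMTraffic' $s.RestrictSendingNTLMTraffic
    Set-SmbClientConfiguration -BlockNTLM ([bool]$s.BlockNTLM) -Force
}
```

Dot-source the script, run `Save-NtlmSettings` before applying the steps above, and run `Restore-NtlmSettings` once the migration is done. If these settings are delivered by Group Policy, the next policy refresh will overwrite local values regardless of what is restored here.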