ADMT Computer Migration fails on Windows 11 24H2 with error “NTLM authentication has been disabled” during domain change (Win10 or Win7 works)

ray 0 Reputation points
2026-07-03T03:43:56.2666667+00:00

Hello everyone, I am currently performing a cross-domain migration using ADMT (Active Directory Migration Tool) from domain A.com to B.com. The migration works correctly for Windows 7 and Windows 10 machines, but fails consistently on Windows 11.

Environment

  • Source domain: A.com (Server 2012 R2)
  • Target domain: B.com (Server 2022)
  • ADMT version: ADMT 3.2 ( + SQL2022-SSEI-Expr base Server 2022)
  • OS tested:
    • Windows 7 → OK
    • Windows 10 → OK
    • Windows 11 → FAIL

Logs

ADMT Error Message :

ERR3:7075 Failed to change domain affiliation, hr=80070791

Authentication failed because NTLM authentication has been disabled.

Domain Join Log (NetSetup log excerpt): Client log

(06/30/2026 17:01:46:445 -----------------------------------------------------------------

06/30/2026 17:01:46:448 NetpDoDomainJoin

06/30/2026 17:01:46:450 NetpDoDomainJoin: using current computer names

06/30/2026 17:01:46:450 NetpDoDomainJoin: NetpGetComputerNameEx(NetBios) returned 0x0

06/30/2026 17:01:46:450 NetpDoDomainJoin: NetpGetComputerNameEx(DnsHostName) returned 0x0

06/30/2026 17:01:46:450 NetpMachineValidToJoin: 'WIN11-PC01'

06/30/2026 17:01:46:450 OS Version: 10.0

06/30/2026 17:01:46:450 Build number: 26100 (26100.ge_release.240331-1435)

06/30/2026 17:01:46:457 SKU: Windows 11 Professional Edition

06/30/2026 17:01:46:457 Architecture: 64-bit (AMD64)

06/30/2026 17:01:46:457 NetpMachineValidToJoin: the specified machine is already joined to 'GJ'!

06/30/2026 17:01:46:457 NetpMachineValidToJoin: status: 0xa83

06/30/2026 17:01:46:457 NetpJoinDomain

06/30/2026 17:01:46:457 HostName: win11-pc01

06/30/2026 17:01:46:457 NetbiosName: WIN11-PC01

06/30/2026 17:01:46:457 Domain: tw.com\NSH01.tw.com

06/30/2026 17:01:46:457 MachineAccountOU: (NULL)

06/30/2026 17:01:46:457 Account: (NULL)

06/30/2026 17:01:46:457 Options: 0x61

06/30/2026 17:01:46:493 NetpJoinDomainOnDs: Unsecure join requested.

06/30/2026 17:01:46:493 NetpDisableIDNEncoding: no domain dns available - IDN encoding will NOT be disabled

06/30/2026 17:01:46:493 NetpJoinDomainOnDs: NetpDisableIDNEncoding returned: 0x0

06/30/2026 17:01:46:560 NetUseAdd to \NSH01.tw.com\IPC$ returned 1326

06/30/2026 17:01:46:560 Trying add to \NSH01.tw.com\IPC$ using NULL Session

06/30/2026 17:01:46:567 NullSession NetUseAdd to \NSH01.tw.com\IPC$ returned 1937

06/30/2026 17:01:46:567 NetpJoinDomainOnDs: status of connecting to dc '\NSH01.tw.com': 0x791

06/30/2026 17:01:46:567 NetpJoinDomainOnDs: Function exits with status of: 0x791

06/30/2026 17:01:46:567 NetpJoinDomainOnDs: NetpResetIDNEncoding on '(null)': 0x0

06/30/2026 17:01:46:567 NetpDoDomainJoin: status: 0x791)


1 answer

  1. Brian Huynh 3,305 Reputation points Microsoft External Staff Moderator
    2026-07-03T07:37:30.42+00:00

    Hello Ray, thank you for posting in the Microsoft Q&A community.

    Looking into the log snippet you provided, the error code hr=80070791 translates to ERROR_NTLM_BLOCKED. This indicates that when the ADMT agent attempted to perform the NetpJoinDomain operation over a remote procedure call or SMB session, the Windows 11 client or Local Security Authority (LSA) explicitly blocked the NTLM authentication request.

    The cause of this behavior lies in the security posture updates introduced in Windows 11 version 24H2 and Windows Server 2025. Microsoft has officially deprecated and removed the legacy NTLMv1 protocol for clean installations, and introduced SMB NTLM Blocking mechanisms to prevent brute force and pass-the-hash attacks. Because ADMT is a legacy tool, its migration agent inherently relies on traditional NTLM protocols to communicate cross-domain during the computer migration phase. When it attempts this on 24H2, the connection is dropped by the modernized security defaults.

    To resolve this, we can temporarily modify the security settings on the Windows 11 24H2 target machine to allow NTLM traffic during the migration window.

    First, verify and adjust the Local Security Policy by opening secpol.msc and navigating to Local Policies > Security Options. Ensure that Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers is set to Allow all.

    Next, ensure the machine is allowed to send NTLMv2 responses by opening Registry Editor and navigating to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Ensure the lmcompatibilitylevel DWORD value is set to 3 or higher.

    Finally, because Windows 11 24H2 introduced a new native SMB NTLM blocking feature, open a PowerShell window and run the following command to disable it:

    Set-SmbClientConfiguration -BlockNTLM $false
    

    To ensure we isolate the problem accurately if the standard fixes do not resolve the issue, please provide the outputs of the following diagnostic commands run from the affected Windows 11 machine:

    Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, BlockNTLM
    Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "lmcompatibilitylevel" -ErrorAction SilentlyContinue
    

    Additionally, please check the Event Viewer under Applications and Services Logs > Microsoft > Windows > NTLM > Operational for Event ID 1937, which will confirm the exact authentication version being blocked by the OS.

    Microsoft Documentation:

    Was this answer helpful?
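The result codes in the NetSetup.log excerpt and ADMT's hr=80070791 can be decoded mechanically. The following is an added example, not part of the original thread and not Microsoft code: it pulls the non-zero result codes out of NetSetup.log lines, names the ones that appear in this excerpt, and flags a join that failed because NTLM was blocked. The sample lines are copied from the question's excerpt; the function names are hypothetical.

```python
import re

# Codes seen in the excerpt; names are from winerror.h / lmerr.h.
WIN32_NAMES = {
    1326: "ERROR_LOGON_FAILURE",
    1937: "ERROR_NTLM_BLOCKED",        # 0x791
    2691: "NERR_SetupAlreadyJoined",   # 0xa83
}
# "MM/DD/YYYY HH:MM:SS:mmm message"; the post wraps the excerpt in parentheses.
LINE_RE = re.compile(r"^\(?(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3}) (.*)$")
# Only "returned N" and "status...: N" carry result codes; "Options: 0x61" is a flag mask.
CODE_RE = re.compile(r"(?:returned:?|status\b[^:]*:)\s*(0x[0-9a-fA-F]+|\d+)\)?\s*$")

def hresult_to_win32(hr):
    """Return the Win32 code inside a failure HRESULT with FACILITY_WIN32 (7), else None."""
    if hr & 0x80000000 and ((hr >> 16) & 0x1FFF) == 7:
        return hr & 0xFFFF
    return None

def triage(log_text):
    """Return (timestamp, code, name) for every non-zero result code in the log."""
    findings = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        hit = CODE_RE.search(line.group(2)) if line else None
        if not hit:
            continue
        tok = hit.group(1)
        code = int(tok, 16) if tok.lower().startswith("0x") else int(tok)
        if code:
            findings.append((line.group(1), code, WIN32_NAMES.get(code, "UNKNOWN")))
    return findings

def ntlm_blocked(findings):
    """True when any step of the join ended with ERROR_NTLM_BLOCKED (1937)."""
    return any(code == 1937 for _, code, _ in findings)

# Lines copied from the NetSetup.log excerpt in the question.
SAMPLE = r"""
06/30/2026 17:01:46:450 NetpDoDomainJoin: NetpGetComputerNameEx(NetBios) returned 0x0
06/30/2026 17:01:46:457 NetpMachineValidToJoin: status: 0xa83
06/30/2026 17:01:46:457 Options: 0x61
06/30/2026 17:01:46:560 NetUseAdd to \NSH01.tw.com\IPC$ returned 1326
06/30/2026 17:01:46:567 NullSession NetUseAdd to \NSH01.tw.com\IPC$ returned 1937
06/30/2026 17:01:46:567 NetpJoinDomainOnDs: status of connecting to dc '\NSH01.tw.com': 0x791
06/30/2026 17:01:46:567 NetpDoDomainJoin: status: 0x791)
"""
```

Calling `triage(SAMPLE)` lists the steps in order, so the credentialed attempt (1326) and the NULL-session fallback (1937) can be told apart before any NTLM setting is changed.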

